In today’s complex cybersecurity landscape, understanding the nuances of real-world attacks versus the perceptions of IT professionals is crucial for effective threat mitigation. The Honeywell Gard USB Threat Report 2024 and DataLocker’s 2024 State of USB-Connected Devices report provide valuable insights into these dynamics, particularly concerning malware attacks via USB-connected devices. Let’s delve into the findings of these reports, explore the tactics and techniques involved, and analyze the differences in perception versus reality.

Real-World Threats: Honeywell Gard USB Threat Report 2024

The Honeywell Gard report highlights a significant threat posed by USB-borne malware, with 51% of malware discovered designed specifically for USB. The report emphasizes that USB-borne malware is often part of coordinated attack campaigns targeting industrial environments, capable of causing loss of view and control. From their analysis of Mitre ATT&CK tactics and techniques observed in inbound removable media, the distribution is as follows:

  • Discovery, Collection, and Exfiltration: 36%
  • Defense Evasion and Persistence: 29%
  • Credential Access and Privilege Escalation: 18%

***This report only provided 83% of the responses, versus 100%. When the percentages are modified as a percentage of 83 to compare to DataLocker’s 2024 State of USB-Connected Devices, the percentages are as follows:

  • Discovery, Collection, and Exfiltration: 43%
  • Defense Evasion and Persistence: 35%
  • Credential Access and Privilege Escalation: 22%

Perceptions of IT Professionals: DataLocker’s 2024 State of USB-Connected Devices

Contrastingly, when IT security professionals were asked about the most concerning stages of ATT&CK tactics and techniques related to USB-connected device malware, their responses indicated:

  • Discovery, Collection, and Exfiltration: 46%
  • Defense Evasion and Persistence: 27%
  • Credential Access and Privilege Escalation: 27%

Understanding Mitre ATT&CK Phases

To contextualize these findings, it’s essential to understand what occurs at each of these phases of the Mitre ATT&CK matrix:

1. Discovery, Collection, and Exfiltration

  • Discovery: Attackers gather information about the target environment, identifying vulnerabilities and sensitive data.
  • Collection: Once identified, attackers collect the data, which may include intellectual property, personal information, or operational details.
  • Exfiltration: The collected data is then transmitted out of the compromised network to the attacker’s control.

2. Defense Evasion and Persistence

  • Defense Evasion: Techniques used by attackers to avoid detection by security systems. This includes disabling security tools, obfuscating code, and using trusted processes.
  • Persistence: Methods to maintain access to compromised systems even after restarts or credential changes, ensuring long-term control over the environment.

3. Credential Access and Privilege Escalation

  • Credential Access: Obtaining valid credentials to access systems and data. This can involve techniques like keylogging, credential dumping, or phishing.
  • Privilege Escalation: Gaining higher-level permissions within the target environment, enabling broader control and access to sensitive areas.

Analysis: Discrepancies in Concern

Discovery, Collection, and Exfiltration: 3% Higher than Expected

IT professionals’ concerns about the phases of discovery, collection, and exfiltration were 3% higher than what real-world tactics and techniques indicate. This is a small discrepancy and was still marked as the top concern, which suggests the following:

  • Immediate Data Breach: IT professionals are concerned with Discovery, Collection, and Exfiltration because these stages directly result in data breaches. The immediate loss of sensitive data, including intellectual property, can have devastating consequences, including financial loss, reputational damage, and regulatory penalties.
  • Visibility and Impact: These stages are more visible and tangible to organizations. The impact of data exfiltration is often immediate and significant, prompting heightened concern.

Defense Evasion and Persistence: 7% Lower than Expected

Concerns about defense evasion and persistence were 7% lower among IT professionals compared to real-world tactics and techniques. This reduced concern is likely due to the following:

  • Overconfidence in Existing Defenses: IT professionals may have overconfidence in their existing security measures, believing they are more effective at preventing attackers from evading defenses and maintaining persistence within their networks. This can lead to underestimating the sophistication of modern evasion techniques.
  • Underestimating Advanced Threats: There may be a lack of awareness about the advanced methods attackers use to evade detection and maintain persistence. Techniques such as fileless malware and advanced persistent threats (APTs) are continuously evolving, and IT professionals might not be fully up-to-date on the latest tactics, leading to a lower perceived risk.

Credential Access and Privilege Escalation: 5% Higher than Expected

The perception of risk related to credential access and privilege escalation was 5% higher among IT professionals than indicated by real-world data. This concern is likely due to the following:

  • Critical Impact of Compromised Credentials: IT professionals recognize that once attackers obtain credentials and escalate privileges, they can gain significant control over the network. This stage can lead to widespread data breaches, sabotage, and unauthorized access to critical systems, making it a major concern.
  • Increased Keylogging and Spyware: The rise in keylogging and spyware, which often target credentials, has heightened awareness among IT professionals. They understand that compromised credentials are a common entry point for attackers, leading to increased vigilance and concern about this phase.

Implications for IT Security Strategy

Understanding these discrepancies is crucial for developing effective security strategies. IT professionals should consider the following:

  • Enhanced Monitoring and Detection: Focus on improving detection mechanisms for data discovery, collection, and exfiltration. Implement advanced monitoring tools to identify and mitigate these threats early.
  • Comprehensive Security Training: Educate employees about the risks associated with USB devices and promote best practices for handling removable media securely.
  • Multi-Layered Security Approach: Implement a robust security framework that includes not just endpoint protection but also network monitoring, data loss prevention, and regular security audits.

The insights from the Honeywell Gard and DataLocker reports highlight a critical need for aligning real-world threat data with IT professionals’ perceptions. By understanding the stages of the Mitre ATT&CK matrix and recognizing the primary concerns, organizations can better prepare for and defend against USB-borne malware attacks. Bridging this gap ensures a more proactive and comprehensive approach to cybersecurity, ultimately safeguarding valuable data and maintaining operational integrity.