With the intricacies of the digital world growing exponentially, the relevance of effective and timely Digital Forensics and Incident Response (DFIR) cannot be overstated. Recognising this need for insight, Binalyze, in collaboration with the global market intelligence firm IDC, is excited to publish a compelling new report: “The State of Digital Forensics and Incident Response 2023”.

Based on an extensive survey conducted in June 2023, the study brings into focus the perspectives of over 100 cybersecurity professionals from five Middle Eastern countries. This diverse respondent pool consists of individuals directly influencing the cybersecurity functions within their organizations, with roles spanning SOC analysts, DFIR professionals, Incident responders, Threat hunters, SOC managers, and Directors.

The key findings of the report are critical for anyone involved in DFIR, from SOC teams to individual analysts and investigators. Report highlights include:

• According to the research and subsequent analysis, the average time to investigate an incident is approximately 26.1 days, and the time to resolve incidents is an additional 17.1 days.
• The importance of reducing “detection-to-resolution” times for efficient incident management.
• The ongoing skills shortage: 81% of respondents identified this as a major challenge.

“Our world thrives on digital connections, but with this connectivity comes vulnerabilities. As the frequency and intensity of cyber threats surge, the importance of DFIR in understanding, mitigating, and learning from these threats is paramount. There is a real and urgent need for forensic visibility at speed and scale. AIR is a game changer here and should be at the centre of all SOCs DFIR effort,” says Ahmet Öztoprak, Senior Sales Director of META at Binalyze.

This report serves as both a wake-up call and a guide. By leveraging the insights from the top cybersecurity professionals in the Middle East, ‘The State of Digital Forensics and Incident Response 2023’ aims to provide companies with the knowledge and solutions they need to combat emerging cyber threats effectively and maintain resiliency.

Positive Technologies analyzed attacks on individuals in Middle Eastern countries between 2022 and 2023. Malware was used in 70% of successful attacks. More than half of these attacks involved spyware. The vast majority of attacks used social engineering techniques. In 20% of phishing campaigns, the attack was multi-pronged, exploiting multiple social engineering channels simultaneously.

“According to our data, cybercriminals employed malware in 7 out of 10 successful attacks on individuals in the Middle East region. More often than not, the attackers infected users’ devices with spyware (three out of five malware attacks). This type of malware collects information from the infected device and then passes it on to the attacker. Depending on the task, spyware can steal personal and financial data, user credentials, as well as files from the device’s memory,” the company said.

Positive Technologies Information Security Research Analyst Roman Reznikov said, “By using spyware, attackers can compromise not only personal and payment information and personal accounts, but also corporate credentials, network connection information, and other sensitive data. The stolen data is then offered for sale on the dark web forums. As a result, a skilled attacker can gain access to an organization and carry out a successful attack, leading to non-tolerable consequences: disruption of technological and business processes, theft of funds, leakage of confidential information, attacks on customers and partners.”

In the vast majority (96%) of successful attacks on individuals in Middle Eastern countries, social engineering techniques were employed. Most often, these were mass attacks in which the criminals aimed to reach the maximum number of victims. To achieve this, they actively leveraged current news about significant global and regional events, including the 2022 FIFA World Cup Qatar.

In every fifth (20%) phishing campaign, the attack was multi-pronged, exploiting multiple social engineering channels simultaneously. Criminals led the victims through a series of steps until the device was infected and data stolen. For instance, users could be lured through social media accounts that contained links to a messenger channel from which the victim would install a malicious application.

One of the reasons for the success of social engineering is the numerous data leaks from various organizations. “According to our research on the cybersecurity threatscape in the Middle East, 63% of successful attacks on individuals in the region resulted in leaks of confidential information. The majority of stolen information consisted of personal data (30%) and account credentials (30%). Cybercriminals were also interested in payment card data (10%) and user correspondence (8%).” the company added.

On the dark web, malicious actors sell information about users and also provide stolen data archives for free. Criminals use the compromised information in subsequent attacks on users. For example, a successful attack on a bank could result in fraudulent actions against its customers. Cybersecurity experts recommend that users follow cyber-hygiene rules.

Companies also need to ensure the security of employee and customer data. Data breaches cause reputational and financial damage and put at risk users whose information has been compromised. To maintain cyber-resilience, it’s essential to regularly assess the effectiveness of security measures and pay special attention to the verification of non-tolerable events.

Sophos has announced its discovery regarding the role of research contests within cybercrime forums. These contests serve as a source of inspiration for the development of new attack techniques and methods to evade detection. Remarkably, these contests closely resemble legitimate security conferences’ “Call For Papers” and offer substantial financial rewards, peer recognition, and potential job opportunities to the winners.

Sophos X-Ops has detailed these findings in its latest report, titled “For the Win? Offensive Research Contests on Criminal Forums.” The primary objective of these contests is to foster innovation, and upon closer examination, the submitted entries provide invaluable insights into how cybercriminals strategize to overcome security challenges.

Interestingly, the landscape of these criminal forum competitions has evolved significantly over time. In the early days, cybercrime contests featured trivia quizzes, graphic design competitions, and guessing games. However, contemporary criminal forums are now encouraging attackers to submit comprehensive articles on technical subjects, complete with source code, videos, and screenshots. Following the submission, all forum users are invited to vote for the contest’s victor. Nevertheless, it’s worth noting that the judging process isn’t entirely transparent, as forum owners and contest sponsors also hold influence over the final decision.

“The fact that cybercriminals are running, participating, and even sponsoring these contests, suggests that there is a community goal to advance their tactics and techniques. There is even evidence to suggest that these competitions act as a tool for recruitment amongst prominent threat actor groups,” said Christopher Budd, director of threat research, Sophos. “While our research shows an increased focus on Web-3 related topics such as cryptocurrency, smart contracts and NFTs, many of the winning entries had a broader appeal and could be put to practical use, even if they weren’t particularly novel. This may be reflective of the priorities of the community but could indicate that attackers keep their best research to themselves as they can profit more from using them in real-world attacks.”

Sophos X-Ops delved into the examination of two notable annual competitions: one hosted by the Russian-language cybercrime platform Exploit, which offered a substantial prize pool of $80,000 to its 2021 contest winner, and another conducted on the XSS forum, featuring a prize fund of $40,000 in the year 2022. These contests have received sponsorship from influential figures within the cybercriminal community over several years, with notable contributors including All World Cards and Lockbit.

In the most recent iterations of these contests, Exploit centered its competition around the theme of cryptocurrencies, whereas XSS broadened its scope to encompass various topics, ranging from social engineering and attack vectors to evasion tactics and scam proposals. Many of the victorious entries concentrated on the exploitation of legitimate tools, such as Cobalt Strike. One of the runners-up even shared a tutorial on targeting initial coin offerings (ICOs) to raise funds for a new cryptocurrency, while another provided insights into manipulating privilege tokens to disable Windows Defender.