Comprehensive Approach Needed For A Result-Oriented Cybersecurity

Fedor Chunizhekov, Information Security Analyst at Positive Technologies, talks about the evolving cybersecurity landscape in the region and highlights the key points from the company's “Cybersecurity threatscape in the Middle East” report that are impacting the Middle East. He also emphasizes that to address the core security issues we need to follow a comprehensive approach to results-oriented cybersecurity.

How has the cybersecurity landscape in the Middle East evolved in the past year?
The Middle East region is the perfect example of a tense cybersecurity landscape. This is due to a unique combination of a thriving economy and high rates of digitization that attracts the attention of malicious actors globally. It’s not a surprise that the losses suffered by Middle Eastern countries from cyberattacks are increasing every year.

In our recent “Cybersecurity threatscape in the Middle East” report, we found that 83% of all successful attacks in the Middle East were targeted in nature. This is because of numerous reasons:

  • The Middle East is an important oil and gas production and transportation region. This makes the region particularly vulnerable to cyberattacks on critical infrastructure, such as oil and gas fields, power plants, ports, and airports.
  • The geopolitical tensions in the region give rise to the constant activity of well-trained groups of threat actors who carry out targeted cyberattacks and conduct cyber espionage.
  • There is a relevant threat from hacktivists whose attacks are not aimed at financial gain or data collection but rather at drawing public attention to various social or political issues through massive DDoS attacks and website defacement.

Another regional feature of the Middle East is the use of wipers by malicious actors in attacks using malware. When this malware infects a device, it erases all user and system files, causing the device to crash.

What are the main cybersecurity challenges faced by enterprises in the Middle East?
The significant security threats to countries in the Middle East in 2023 include:

  • Cyberattacks on government organizations – Cybercriminals or APT groups may aim to compromise government systems to obtain confidential data, conduct cyberespionage, disrupt operations, or influence decision-making processes.
  • Constant attacks on critical infrastructure – Attacks on critical infrastructure can have the most serious consequences for both the organization itself and the economy or security of the country. To achieve this, attackers may target organizations in the energy, telecommunications, financial, healthcare and transportation sectors.
  • Ransomware – Much like the rest of the world, ransomware is a menace in the Middle East as well. These groups are a major threat in the region and according to a report, their activity increased by 77% in Q1 2023.
  • Phishing and social engineering – Attacks based on phishing and social engineering methods will be carried out to gain access to organizations and individuals.
  • Distribution of malware – Attacks using malware (remote access trojans, spyware, ransomware) will remain a serious threat to organizations and individual users.
  • Hacktivism – Hacktivists can use website defacement, DDoS attacks, or malware injection to damage information systems and gain unauthorized access to confidential information.

What is causing the increase in cyberattacks and what sectors of the economy are more vulnerable to such attacks?
In the Middle East, government agencies are the most attractive targets for cybercriminal attacks, accounting for 22% of the total number of attacks on organizations.

A distinguishing feature of attacks on Middle Eastern government agencies is that they are mainly carried out by APT groups (56%), covertly establishing themselves in the victim’s infrastructure for an extended period of time for the purpose of cyberespionage. These attackers are highly skilled and possess a whole arsenal of malware and exploits to compromise systems and exfiltrate data.

An interesting type of attack using social engineering was demonstrated by the TA456 group: the attackers created a fake profile of an attractive girl to gain the trust of government employees in their correspondence and distribute spyware. According to our threatscape report, the main consequences of cyberattacks on state institutions are the disruption of core activities (36%) and the leakage of confidential information (28%).

Industrial sector organizations constitute a significant portion of the GDP of Middle Eastern countries and are highly valued in the market while accumulating a large amount of confidential data, thereby attracting the attention of malicious actors: they rank second among the most targeted industries (16%).

Attackers gain access to the systems of their victims through attacks on users via social engineering channels (33%); in 62% of attacks using malware, remote administration tools were used, as well as wipers (31%).

Despite the consumption of so much technology over the years in the name of cybersecurity, why are organisations still exposed more than ever?
78% of cyberattacks on organizations in the Middle East region target computers, servers, and network equipment. This is due to the activity of APT groups that target end devices and servers, as well as ransomware groups.

Attacks on users (41% of organizations, 96% of individuals) are one of the most widespread current attack methods; the human factor was the cause of more than 80% of hacks in 2022 according to a report, including in the Middle East.

Web resources complete the top three most targeted objects among organizations—attackers exploit web vulnerabilities and steal user data. Additionally, web applications are the target of defacement and DDoS attacks by hacktivists.

What can organisations do to solve their cybersecurity issues?
Because of the increased activity of cybercriminals and the severity of the consequences of successful cyberattacks, organizations in the Middle East must prioritize cybersecurity.

They need to implement tools, services, and practices that can empower their ability to monitor and respond to information security incidents and boost the vigilance of their employees to prevent cyberattacks.

The most relevant methodology for addressing core security issues is a comprehensive approach to results-oriented cybersecurity, which aims to establish a robust and automated system for protecting the entire IT infrastructure.

To build such a system, organizations need to identify and assess the information assets that require protection, as well as determine how cyberattacks can hinder the success of the organization’s operational and strategic objectives.

Once the assets and non-tolerable events have been identified, the three key elements of effective cybersecurity need to be enabled:

1. Monitoring – A real-time security system should be aware of what is happening with protected assets and how well the infrastructure elements comply with secure settings.

Implementing SIEM (security information and event management) systems allows security teams to monitor and analyze security events, detect attacks, and assess the compliance of protected infrastructure elements with security requirements.

2. Response – The system must understand the attacker’s intent in order to respond quickly and effectively to incidents and prevent non-tolerable events.

The combination of XDR (extended detection and response) and SIEM solutions makes it possible to detect attacks in the infrastructure and respond to them both manually and automatically. Threat detection and response capabilities can be enhanced by using a sandbox for the static and dynamic analysis of threats such as advanced malware.

In the case of expert incident investigations, NTA (network traffic analysis) solutions are used for deep traffic analysis and detecting malicious activity. NTA solutions also act as SIEM sensors to display network status information and serve as a tool for proactive threat hunting.

3. Asset Management – One of the main functions of a security system is keeping a constant inventory of assets and their classification, taking into account non-tolerable events for the organization and ways that cyberattacks could develop.

Vulnerability management systems automate the processes of asset management and the detection and fixing of vulnerabilities in infrastructure components, depending on their severity level. VM systems also monitor the level of infrastructure protection against vulnerabilities exploited in real-world attacks.