Sector Overview
The professional, scientific, and technical services (PSTS) sector—ReliaQuest’s second-largest client segment—recorded an above-average rate of true-positive GreyMatter alerts at 2.9%.
The PSTS sector, with its large stores of sensitive data, extensive client network, and vulnerability to trust-eroding breaches, is particularly prone to supply chain attacks and is the second-most targeted by ransomware groups.
Nation-state groups target the sector with cyber espionage attacks to access intellectual property and politically valuable information. For this reason, organizations involved in strategic industries or with clients in the government sector face a higher risk of such attacks.
The PSTS sector relies heavily on specific tools, such as customer relationship management (CRM) software and remote access tools to manage its wide network of customers and employees. As a result, threat actors often exploit vulnerabilities in these tools or use phishing kits that impersonate the tools’ landing pages.
Top MITRE ATT&CK Techniques
During the reporting period, the most prevalent initial access technique used against the PSTS sector was abuse of external remote services (T1133), such as VPNs and remote monitoring and management (RMM) tools, which are widespread because of the sector's reliance on remote workforces. Exploitation of public-facing applications (T1190) and spearphishing links (T1566.002) were also significant. Although phishing success rates in the PSTS sector were relatively low, attacks that used valid credentials to log in to cloud services (T1021.007, Remote Services: Cloud Services) and then move laterally posed substantial risk, since an authenticated session in a sanctioned tool looks much like legitimate use.
MITRE ATT&CK ID | Tactic | Technique | % of Incidents |
---|---|---|---|
T1133 | Initial Access, Persistence | External Remote Services | 23.8 |
T1021.007 | Lateral Movement | Remote Services: Cloud Services | 23.1 |
T1190 | Initial Access | Exploit Public-Facing Application | 7.9 |
T1566.002 | Initial Access | Phishing: Spearphishing Link | 4.9 |
T1534 | Lateral Movement | Internal Spearphishing | 4.1 |
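Detecting T1133 abuse in practice comes down to baselining who authenticates to the VPN or RMM gateway from where, then alerting on departures from that baseline. The following is an added example, not ReliaQuest detection content or GreyMatter logic: it runs three simple rules over constructed VPN authentication records (a made-up CSV shape of timestamp, user, source IP, country, result). The baseline cut-off, the one-hour travel window and the five-failure threshold are assumptions chosen for the sample, and real deployments would tune them and add geo-IP and ASN enrichment.

```python
"""Toy detection logic for abuse of external remote services (ATT&CK T1133).

The log records below are constructed for this example; the three rules and
their thresholds are assumptions, not vendor detection content.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample: several days of normal logins (the baseline window),
# then a day on which one account roams and another is brute-forced.
SAMPLE_LOG = """timestamp,user,src_ip,country,result
2024-05-01T08:02:11Z,alice,203.0.113.10,US,success
2024-05-01T08:15:40Z,bob,198.51.100.7,US,success
2024-05-02T09:01:03Z,alice,203.0.113.10,US,success
2024-05-02T09:30:00Z,carol,192.0.2.44,GB,success
2024-05-03T07:55:21Z,bob,198.51.100.7,US,success
2024-05-07T02:10:05Z,alice,203.0.113.10,US,success
2024-05-07T02:41:17Z,alice,192.0.2.99,RO,success
2024-05-07T03:00:00Z,bob,192.0.2.99,RO,failure
2024-05-07T03:00:05Z,bob,192.0.2.99,RO,failure
2024-05-07T03:00:10Z,bob,192.0.2.99,RO,failure
2024-05-07T03:00:15Z,bob,192.0.2.99,RO,failure
2024-05-07T03:00:20Z,bob,192.0.2.99,RO,failure
2024-05-07T03:00:25Z,bob,192.0.2.99,RO,success
"""

# Assumption: everything before this instant is trusted history used to learn
# each user's normal countries; everything after it is evaluated for alerts.
BASELINE_END = datetime(2024, 5, 6)


def parse(log_text):
    """Parse the CSV text into dicts, adding a parsed 'ts' datetime field."""
    rows = []
    for row in csv.DictReader(StringIO(log_text)):
        row["ts"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return rows


def detect(rows, baseline_end, window=timedelta(hours=1), fail_threshold=5):
    """Return a list of (rule, user, detail) tuples for the post-baseline rows."""
    alerts = []

    # Learn the countries each user successfully authenticated from in the baseline.
    seen_countries = defaultdict(set)
    for r in rows:
        if r["ts"] < baseline_end and r["result"] == "success":
            seen_countries[r["user"]].add(r["country"])

    last_success = {}                    # user -> (timestamp, country)
    recent_failures = defaultdict(list)  # user -> timestamps of failed logins
    for r in sorted(rows, key=lambda x: x["ts"]):
        if r["ts"] < baseline_end:
            continue
        user = r["user"]
        if r["result"] == "failure":
            recent_failures[user].append(r["ts"])
            continue

        # Rule 1: success from a country never seen for this user in the baseline.
        if r["country"] not in seen_countries[user]:
            alerts.append(("new_country", user, r["country"]))

        # Rule 2: two successes from different countries inside the window
        # (a crude impossible-travel check; real logic would use distance/speed).
        prev = last_success.get(user)
        if prev and prev[1] != r["country"] and r["ts"] - prev[0] <= window:
            alerts.append(("impossible_travel", user, f"{prev[1]}->{r['country']}"))

        # Rule 3: success preceded by a burst of failures inside the window.
        fails = [t for t in recent_failures[user] if r["ts"] - t <= window]
        if len(fails) >= fail_threshold:
            alerts.append(("brute_force_success", user, f"{len(fails)} failures"))

        recent_failures[user] = []
        last_success[user] = (r["ts"], r["country"])
    return alerts


def run_sample():
    """Run the rules over the constructed sample and return the alerts."""
    return detect(parse(SAMPLE_LOG), BASELINE_END)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the constructed sample this raises four alerts: alice's login from RO is both a new country and within an hour of her US login, and bob's RO login is a new country that follows five failures. Rule 1 is the one that most often catches broker-sold VPN access, because the buyer rarely connects from the victim's usual geography.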
GreyMatter Insights
- Benchmarking Performance: Organizations in the PSTS sector using automation and AI through ReliaQuest GreyMatter achieve an average Mean Time to Contain (MTTC) of five minutes, compared to five hours for manual strategies.
- Impact of MTTC: Faster MTTC minimizes incident impact, preventing threat actors from exfiltrating data, installing backdoors, or moving laterally within networks.
- Automated Response Plays (ARPs): ReliaQuest ARPs automatically contain threats upon detection, significantly reducing damage and preventing full-blown attacks.
- Example of ARP Effectiveness: ARPs can terminate malicious sessions and enforce password changes immediately upon detecting malicious code execution.
- Security-First Culture: The PSTS sector's openness to automation and its low risk tolerance underscore its commitment to an effective security operations program.
Dark Web and Digital Risk Insights
Threat actors actively target the PSTS sector on cybercriminal forums, selling direct access to corporate networks and compromising commonly used tools like CRM systems. Forum vendors often advertise phishing sites that mimic CRM tools to capture credentials and session cookies, bypassing two-factor authentication (2FA). Threat actors also exploit vulnerabilities in popular CRM tools, such as CVE-2024-36412, an unauthenticated SQL-injection vulnerability affecting SuiteCRM. Initial Access Brokers (IABs) play a significant role by selling corporate network access to threat actors, often through compromised VPNs and RDP tools, facilitating complex attacks like ransomware deployment. Notably, a 116% increase in instances of IABs advertising access to PSTS organizations was observed, driven by ransomware affiliates seeking network access.
The high prevalence of Credential Exposure alerts in GreyMatter DRP indicates active stealing and leaking of credentials, affecting both personal and corporate accounts. These stolen credentials are sold on dark web forums, enabling buyers to access internal systems, databases, and customer accounts, leading to financial losses and operational disruptions. Additionally, threat actors often register domains that impersonate PSTS organizations, resulting in a 42% higher prevalence of Impersonating Domain alerts compared to the all-sector average. To mitigate these risks, organizations should implement processes to promptly detect and take down impersonating domains, leveraging tools like GreyMatter DRP to detect phishing websites mimicking an organization's domains.
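Impersonating-domain detection is mostly string comparison against the brand: swapped TLDs, homoglyph substitutions, the brand wrapped in extra tokens like "-login", and one- or two-character typos. The block below is an added example, not GreyMatter DRP logic; the protected domain, the candidate list (standing in for a newly registered domain feed) and the homoglyph table and distance threshold are all assumptions constructed for it.

```python
"""Toy classifier for domains that impersonate a protected brand domain.

The protected domain, the candidates and the thresholds are constructed for
this example and are not any vendor's detection logic.
"""
import re

# Assumption: the organization's registered domain being protected.
PROTECTED = "examplefirm.com"

# Constructed candidates, as if taken from a newly-registered-domain feed.
CANDIDATES = [
    "examplefirm.com",        # the real domain; must not be flagged
    "exarnplefirm.com",       # 'rn' standing in for 'm'
    "examp1efirm.com",        # digit one standing in for 'l'
    "examplefirm-login.com",  # brand plus a credential-themed token
    "examplefirm.co",         # same label, different TLD
    "login-examplefirm.net",  # token plus brand
    "sampleform.com",         # unrelated but superficially similar
    "exmaplefirm.com",        # transposed characters
    "weather.org",            # unrelated
]

# Visually confusable sequences, applied in this order to normalize a label.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(label):
    """Collapse common homoglyph tricks so lookalikes compare equal to the brand."""
    label = label.lower()
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def levenshtein(a, b):
    """Standard edit distance (insert, delete, substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain):
    """Assumption: two-label names, so the registrable label is everything before the last dot."""
    label, tld = domain.lower().rsplit(".", 1)
    return label, tld


def classify(candidate, protected=PROTECTED, max_distance=2):
    """Return a reason string if the candidate looks like an impersonation, else None."""
    if candidate.lower() == protected.lower():
        return None
    brand, brand_tld = split_domain(protected)
    label, tld = split_domain(candidate)

    if label == brand and tld != brand_tld:
        return "tld_swap"
    norm = normalize(label)
    if norm == brand:
        return "homoglyph"
    # Brand present as a whole hyphen-delimited token, e.g. examplefirm-login.
    if re.search(rf"(^|-){re.escape(brand)}(-|$)", norm):
        return "brand_plus_token"
    if levenshtein(norm, brand) <= max_distance:
        return "typosquat"
    return None


def scan(candidates, protected=PROTECTED):
    """Map each flagged candidate to its reason; unflagged domains are omitted."""
    results = {}
    for c in candidates:
        reason = classify(c, protected)
        if reason:
            results[c] = reason
    return results


if __name__ == "__main__":
    for domain, reason in scan(CANDIDATES).items():
        print(f"{domain:26} {reason}")
```

Of the nine constructed candidates, six are flagged and the real domain, "sampleform.com" and "weather.org" are not. The distance threshold is the knob that trades false positives for recall: a short brand label at distance 2 collides with many legitimate words, so in practice the threshold should shrink with label length, and flagged domains should feed a takedown workflow rather than block lists directly.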
Ransomware Activity Targeting Sector
Ransomware attacks on the PSTS sector have surged, with a 34% increase in organizations targeted, making it the second-most affected sector after manufacturing. The high value of sensitive data and the perceived likelihood of ransom payments make PSTS organizations attractive targets for ransomware groups. Notably, groups like "Akira," "Black Basta," and "RansomHub" have gained prominence, strategically targeting the sector. Despite a decline in activity from the previously dominant "LockBit" group, the overall threat landscape remains severe, necessitating robust preventive measures such as phishing-awareness training and encryption of sensitive data.
Key Threat: Cyber Espionage
Nation-state–associated cyber espionage poses a significant risk to the PSTS sector due to its role in scientific and technological development and access to sensitive government information. Groups from China, Iran, and Russia frequently target PSTS organizations to steal intellectual property and politically sensitive data, using advanced techniques to establish long-term network persistence. China’s “APT41” group, driven by initiatives like “Made in China 2025,” is particularly prominent in targeting Western companies. To defend against these sophisticated attacks, organizations must prioritize rapid threat detection and containment, as well as patching vulnerabilities and enforcing strict security measures.
Cyber Threat Forecast for PSTS Sector
The PSTS sector is expected to see an increase in supply chain attacks, with organizations being prime targets due to their upstream position in supply chains and reliance on remote workforces. Nation-state groups from Iran, China, and Russia will likely intensify their targeting to steal data on dual-use technologies and scientific research, exploiting phishing, drive-by compromise, and vulnerability exploitation. The rise in temporary contract hires further expands the attack surface, as these workers often use personal devices prone to infection. To mitigate these risks, organizations should focus on patching vulnerabilities, employee training, enforcing strict off-boarding procedures, and limiting access for temporary workers.
Conclusion
The PSTS sector is heavily targeted by ransomware and cyber espionage groups that use techniques like exploiting public-facing applications and abusing remote services. ReliaQuest predicts these attacks will escalate due to the sector’s reliance on remote work and its large quantities of sensitive data. These advanced methods necessitate behavioral analysis detections, as threat actors are often adept at evading defenses. By detecting malicious activity across a range of endpoints and providing Hunt packages for proactive threat hunting, the ReliaQuest GreyMatter security operations platform can identify threats associated with malware, vulnerability exploitation, and external remote services abuse. Deploying ARPs through GreyMatter allows customers to automate response measures, ensuring immediate containment of attacks upon detection.
GreyMatter Detect identifies malicious activity through application programming interface (API) integrations, enabling organizations with complex IT infrastructures, such as those in the PSTS sector, to view actionable alerts within a centralized interface. This streamlines analysis and response actions, significantly reducing an organization’s MTTC. Additionally, GreyMatter’s AI and automation capabilities enable customers to reduce their MTTC to as little as five minutes, effectively preventing threat actors from advancing through the kill chain.