Zeki Turedi, Technology Strategist, CrowdStrike takes a look at the most prevalent cybersecurity issues, highlighting threats, appropriate responses and prevention.
The UK is currently on the front line for cyber attacks. The amount of intellectual property and personal data we hold are a key target for threat actors, and recently we’ve seen a huge uptick in cyber attacks across a multitude of business sectors. Within our current tumultuous political climate, this comes as no surprise.
The propagation of advanced exploits, together with the ease of use and accessibility of malicious tools, has led to a blurring of tactics between statecraft and tradecraft, revolutionising the threat landscape. As threats modernise, so too must our tactics to defend against them, as it is evident that traditional approaches to security are failing. Look no further than the regular news articles reporting on everyday brands being targeted, with the personal data of hundreds of thousands of members of the public being stolen.
Today’s adversaries are persistent in their mission to target and infiltrate UK businesses – predominantly the technology sector – with a 36 per cent increase in attacks over the past six months. Organisations can no longer rely on reactive approaches to stay protected. Instead, they need to start with an assumption that someone might have already breached their perimeter and instigate a work back plan that outlines the necessary steps to remediate and prevent such attacks crippling UK services again.
Recent research from CrowdStrike’s OverWatch threat analysts provides key insights into attacker tactics, techniques and procedures (TTPs). The study shows that the technology, professional services and hospitality sectors were most targeted by cyber adversaries, with actors using a torrent of novel tactics and demonstrating particular creativity and perseverance in defence-evasion and credential-access TTPs. We’ve used this data to assess the current cyber climate, showing which actors are on the rise and what tactics organisations can leverage to defend themselves.
Keeping track of current cyber trends
Recently, the National Cyber Security Centre revealed that whilst tackling a weekly barrage of cyberattacks, it has been able to trace a number of these back to hostile nation-state actors. We know that the threat of nation-backed cyber espionage is a real and pressing one, with 48 per cent of intrusion cases being performed by adversaries operating within a certain nation-state nexus. The reality of such attacks is that they are quick and potentially destructive, and our economy simply isn’t prepared to handle them.
However, governments around the world are fighting back. Once reluctant to point fingers after a cyberattack, a number of states have issued a string of indictments in recent months relating to several high-profile breaches, attributing large-scale attacks to named hackers. For example, the US charged a number of Russian military officers last month for allegedly hacking into a select group of sports-related organisations. The indictment followed statements made by the British and Dutch governments backing the US and accusing Russia’s military intelligence agency of targeting a range of political and media organisations with cyberattacks. Even more recently, we’ve seen the US charge ten Chinese spies for hacking into aviation firms in the UK, US, France and Australia using “phishing” techniques to steal trade secrets and confidential data.
Chinese adversaries on the rise
The tenacity of the adversaries in question is also concerning. Our analysis, which compared thousands of cyberattacks over the first half of this year, highlighted a significant uptick from Chinese threat adversaries. It shows that China is actively engaging in targeted and persistent intrusion attempts against multiple sectors of the economy, including biotech, defence, mining, pharmaceutical, professional services, transportation, and more.
Currently, the Ministry of State Security (MSS) is the primary government agency engaged in the majority of cyber attacks within the Chinese-government nexus, and our threat team has observed multiple intrusions demonstrating sophisticated tradecraft of this nature.
China is now, once again, the most prolific nation-state actor conducting industrial espionage via cyber and non-cyber means. Chinese threat actors pose a long-term and strategic threat, not only to the UK, but to the global economy. These specific threats need to be addressed by every enterprise that may become either a victim or a vector used to target further victims in the ecosystem.
Emerging best practices
Understanding the threat landscape on a global scale is a valuable resource for all organisations when it comes to fighting cyber threats. From a more strategic perspective, it helps security teams learn and develop scope to create new hunting and detection methodologies which in turn increase investigation efficiency against persistent cyber adversaries.
One of the key metrics that OverWatch tracks for all intrusions it identifies is “breakout time” – the time it takes for an intruder to begin moving laterally outside of the initial beachhead to other systems in the network. The current average for this is one hour and 58 minutes. This simple piece of information in turn becomes a valuable metric for any security team responding to incidents. Put simply, if organisations detect, investigate and remediate the intrusion within two hours, they can stop the adversary before serious damage is done and an incident becomes a breach.
Emerging best practice advises that when an attack is in progress an organisation should aim for one minute to detect it, ten minutes to understand it, and one hour to contain it. The reality is that within today’s threat landscape, cyber attacks are not a question of if, but when hackers will bypass traditional security means and gain access to the network.
From the technology side, regardless of how advanced the defence is, there’s a chance that attackers will slip through and gain access. Conventional defences don’t know and can’t see when this happens, resulting in silent failure. When this occurs, it can allow attackers to dwell for months without raising an alarm. The solution lies in continuous and comprehensive visibility into what is happening on your endpoints in real time through an Endpoint Detection and Response (EDR) solution, following an approach recommended by analysts including Gartner.
Likewise, AI helps bring down the time taken to find suspicious behaviours, and gives enterprises without a dedicated threat hunting team the ability to continuously examine the environment for signs of compromise. Measured against the 1-10-60 metric, only by harnessing modern technologies and techniques such as artificial intelligence and machine learning can we make sure our incident response teams are able to react quickly, validate findings and operate with high efficacy.
One more key technology that enables better security practices is the cloud. By crowdsourcing intelligence from events gathered by a large array of security sensors worldwide, a shared threat graph of live and emerging attacks helps an AI-enabled platform keep ahead of threats and protect critical data from day one of a new threat.
The future for cyber security
Although larger organisations typically have greater resources allocated for security, such as bigger budgets and more manpower, they certainly aren’t immune to breaches. Next-generation solutions must include behavioural analytics and machine learning capabilities that can detect both known and unknown threats. These make for a vital tool that can give security teams the visibility they need to detect and eject an adversary before breakout occurs.
AI capabilities are also becoming more powerful and increasingly widespread. If properly managed and leveraged, AI can be a real amplifier for cyber teams. With AI, you can analyse security-related data, including file “features” and behavioural indicators, over a massive data set. AI-based defence is not a panacea, and to cope with the volume and variety of threats organisations must understand their network and assets, and be able to automate their response and detection capabilities for all kinds of threats.
As criminals and adversaries change strategy, so must we. There is a vast amount of innovation and momentum within the cybersecurity space, and more and more products are coming to market to help protect organisations from these pressing and concerning threats. All that is left is for businesses across the world to accept these and adopt them into their infrastructure. The time to act is now, not tomorrow.