By Fabio Fratucello
Before 2011, the industry approach was to defend the perimeter and prevent malware from executing, but that philosophy struggled to handle the sheer volume and complexity of attacks. The security solutions offered at the time could not cope with silent failures or malware-free attacks. Starting up a computer and waiting for the antivirus to start was an ugly experience.
Back then, a security threat meant malware, and nobody looked beyond that. But security goes beyond malware. Behind every attack are human adversaries who keep developing and refining their tactics, techniques and procedures (TTPs). Companies that focus on fixing yesterday’s malware problem will quickly fall behind the adversaries’ constant innovation.
Being cloud native, we have been able to scale security like never before and to use telemetry to understand the adversary in ways that were not possible previously, while the rise of artificial intelligence and machine learning has been critical to further automating security solutions.
These adversaries are people, and by examining these attackers and their operations we can learn a lot about their skills and intentions. That lets us tell our customers which data and assets are being targeted and, most importantly, how the adversaries operate, so that customers can best defend themselves against these persistent and dedicated opponents. Cybersecurity has shifted towards understanding and exposing the adversary at the root of the problem rather than trying to prevent attacks at the surface.
Pandas, spiders and bears
In order to better represent the people behind cyber attacks, we follow a cryptonym system for categorizing adversaries. Some adversaries are directly linked to nation-state actors, some to eCrime groups and others to hacktivists. For example, eCrime groups are classified as “SPIDERS”. This makes it easier for the general public to understand adversaries and the actors responsible for attacks.
Adversaries are shifting from consumers to businesses
Over the past decade, we have seen adversaries shift their approach to ransomware from spray-and-pray techniques to more sophisticated, more targeted tactics with higher payouts. What was once a problem of a few hundred dollars per consumer has now become a multi-million dollar problem for businesses. We saw well-known companies face significant attacks as eCrime groups got more ambitious. They used new tools and techniques, grew in size and complexity, and developed completely different monetization schemes focused on ransomware.
Ransomware actors refined their approach, spending weeks and sometimes months inside a compromised environment preparing to cause as much damage as possible in order to demand large ransom payments. We have observed “Big Game Hunting” techniques aimed at large organizations for maximum profit, as opposed to traditional spray-and-pray techniques.
Today, threat groups act like legitimate companies, adopting new monetization schemes and ways to increase their returns. They developed a Ransomware-as-a-Service (RaaS) business model in which they provide ransomware toolkits to third-party threat actors in return for a share of the ransom. In addition, eCrime actors began to use double extortion techniques, demanding additional payment on top of the ransom under threat of either making the stolen data publicly available or selling it to the highest bidder.
Nation-state threat actors are redirecting their focus
There was also a shift in the adversary landscape as nation-state actors gained in importance. Our intelligence and OverWatch teams have observed massive operations by nation-state actors over the past 10 years, targeting defense organizations and foreign governments and putting cyber espionage in the spotlight.
Prior to 2009-2011, APTs tended to focus on governments. Within that period, however, we began to see a shift as nation-state adversaries began targeting companies. This came as a shock to the industry, as no one had really seen companies being targeted until then. More recently, nation-state actors have begun adapting their models to mimic eCrime groups and disguise their activities.
A look into the future
As the threat landscape continues to evolve, there is still a need for a better understanding of the importance of cybersecurity at the board and security decision-maker level. By providing information about the adversary and how it works, we help bring about this change.
Automation will continue to play a major role in the future of security. It is about the advancement of machine learning models used to predict, protect against and prevent security threats. But it will also be about how this technology is combined with human threat hunting and intelligence to provide the most robust security posture.
(Author – Fabio Fratucello, Chief Technology Officer, Asia Pacific and Japan, CrowdStrike)