-By Fabio Fratucello
Prior to 2011, the industry approach was about defending the perimeter and preventing malware execution but this philosophy struggled to address the sheer volume and complexity of attacks. The security solutions being offered at the time could not cope with silent failure nor malware-free attacks. Booting up a computer and waiting for the anti-virus to start was an ugly experience.
Back then, a security threat meant malware and there wasn’t a view beyond that. But security goes beyond malware. Behind every attack are human adversaries who will continue to iterate and evolve their tactics, techniques and procedures (TTPs). Companies that try to focus on and fix yesterday’s malware problem will quickly fall behind to constant innovation of the adversaries behind it.
Being cloud-native, we were able to scale security like never before using telemetry data to understand the adversary in a way never previously experienced, while the rise of artificial intelligence and machine learning was instrumental in further automation to security solutions.
These adversaries are humans, and by studying these attackers and their operations, we can learn much about their capabilities and intentions so that we may inform our customers what data and assets they are targeting and, most importantly, how to best defend the things they must protect against these persistent and dedicated adversaries. Cybersecurity has shifted toward understanding and exposing the adversary at the root of the problem rather than prevention at a surface level.
Pandas, Spiders and Bears
To better represent the humans behind the cyber-attacks, we follow a cryptonym system for adversary categorization. Some adversaries are tied directly to nation-state actors, some to eCrime groups and others to hacktivists. For example, eCrime groups are classified as “SPIDERS.” This makes it easier for the general public to understand adversaries and the associated actors who are responsible for attacks.
Adversaries shifting from consumer to corporates
Over the last decade, we noticed adversaries changing their ransomware approach from spray-and-pray techniques to more refined, targeted tactics with higher payouts. What was once a problem of a few hundred dollars per consumer has now become a multi-million dollar problem for corporations. We saw well-known companies suffer significant attacks as eCrime groups became more ambitious. They used new tools and techniques, grew in volume and complexity; and came up with totally different monetisation schemes focusing around ransomware.
Ransomware actors became more refined in their approach, spending weeks and sometimes months at a time preparing a breached environment to cause as much damage as possible in order to demand high ransoms. We’ve observed ‘Big Game Hunting’ techniques targeting large organisations for maximum profit as opposed to traditional spray and pray techniques.
Today, threat groups operate like legitimate businesses introducing new monetisation schemes and ways to increase their returns. They developed a Ransomware-as-a-Service (RaaS) business model, in which they provide ransomware toolkits to third party threat actors in return for a cut of the ransom. Also, eCrime actors began to employ double extortion techniques, demanding additional fees on top of a ransom with the threat of either releasing the data publicly or selling it to the highest bidder.
Nation-state threat actors reset their sights
There’s also been a shift in the adversary landscape as nation-state actors became more prominent. Our Intelligence and OverWatch teams have observed massive operations from nation-state actors interfering with defence organisations and foreign governments thrusting cyberespionage into the spotlight over the last 10 years.
Before 2009-2011, APTs typically focused on targeting governments. However, within that time period we began to see a shift as nation-state adversaries began to target corporations. This came as a shock to the industry, as nobody had really seen companies being targeted until then. More recently, nation state actors have started to adapt their models to mimic eCrime groups, disguising their activities.
A view to the future
As the threat landscape continues to evolve, a greater understanding of the importance of cybersecurity is still needed at that board and security decision maker level. By providing intelligence around the adversary and how they operate, we’re facilitating this shift.
Automation will continue to play a big role in the future of security. It will be about further advancement in machine learning models being used to predict, protect and prevent security threats. But it will also be about how this technology combines with human threat hunting and intelligence to provide the most robust security posture.
(Author- Fabio Fratucello, Chief Technology Officer, Asia Pacific and Japan, CrowdStrike)