Geopolitical and criminal aspects of the cyber threat landscape

CrowdStrike’s Global Threat Report 2020 surveyed the cyber threat landscape for the year, with a particular focus on geopolitical concerns and how they relate to the cybersecurity environment.

According to the report, ransomware has remained the top threat, closely followed by banking trojans and malware downloaders, and e-crime escalated using new techniques, tactics and procedures. It highlighted the rise of big game hunting, with ransomware attacks now extorting large ransom sums from enterprises rather than just stealing money from private individuals.

In 2019, the volume of malware-free attacks surpassed the volume of malware attacks globally. Unlike traditional malware attacks, these do not depend on a file being downloaded to the victim’s machine, whether intentionally or unintentionally by the user.

We speak to the CTO of CrowdStrike, Mike Sentonas, on how they arrived at the findings, the changes from 2019, and the mechanics and consequences of these attacks on enterprises and governments in Southeast Asia.

What has changed in the 2020 report, as compared to 2019?

The biggest change that we’ve seen in the 2020 report, as compared to 2019, is the growth in e-crime – specifically using targeted ransomware. This year’s report also highlights the first time the global volume of malware-free attacks has exceeded malware attacks.

Going into 2019, CrowdStrike Intelligence anticipated that big game hunting (BGH) – targeted, criminally motivated, enterprise-scale ransomware attacks – would continue at least at the 2018 pace. However, what was observed was not just a continuation, but an escalation.

The use of ransomware-as-a-service for BGH, where developers sell access to distributors (or customers) through a partnership program with a monetisation model that splits profit per infection between the developers and distributors, became increasingly apparent. The ransomware demands have also grown considerably. In the report, we’ve seen ransom demands that are in excess of US$5 million and a couple that are US$10 million or more.

Like everywhere else in the world, ransomware is an aggressively growing issue in the Asia-Pacific region, because it is such an effective way for financially motivated criminals to make money quickly. Sectors targeted in 2019 include governments, academic institutions, managed service providers in IT, healthcare, manufacturing, financial services and media.

We’ve observed that ransomware attacks are now very much targeted and go beyond the traditional delivery mechanisms of email phishing-style attacks. An example would be adversaries compromising a target, and then installing ransomware from within the organisation.

People tend to think of ransomware as a problem that starts with phishing, so this makes it a more difficult problem to solve. Measures to deal with the rise in ransomware and the complexities around it include good cyber hygiene, having AI and machine learning based prevention technology, and managed threat hunting, where organisations look for evidence of intended intrusion.

We also need to be careful regarding the possible perception that the number of nation-state attacks has declined. Rather, it’s just that the volume of e-crime has grown so aggressively.

How are malware-free attacks conducted and how vulnerable is Singapore / Asia to such attacks?

We’ve been tracking malware versus malware-free attacks. This year’s report significantly highlights that it’s the first time the global volume of malware-free attacks has exceeded malware attacks.

‘Malware-free’ is a type of attack where the threat actor does not install any executable file or software on the victim’s machine. The reason why these are so dangerous is that traditional and some next-generation security software can’t detect these styles of attacks.

In the US, for example, where there is a higher level of security maturity, malware-free techniques are extremely prevalent. Traditional malware is less effective, which is why the attackers have looked for ways to circumvent existing security controls.

To facilitate malware-free attacks, adversaries could enter the organisation in a variety of ways – using stolen credentials, an unsecured device connected to the internet or system misconfiguration etc. They can then ‘live off the land’ – deploying a network’s own tools against it to extend the attack.

If organisations continue to use basic user IDs and passwords for authentication, we anticipate that this trend will continue. To defend against password spraying, the use of strong account management – in conjunction with effective account lockout policies after a defined number of failed login attempts and the use of complex passwords – can assist in preventing passwords from being guessed. In addition, ensure that Remote Desktop Services are appropriately locked down and avoid leaving them exposed to the internet.

Managed hunting, which looks for the ‘live off the land’ techniques that these adversaries use, such as targeting memory-only threads and operating system or dual-use tools, Windows Management Instrumentation (WMI) or scripting, is critical for dealing with malware-free attacks.

In the Asia-Pacific and Latin American regions, where it can be suggested that the security controls are less mature, malware is still effective in allowing attackers to carry out their intended goals.

With that said, malware-free attacks will become a growing problem in the Asia-Pacific region over time, because adversaries are finding that these techniques can help them bypass and evade traditional – and even some next-generation – security controls.
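The password-spraying and account-lockout advice above, turned into a detection check as an added example (this is not code from the report or from CrowdStrike): it runs over constructed authentication log lines and flags both a spray, which deliberately stays under the per-account lockout threshold, and a classic brute force that trips it. The log format, thresholds and IP addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from the report or CrowdStrike).
SAMPLE_LOG = """\
2019-11-04T08:00:01Z auth FAILED user=alice src=203.0.113.7
2019-11-04T08:00:02Z auth FAILED user=bob src=203.0.113.7
2019-11-04T08:00:03Z auth FAILED user=carol src=203.0.113.7
2019-11-04T08:00:04Z auth FAILED user=dave src=203.0.113.7
2019-11-04T08:00:05Z auth SUCCESS user=dave src=203.0.113.7
2019-11-04T08:01:00Z auth FAILED user=alice src=198.51.100.9
2019-11-04T08:01:01Z auth FAILED user=alice src=198.51.100.9
2019-11-04T08:01:02Z auth FAILED user=alice src=198.51.100.9
2019-11-04T08:01:03Z auth FAILED user=alice src=198.51.100.9
2019-11-04T08:01:04Z auth FAILED user=alice src=198.51.100.9
2019-11-04T08:05:00Z auth FAILED user=frank src=192.0.2.44
2019-11-04T08:05:30Z auth SUCCESS user=frank src=192.0.2.44
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>FAILED|SUCCESS) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(log):
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]

def analyse(events, lockout_threshold=5, spray_min_accounts=4):
    """Classify each source IP. A spray keeps every account under the lockout threshold, so
    lockout alone never fires; the signal is many distinct accounts failing from one source."""
    failures = defaultdict(lambda: defaultdict(int))   # src -> user -> failed attempts
    successes = defaultdict(set)                        # src -> users that later logged in
    for e in events:
        if e["result"] == "FAILED":
            failures[e["src"]][e["user"]] += 1
        else:
            successes[e["src"]].add(e["user"])
    findings = {}
    for src, per_user in failures.items():
        worst = max(per_user.values())
        if worst >= lockout_threshold:
            kind = "brute_force"          # one account hammered past the lockout policy
        elif len(per_user) >= spray_min_accounts:
            kind = "password_spray"       # few tries each, spread across many accounts
        else:
            continue                      # typo-level failures, not worth an alert
        findings[src] = {"kind": kind, "accounts": len(per_user), "max_failures": worst,
                         "compromised": sorted(set(per_user) & successes[src])}
    return findings
```

The `compromised` list pairs a flagged source with accounts that subsequently authenticated from it, which is the first thing a hunter wants to triage.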

What are the consequences of increased telecommunications targeting by China on Southeast Asia, and how is this relevant to the 5G conversation?

Based on the report findings, adversary activity originating in China was steady throughout 2019, with a prominent focus on the telecommunications sector. Other sectors within the 2019 target scope included healthcare and aviation entities, providing further evidence that these targeted intrusions are enabling corporate espionage of information vital to bolstering key industries domestically. Based on the report, China also continued to target the government and defence sectors of regional neighbours, with a concentrated focus on Southeast Asia late in the year.

The power of telecom data to espionage agencies was illustrated by the malware known as MESSAGETAP, which was reportedly used by a China-based group called WICKED PANDA to monitor short message service (SMS) traffic from telecom networks. MESSAGETAP can collect and store SMS data based on selection criteria, including phone numbers, international mobile subscriber identity (IMSI) numbers and keywords. The ability to collect data based on specific phone numbers and IMSI numbers indicates that the adversary predetermined which individuals to target for collection, possibly identifying phone numbers in previous reconnaissance or collection activities.

Telecom sector targeting – especially in the Central and Southeast Asia regions – would also complement China’s plan to develop a ‘Digital Silk Road’. This initiative aims to broaden and deepen digital connections to other nations via the construction of cross-border and submarine optical cables, communication trunks and satellite information passageways, and the development of 5G networks.

When we talk about 5G, there are therefore a couple of things to be aware of. One is understanding who is providing the equipment for the rollout and whether there are any risks that must be mitigated during the rollout. The other piece is that 5G will no doubt bring a lot more connectivity, so you have more devices connecting and scope for a greater number of issues as a result.

Combating sophisticated, state-backed adversaries requires a mature process that can prevent, detect and respond to threats with speed and agility. We recommend that organisations pursue the “1-10-60 rule”. This would involve detecting intrusions in under one minute, investigating and understanding threats in under 10 minutes, and then containing and eliminating the adversary from the environment in under 60 minutes.

Organisations that meet this 1-10-60 benchmark are much more likely to eradicate the adversary before the attack spreads from its initial entry point, minimising impact and further escalation.

How does an enterprise prioritise how to protect and what to protect, given the asymmetric threat emanating from state-sponsored cyber-attacks?

Regardless of the size or budget of an organisation, “breakout time” continues to be a critical measurement for organisations trying to stop a breach.

Breakout time is defined as the time between when an intruder gets into a machine – whether it’s through spear-phishing or another sort of strategic web compromise – and when they break out of the beachhead they have established and compromise other systems.

According to the report, the average breakout time for all observed intrusions rose from an average of 4 hours and 37 minutes in 2018 to 9 hours in 2019. This increase reflects the dramatic rise in observed eCrime attacks, which tend to have significantly longer breakout times as compared to nation-state adversaries. It is also important to note that defenders should still focus on speed, as data attributable to nation-state activities in 2019 does not suggest any major changes in breakout times among state-affiliated adversaries this year compared to last year.

Companies must therefore prioritise the allocation of resources that can help them respond within the breakout time window and work toward meeting the outcome-driven metrics of the 1-10-60 rule. This would involve detecting intrusions in under one minute, investigating and understanding threats in under 10 minutes, and then containing and eliminating the adversary from the environment in under 60 minutes. Doing so can mean the difference between an organisation stopping a breach early on or experiencing catastrophic data loss.

To know what to protect and how to protect, cybersecurity first needs to be part of an organisation’s core business process. Company leaders must prioritise knowing how to respond if the organisation gets hacked, and a proven method for integrating security as a business process is to adopt a security framework.

There are then fundamental hygiene measures that the organisation should put in place to make things harder for attackers. This includes regularly backing up data that is essential to the business, patching computers to limit their inherent vulnerabilities, and implementing 2FA and strong passwords to mitigate the effects of credential theft. It’s also very important to educate employees on security best practices.

To meet the speed and precision metrics of the 1-10-60 rule, organisations can turn to next-generation security solutions that are cloud-native, since they are less complex to deploy and relatively cost-effective. Such tools would include endpoint detection and response (EDR), managed threat hunting, and anti-virus with behavioural analytics and machine learning. Such tools provide deep visibility and automated analysis, thereby helping organisations reduce friction, understand emerging threats and take fast, decisive action.

Given that not all organisations are equipped with a dedicated in-house team of security professionals to implement mature processes against sophisticated threats, an option for companies is to look outward to turnkey solutions for advanced endpoint protection – which can be more easily deployed and integrated into current business processes – or managed security service providers for help, thereby filling critical talent gaps in a more cost-effective manner.

How did CrowdStrike credibly arrive at the findings of the report?

Through this report, the CrowdStrike Intelligence team, the Falcon OverWatch managed threat hunting team and the CrowdStrike Services team present analysis that highlights the most significant cyber threat events and trends in the past year.

The findings in the 2020 Global Threat Report were compiled using the following resources:

  • CrowdStrike’s global team of intelligence professionals tracking 131 adversaries of all types, including nation-state, eCrime and hacktivist actors. The team analyses Tactics, Techniques and Procedures (TTPs) to deliver in-depth, government-grade intelligence that enables effective countermeasures against emerging threats.
  • The CrowdStrike Falcon OverWatch team’s proactive threat hunting in 2019, which identified and helped stop more than 35,000 breach attempts. The OverWatch team works to identify hidden threat activity in customers’ environments, triaging, investigating and remediating incidents in real-time.
  • The CrowdStrike Services team’s insights from its most recent publication, the “CrowdStrike Services Cyber Front Lines Report,” which analyses trends the team observed during its many incident response (IR) investigations in 2019.
  • Processing, correlating and analysing petabytes of real-time and historical data collected from more than 2.5 trillion events per week across 176 countries.

This analysis demonstrates how threat intelligence and proactive hunting can provide a deeper understanding of the motives, objectives and activities of threat actors, thereby empowering swift proactive countermeasures to better defend organisations’ valuable data now and in the future.