Cybercriminals continue to wreak havoc on businesses. Advances in technology have enabled more sophisticated attacks, pushing cybersecurity service providers to come up with more nuanced methods of protection. Globally, the threat landscape is constantly evolving.
With cybercrime predicted to cost businesses up to US$6 trillion by 2021, businesses are proactively adopting new best practices in security and incident response to curb fast-moving advanced threats. Today, modern attack methods are coordinated, efficient and agile. It is imperative that businesses both understand the threats they face and are prepared to respond to breaches when they occur.
Shawn Henry, President of CrowdStrike Services, leads a world-class team of cybersecurity professionals who investigate and mitigate targeted attacks on computer networks. Under his leadership, CrowdStrike engages in significant proactive and incident response operations across every major commercial sector and critical infrastructure, protecting organisations’ and governments’ sensitive data and networks.
A former FBI Executive Assistant Director, Shawn was previously responsible for all FBI criminal cyber investigations worldwide, as well as FBI International Operations and Critical Incident Response. He has overseen hundreds of major cyber investigations spanning the globe, from denial-of-service attacks and major bank and corporate breaches to nation-state sponsored intrusions.
CyberSecurity Asean spoke to Shawn about the state of the threat landscape in the Asia Pacific and discussed efficient ways organisations can defend themselves against increasingly sophisticated and highly targeted modern attacks.
According to Shawn, in comparison with its global counterparts, Asia Pacific’s cybersecurity landscape remains an underserved market, especially within emerging economies. Because of the region’s rising prominence in the global economy, there has been an increase in high-profile cybersecurity incidents involving critical infrastructure and financial institutions, placing its sustained prosperity at risk. In fact, an AT Kearney study identified Southeast Asia as a prime target for cyber-attackers, a trend that is likely to continue and is unwittingly spurred by the region’s ongoing digitalisation drive.
“Based on our experience, speed is of the essence for any organisation dealing with a breach, an aspect that challenges many businesses in the Asia Pacific. On average, it takes an intruder one hour and 58 minutes to begin penetrating deeper into an organisation’s network from a compromised machine. This small window of time is critical for an organisation to detect and respond to the intruder, which is why the ability to react swiftly is such an important factor in containing the intruder and stopping a breach.”
Shawn added that the situation is fast changing; cybersecurity efforts are being elevated to the top of national agendas and as a result there is a widespread enactment of regulation aimed at enhancing cyber resiliency. CrowdStrike is witnessing explosive demand for their endpoint solutions across Australian and Asia-Pacific markets and is expecting the momentum to continue as firms seek to shore up their cyber defences in a digital-first economy.
Nation-state actors a real concern for ASEAN & APAC organisations
Recent findings from CrowdStrike’s Global Threat Report show that nation-state adversaries were active throughout 2018, targeting foreign powers, dissidents and regional adversaries to collect intelligence for decision-makers. North Korea, for instance, was found to have been active in both intelligence collection and currency generation schemes. CrowdStrike was also able to track the Vietnam-based adversary OCEAN BUFFALO which, though it appears to focus on domestic operations (possibly including internal law enforcement), may also be targeting Cambodia and has shown activity against the manufacturing and hospitality sectors.
Shawn explained that with China and North Korea aiming for geopolitical prominence on a regional and international scale, CrowdStrike expects targeted intrusion adversaries to continue conducting campaigns in support of their nation-states’ strategies, seeking information from neighbouring and rival states. Targets of nation-state intrusions include organisations in the government, defence, think tank and non-governmental organisation (NGO) sectors, with nation-state adversaries also exploiting weaknesses in telecommunications and technology organisations, especially managed service providers.
Keeping pace with a threat landscape that is continuously growing
Companies continue to get breached despite having legacy antivirus solutions and layered security products. In fact, most organisations that have experienced a breach in the past ten years had two things in common: a firewall, and antivirus software.
Today’s cybersecurity threats are greater than ever, and most business leaders have accepted the fact that breaches are an inevitable cost of doing business. At the same time, there is no slowdown in attacker innovation and the brazenness of threat actors, all targeting the endpoint as the first line of attack.
“In recent years, customers have realised that the singular point product approach is ineffective in stopping major breaches. You need much more than just a firewall and traditional antivirus to stop the stealthy adversary. All companies that have been breached in recent years have had some sort of firewall and AV. A modern, comprehensive platform solution is necessary to effectively combat cyber threats. Cybersecurity is all about speed.”
“While there is no one silver bullet that truly stops all cyberattacks, we believe strong prevention technology, bolstered by the ability to detect and respond to threats in minutes in cases when the adversary finds a way in, while also monitoring proactively 24/7, is the foundation of modern-day cyber defence. You can only accomplish this by leveraging cloud-native endpoint protection and capacity-building features such as AI, behavioural analytics, and threat hunting.”
Defending against increasingly sophisticated and highly targeted modern attacks
Shawn pointed out that there needs to be a paradigm shift in how companies react to cyberattacks; now more than ever, they need to be proactive in reviewing indicators of adversary activity within their network environment. Bolstering an enterprise’s ability to gain greater network visibility through endpoint monitoring is crucial to detecting sophisticated and highly targeted modern attacks from the onset. Detecting adversary activity on the endpoint offers better insight into adversary tactics, improves network owners’ ability to identify indicators of attack, and lets them better ascertain whether a breach has actually occurred.
He added that companies likewise need to conduct thorough cyber due diligence on technology, processes and people, encompassing an organisation’s cybersecurity awareness, its processes, and the defences over its information systems, products and services. After all, adversaries are always after the digital assets stored on networks, ranging from intellectual property and corporate strategies to customer data. With desktops, laptops, smartphones, servers and routers all serving as potential entry points for hackers, a single organisation can have hundreds of thousands of endpoints to protect.
With breakout time measured in hours, CrowdStrike recommends pursuing the “1-10-60 rule” to actively combat sophisticated cyber threats:
Detecting intrusions in under 1 minute
Performing a full investigation in under 10 minutes
Eradicating the adversary from the environment in under 60 minutes
Meeting the 1-10-60 benchmark gives a high likelihood of eradicating the adversary before the attack spreads beyond the initial entry point, minimising impact and further escalation. Meeting this challenge requires investment in deep visibility as well as automated analysis and remediation tools, reducing friction and enabling responders to understand threats and take fast, decisive action.
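The 1-10-60 rule is a set of time budgets, so the natural way to use it in a security operations team is to measure each phase against its budget for every incident. The following script is an added example, not code from the article or from CrowdStrike: it reads a constructed incident timeline (the column names, the sample timestamps and the two incident IDs are all assumptions made here), computes the detect, investigate and remediate durations, checks each against the 1, 10 and 60 minute benchmarks, and also reports whether the adversary was eradicated before the first observed lateral movement, falling back to the average breakout time of 1 hour 58 minutes quoted earlier in the article when no lateral movement was seen.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Time budgets from the 1-10-60 rule described in the article.
BENCHMARKS = {
    "detect": timedelta(minutes=1),        # first malicious activity -> alert raised
    "investigate": timedelta(minutes=10),  # alert raised -> scope and root cause established
    "remediate": timedelta(minutes=60),    # scope established -> adversary eradicated
}

# Average breakout time quoted in the article (1 hour 58 minutes).
AVERAGE_BREAKOUT = timedelta(hours=1, minutes=58)


@dataclass(frozen=True)
class IncidentTimeline:
    """Key timestamps of one incident. Field names are assumptions for this example."""
    incident_id: str
    first_malicious_activity: datetime   # earliest evidence of the adversary on the endpoint
    alert_raised: datetime               # when detection fired
    investigation_complete: datetime     # when scope and root cause were established
    adversary_eradicated: datetime       # when the adversary was removed from the environment
    first_lateral_movement: Optional[datetime]  # None if the intruder never left the first host

    def __post_init__(self):
        # A timeline whose phases run backwards indicates a data-entry error, not a fast response.
        ordered = [self.first_malicious_activity, self.alert_raised,
                   self.investigation_complete, self.adversary_eradicated]
        if any(a > b for a, b in zip(ordered, ordered[1:])):
            raise ValueError(f"{self.incident_id}: timeline events out of order")


def _parse_ts(value: str) -> Optional[datetime]:
    """Parse an ISO-8601 timestamp; an empty cell means the event was never observed."""
    value = value.strip()
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_timelines(csv_text: str) -> list[IncidentTimeline]:
    rows = csv.DictReader(io.StringIO(csv_text.strip()))
    return [IncidentTimeline(
        incident_id=row["incident_id"],
        first_malicious_activity=_parse_ts(row["first_malicious_activity"]),
        alert_raised=_parse_ts(row["alert_raised"]),
        investigation_complete=_parse_ts(row["investigation_complete"]),
        adversary_eradicated=_parse_ts(row["adversary_eradicated"]),
        first_lateral_movement=_parse_ts(row["first_lateral_movement"]),
    ) for row in rows]


def phase_durations(t: IncidentTimeline) -> dict[str, timedelta]:
    return {
        "detect": t.alert_raised - t.first_malicious_activity,
        "investigate": t.investigation_complete - t.alert_raised,
        "remediate": t.adversary_eradicated - t.investigation_complete,
    }


def evaluate_1_10_60(t: IncidentTimeline) -> dict[str, bool]:
    """True for each phase that finished within its benchmark."""
    return {phase: d <= BENCHMARKS[phase] for phase, d in phase_durations(t).items()}


def contained_before_breakout(t: IncidentTimeline) -> bool:
    """Was the adversary eradicated before moving beyond the initial endpoint?
    If no lateral movement was observed, the article's average breakout time is used instead."""
    breakout = t.first_lateral_movement or (t.first_malicious_activity + AVERAGE_BREAKOUT)
    return t.adversary_eradicated <= breakout


# Constructed sample incidents (not real data): one meets every budget, one misses them all.
SAMPLE_CSV = """incident_id,first_malicious_activity,alert_raised,investigation_complete,adversary_eradicated,first_lateral_movement
INC-0001,2019-03-04T09:00:00Z,2019-03-04T09:00:40Z,2019-03-04T09:08:00Z,2019-03-04T09:50:00Z,
INC-0002,2019-03-04T10:00:00Z,2019-03-04T10:04:30Z,2019-03-04T10:20:00Z,2019-03-04T12:30:00Z,2019-03-04T11:58:00Z
"""


def report(csv_text: str = SAMPLE_CSV) -> dict[str, dict]:
    """Per-incident phase durations (minutes), benchmark results and containment outcome."""
    out = {}
    for t in parse_timelines(csv_text):
        out[t.incident_id] = {
            "durations_min": {p: d.total_seconds() / 60 for p, d in phase_durations(t).items()},
            "met_1_10_60": evaluate_1_10_60(t),
            "contained_before_breakout": contained_before_breakout(t),
        }
    return out


if __name__ == "__main__":
    for incident_id, result in report().items():
        print(incident_id, result)
```

In the constructed data, INC-0002 is eradicated 130 minutes after the investigation closed and 32 minutes after the first lateral movement, so it fails all three budgets and the containment check; run against real case-management exports, the same three numbers, tracked per incident over time, show which phase a team should invest in first.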
“This is precisely why it is no longer sufficient to rely on legacy antivirus technology and traditional cybersecurity approaches, which are too slow and ineffective to stop cyberattacks in time. A sophisticated blend of AI and behavioural analytics, offering the capability to deliver real-time investigations in automating and prioritising threat analysis and response is now the way to go.”
Are cybercriminals getting caught and prosecuted for their crimes?
According to Shawn, the last year has seen positive advances in international cooperation and steps towards making adversaries more accountable, including imposing sanctions and issuing indictments against cybercriminals. Data from the United Nations indicate that most economies in the Asia Pacific have adopted cybersecurity strategies backed by the requisite legal and operational frameworks, and have also established dedicated agencies to oversee critical infrastructure protection and, where necessary, the response to cyber incidents.
However, he added that “more work still needs to be done in this area in light of how eCrime and nation-state adversaries have been demonstrating newfound flexibility, developing and breaking alliances, and shifting tactics mid-campaign, alongside a rapidly evolving underground economy.”
“A notable trend we’ve seen recently is the continued rise of ransomware operations targeting large organisations given a new focus on low-volume, high-return criminal activity, coined as ‘Big Game Hunting’. Often, these sophisticated campaigns include well-tested reconnaissance, delivery and lateral-movement Tactics, Techniques and Procedures. We have observed that big game hunters use Advanced Persistent Threat tactics and have a targeted deployment methodology involving credential compromise, lateral movement, and the use of system administrator tools, which closely mimic the behaviour observed from nation-state adversary groups and penetration testing teams.”
It is encouraging to realise that with appropriate investment in cybersecurity protection beyond a traditional antivirus and firewall setup, using AI and behavioural analytics for the detection, investigation and remediation of breaches, corporations can be well prepared to take on oncoming cyberattacks. Additionally, organisations can rest assured that alongside their own efforts to deal with the ever-evolving global threat landscape, dedicated agencies worldwide are cooperating to hold accountable those who inflict major losses on businesses.