A Q&A with Mike Sentonas, CrowdStrike’s VP of technology strategy

Let’s kick-off with a broader question. How is the cybersecurity landscape changing? What new developments are we seeing?    

Cybersecurity threats are continually evolving with growing sophistication aided by the relatively cheap and easy availability of advanced tools. Anyone with malicious intent and a few dollars can purchase “weapons grade” hacking tools – including those developed by nation states and their agencies. Tools like Fuzzbunch, developed by the NSA, are now freely available on the dark web, with instructions and “how to” appearing on Russian language (and other) blogs.

As a result, we are seeing a big increase in sophisticated attacks, perpetrated not only by opportunistic hackers working alone, but also by organised criminal gangs, activist collectives and, of course, nation states themselves.

These groups are leveraging cutting-edge exploits, living off the land techniques (which use tools already installed on target devices, such as PowerShell), and “file-less” attacks which are much harder to spot with traditional security tools. They are also using anti-forensics tools and methods to increase dwell time. 

It’s become apparent with the increased number of public cyber-attacks which are capable of taking down vital infrastructure, such as the NHS, that they’re becoming a lot more sophisticated, and at the same time, easier to execute. Why is this happening? What are cybersecurity firms doing to ensure they’re keeping up with cybercriminals? 

The dark web is a massive black market where anyone can shop around for all manner of sophisticated tools, get advice or join up with like-minded individuals or groups to perpetrate attacks. What’s more, every successful attack such as CryptoLocker or WannaCry encourages other criminals or activist groups to copy them. 

The security community has always said the same thing: that no organisation can guarantee that they will prevent 100% of sophisticated and determined attacks. However, there are many new technologies and approaches that can drive a substantial advantage back to the defender.   

For example, we see the cloud as a game-changer that enables us to create more adaptive, scalable and automated defences against today’s threats. Developments in AI and machine learning can lead to much more effective defence, deterrence and diagnostic capabilities in the near future. 

But there’s also much more that cybersecurity firms and end users can do to collaborate against today’s threats. These efforts should be focused on enabling businesses to know exactly what’s going on in their environment and adapting their capabilities to detect all attacks, including even those that don't involve any malware. To this day, many enterprises lack the awareness and the capability to proactively hunt and detect hackers on their networks. 

This is why I believe investing in the latest technologies to keep pace with adversaries is not optional anymore; in fact, it’s key to staying in business. More and more organisations are recognising that stopping malware is not enough to protect the organisation. I often ask executives “Are you interested in stopping malware or stopping the breach?” In most cases, the answer is the latter. With that, we are seeing a more holistic attempt to detect and prevent threats, regardless of their origin. 

Staying with the theme of public cyber-attacks. There have been numerous over the past few years, including Sony, Ashley Madison, TalkTalk, among many others. However, we recently saw a huge attack on a vital piece of infrastructure in the UK, the NHS. And previously, we saw the attack on the Ukrainian power plant in December, 2015. Why are we seeing cybercriminals start to target infrastructure? What are their motives? What are they hoping to gain from this? 

Infrastructure targeting has been around for decades dating back to the Cold War. But it’s true that critical national infrastructure is becoming an increasingly tempting target for all manner of malicious actor. 

There are three main motivations for attacking infrastructure: disruption, financial gain, and espionage, and these motives can apply to all kinds of attackers, from nation states to individuals. In the past year or two, we’ve seen Russia attack Ukraine’s electricity grid, the attacks on the NHS, Stuxnet (originally developed to target Iran’s nuclear weapons programme), and the targeting of the US and UK energy sectors. 

At the moment, most infrastructure attacks seem to have been perpetrated by nation states, but it is easy to see how other actors could attack the same targets. Hacktivist and terrorist organisations have been attacking companies for years, as have criminal groups. If these groups believe they have something to gain from holding critical infrastructure to ransom, stealing sensitive data or doxing employees, they will. 

For nation states and terrorists, the motivation for targeting infrastructure is the huge potential for disruption that it will cause. There is also an element of prestige and publicity that a successful attack will bring. But infrastructure is only one target among many, and nations must redouble their efforts to protect themselves from economic and security espionage. China is by far the most active in these areas, but we also have been engaged in long-term tracking of North Korea, which primarily focuses on espionage against South Korea, its financial sectors, and U.S. military installations on the Korean peninsula. 

Going into more detail regarding the sophistication of malware, we’re seeing an increase in ransomware attacks. We recently saw the emergence of the Locky ‘rotating ransomware’, a ransomware variant which allows its deployers to continue to modify the virus to avoid/prolong being cracked. What other new types of malware/ransomware are we seeing? What should we be worried about?   

Ransomware is constantly evolving, and one of the most worrying recent trends is how new variants are mutating to bypass traditional antivirus countermeasures. The Locky ransomware provides a great example. In September a variant known as “Herbalife” launched 20 million attacks in just one day, with many of the attacks apparently originating from Vietnam, India, Colombia, Turkey and Greece – none of which are traditionally seen as malware hotbeds. 

As ransomware continues to evolve, so must prevention tactics. By introducing solutions that use machine learning capabilities to look at behavioural-based Indicators of Attack (IoAs), businesses can block attacks before they execute in the system. Once ransomware enters undetected, data is immediately encrypted and inaccessible, or systems are locked down. As critical infrastructure becomes a target, that means increasingly, prevention is the only recourse.

While there is no silver bullet to prevent ransomware, there are steps organisations can take to secure information and infrastructure. Defences such as blocking known threats, patching vulnerabilities and detecting and preventing signs of intrusions are all critical first steps. 

If these attacks are indeed becoming increasingly sophisticated, will traditional AV suffice to protect both consumers and businesses from incoming attacks? Or are we seeing the demise of traditional AV? What do businesses and consumers need to be doing to adequately prepare and mitigate these attacks? 

These attackers are well aware of traditional AV’s vulnerabilities, and their attacks are specifically designed to evade signature-based AV systems. This year’s WannaCry and NotPetya attacks show that traditional AV is simply no longer fit for purpose. Many of the large organisations that were taken down were using these legacy technologies and were not protected against this new type of threat.

While antivirus (AV) software should be a part of any organisation’s security estate, it’s not enough on its own – and can even lull a business into a false sense of security. Traditional AV software can only identify known virus families, and is therefore much less effective at spotting new strains or families of malware – such as zero-day exploits. 

Organisations must ensure that they invest in technology that can detect malware by attributes other than their unique “fingerprint”, and stop threats from propagating once they have pierced corporate defences. 

For example, businesses should use software that can identify threats based on how they behave – such as sending large volumes of email or trying to access or alter files – rather than relying on spotting the signature of a known virus. 

Another key attribute of an up-to-date security estate is the ability to monitor indicators of attack (IoAs), such as code execution or suspicious processes, which can indicate the behaviour of an attack before it’s even occurred and even before the vendor or the wider security community has recognised it as a zero-day.
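As an added illustration of the signature-versus-behaviour distinction drawn above (example code written for this edit, not CrowdStrike's or the interviewee's), the toy detector below applies two behavioural IoA rules, a burst of file rewrites and a burst of outbound mail, to constructed process telemetry; the event format, thresholds and window size are assumptions for the example.

```python
import hashlib
from collections import defaultdict

# Constructed signature database: the SHA-256 of one known sample's bytes.
KNOWN_BAD = {hashlib.sha256(b"locky-sample-v1").hexdigest()}

def signature_match(sample: bytes) -> bool:
    """Traditional AV style check: only an exact hash match is detected."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD

def behavioural_ioas(events, window=10.0, file_threshold=20, mail_threshold=100):
    """Flag processes whose activity inside a sliding time window looks like an attack.

    events: iterable of (timestamp_s, pid, kind, detail); kind is 'file_rename'
    (a file rewritten under a new name/extension) or 'smtp_send' (one outbound mail).
    Returns {pid: set of IoA names} for every process that crossed a threshold.
    """
    per_pid = defaultdict(list)
    for ts, pid, kind, _detail in events:
        per_pid[pid].append((ts, kind))
    rules = (("file_rename", file_threshold, "mass_file_encryption"),
             ("smtp_send", mail_threshold, "mass_mailing"))
    alerts = defaultdict(set)
    for pid, evs in per_pid.items():
        for kind, threshold, ioa in rules:
            times = sorted(ts for ts, k in evs if k == kind)
            start = 0
            for end in range(len(times)):        # sliding window over event times
                while times[end] - times[start] > window:
                    start += 1
                if end - start + 1 >= threshold:  # enough events inside the window
                    alerts[pid].add(ioa)
                    break
    return dict(alerts)

def constructed_events():
    """Constructed telemetry (not real data) for three processes."""
    evs = []
    # pid 100: an unseen ransomware build rewrites 40 documents as .locked in 8 s
    for i in range(40):
        evs.append((0.2 * i, 100, "file_rename", f"report{i}.docx -> report{i}.locked"))
    # pid 200: a benign editor saving two files a minute apart
    evs.append((0.0, 200, "file_rename", "draft.tmp -> draft.docx"))
    evs.append((55.0, 200, "file_rename", "notes.tmp -> notes.txt"))
    # pid 300: a process pushing 150 outbound mails in 5 s
    for i in range(150):
        evs.append((i / 30.0, 300, "smtp_send", f"to=user{i}@example.invalid"))
    return evs
```

A rebuilt sample (`b"locky-sample-v2"`) slips past `signature_match`, while `behavioural_ioas` still flags pid 100 and pid 300 and leaves the benign editor alone.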

As a company, you’ve been involved in some significant threat intelligence projects. Can you talk to me about some of the trends we’re seeing among nation-states? It was recently reported that North Korea was allegedly responsible for the WannaCry attack. Is North Korea an imminent threat?

North Korea is one of the adversaries that continues to cause concern. They have advanced cyber warfare capabilities from a tradecraft perspective and have been known to leverage them in response to world events. Additionally, DPRK has been actively building independent industries in response to sanctions which may lead them to conduct economic espionage in Western countries. 

Nowadays, it’s clear that it’s not a matter of ‘if’ you’re going to be breached, but when. What can organisations and consumers be doing to make sure they’re as prepared to deal with a cyber-attack as they possibly can be?   

Today, it’s clear that organisations can’t prevent 100% of breach attempts. This is why businesses should focus on knowing exactly what’s going on in their environment and adapting their capabilities to detect all attacks, including even those that don't involve any malware. To this day, many enterprises lack the awareness and the capability to proactively hunt and detect hackers on their networks. This is why I believe investing in the latest technologies to keep pace with adversaries is not optional any more; it’s key to staying in business.

Instead of waiting for an attack to happen, businesses should always assume that they have already been compromised, and look to carry out a full investigation. We recommend taking the following steps to prevent the most devastating effects of these attacks:

  • Focus on credential management and require both two-factor authentication (2FA) at time of logon and re-authentication at regular intervals such as every four or 12 hours.  
  • Fight spear phishing campaigns, which target all organisations, using technology such as email and URL filtering, in addition to training employees to spot and report malicious emails.  
  • Ensure that C-level executives continually review, modify and re-approve contracts with third-party IT vendors and ensure that those contracts provision for immediate breach notice to the organisation and implementation of sufficient security controls on the network. 

But ultimately, being able to assess any intrusion and contain it immediately is the only way to future-proof a business. A combination of intelligence and trained personnel is critical to ensure that no matter where the bad guys move, or whatever new tactics they deploy, their movements can be monitored and the business is prepared to act.  

Mike Sentonas, Vice President, Technology Strategy at CrowdStrike 