The traditional cyber security model is an outdated one, focused on building up the perimeter defences of an organisation like some sort of medieval fortress, in an effort to mitigate the threat of incoming malware. However, it is an uncomfortable fact for many that the multi-million-dollar cyber security industry was founded on and continues to embrace an outdated and limiting model.
The problem is that while the majority of cyber security solutions focus on stopping malware, the security landscape has continued to evolve, rendering that perspective increasingly dated. In fact, our research found that 40 per cent of all detections in 2018 were fileless - indicating malicious software that typically goes undetected by traditional antivirus. This data goes against traditional cyber security “wisdom” and makes many of the current cyber security industry solutions a lot less effective, if not obsolete.
We’re still seeing multiple types of attack, but malware-based attacks represent only a small proportion of them. This trend does not mean that the threat of malware has entirely gone away. It remains a powerful tool in the cybercriminals’ armoury, but it is now just one of many. If you are concentrating all your efforts on stopping malware, you are in danger of missing a wide range of other TTPs (tools, tactics and procedures) that are likely targeting your organisation.
In today’s landscape, it’s imperative that organisations focus on stopping the incidents that lead to breaches, as well as stopping malware.
eCrime Trends: Big game hunting
One notable trend that we’ve monitored over the past couple of years has been a dramatic rise in eCrime ransomware attacks aimed at large enterprises. These attackers are taking advantage of RaaS (ransomware-as-a-service) operations run by prominent eCrime groups such as PINCHY SPIDER.
Modern cybercriminals are able to purchase advanced ransomware tools from established adversary groups instead of developing them. They then use sophisticated social engineering and phishing schemes to gain entry into the largest enterprise targets, where they deploy ransomware - demanding huge payoffs. These low-effort/high-return operations are known as “big game hunting”.
Once inside the network, eCrime operators elevate privileges and steal credentials in order to move laterally. Indeed, the fastest and most damaging attacks continue to be those where attackers masquerade as legitimate users via credential theft.
This often occurs when user credentials are uncontrolled, misconfigured, or bypassed. Once access is gained, the organisation is left completely exposed and the actor gains a foothold, allowing them to move around the environment to achieve their objectives.
Breakout time: A critical metric
Typically, threat actors get in fast and “break out” quickly. Nation-state attackers are particularly persistent, demonstrating remarkable patience and resourcefulness as they search for high-value data in a targeted organisation. We call this window of opportunity “breakout time” - the time from when an adversary first compromises an endpoint until they are free to move around the environment.
We recently measured average breakout times for the top nation-state actors and eCrime adversaries. Remarkably, Russia-based threat actors were almost eight times faster than their next quickest competitor - North Korea - who themselves are almost twice as fast as intrusion groups from China.
While certainly not the only metric designed to judge sophistication, this ranking by breakout time is an interesting way to evaluate the operational capabilities of major threat actors. It’s also important to keep in mind that these are average times - many nation-state adversaries can perform much faster than their average indicates.
The 1-10-60 solution
The 1-10-60 rule can be a useful gauge for determining organisational readiness should an event occur. The rule offers guidelines for optimal response times in the face of an attack: one minute to detect, 10 minutes to investigate and 60 minutes to eradicate/remediate.
Assessing how closely your organisation meets these ideal response times can help you better understand where you need to improve. When combined with knowledge of adversary speeds and who might be targeting you, based on your industry or region, these metrics can also help inform your security strategy.
We found that the overall average breakout time observed in 2018 across all intrusions and threat actors was 4 hours 37 minutes, which represents a substantial increase over last year. However, it’s important to reiterate that these are averages and don’t necessarily reflect the breakout time for the particular adversary that may be targeting your organisation.
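As an added illustration (not part of the original article), the sketch below scores incident timelines against the 1-10-60 targets and against the 4 hours 37 minutes average breakout time quoted above. The event names and sample incidents are constructed, and treating each target as a budget for its own phase is an assumption.

```python
from datetime import datetime, timedelta

# 1-10-60 targets; applying each one to its own phase is an assumption.
TARGETS = {"detect": timedelta(minutes=1), "investigate": timedelta(minutes=10),
           "remediate": timedelta(minutes=60)}
# Phase -> (start event, end event). Event names are hypothetical.
PHASES = {"detect": ("compromised", "detected"),
          "investigate": ("detected", "investigated"),
          "remediate": ("investigated", "remediated")}
# Average breakout time the article quotes for 2018.
AVG_BREAKOUT = timedelta(hours=4, minutes=37)


def score_incident(events, breakout=AVG_BREAKOUT):
    """Return per-phase durations, the phases that missed their target, and
    whether the whole incident closed inside the breakout window."""
    ts = {k: datetime.fromisoformat(v) for k, v in events.items()}
    durations, missed = {}, []
    for phase, (start, end) in PHASES.items():
        if start not in ts or end not in ts:
            durations[phase] = None   # phase never finished or was not recorded
            missed.append(phase)
            continue
        delta = ts[end] - ts[start]
        if delta < timedelta(0):
            raise ValueError(f"{end} is earlier than {start}")
        durations[phase] = delta
        if delta > TARGETS[phase]:
            missed.append(phase)
    total = None
    if "compromised" in ts and "remediated" in ts:
        total = ts["remediated"] - ts["compromised"]
    return {"durations": durations, "missed": missed,
            "contained_before_breakout": total is not None and total <= breakout}


# Constructed sample timelines (not real incident data).
INCIDENTS = {
    "INC-A": {"compromised": "2018-06-01T09:00:00", "detected": "2018-06-01T09:00:40",
              "investigated": "2018-06-01T09:09:00", "remediated": "2018-06-01T09:55:00"},
    "INC-B": {"compromised": "2018-06-02T14:00:00", "detected": "2018-06-02T16:30:00",
              "investigated": "2018-06-02T16:38:00", "remediated": "2018-06-02T19:10:00"},
    "INC-C": {"compromised": "2018-06-03T08:00:00", "detected": "2018-06-03T08:00:30"},
}

if __name__ == "__main__":
    for name, events in INCIDENTS.items():
        print(name, score_incident(events))
```

An incident with no recorded end to a phase, such as INC-C, counts as missing that target rather than being silently skipped.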
What this means for your security approach
Overall, today’s advanced cyber security solutions can help fill the void being created by the challenges of hiring and retaining skilled and experienced staff. The cyber world moves so fast that often hiring in expertise is a better way to keep up with all the latest threats and technologies, without the expense and challenge of finding people and vendors yourself.
Organisations need to look for next-gen cyber security solutions that focus on stopping the breach, not just viruses and malware like legacy and traditional solutions. True next-gen solutions are also easier to integrate, deploy and maintain in today’s sophisticated environments than the standard solutions of yesterday.
This heightened degree of automation and ease-of-use enables businesses to constantly review their security postures so they know where the gates might be and the risks they are creating that an attack could exploit. What’s needed is a proactive instead of a reactive approach.
John Titmus, Director EMEA, CrowdStrike