Adam Meyers runs CrowdStrike’s Global Threat Intelligence team and is responsible for creating actionable intelligence that enables customers to understand the who, what, and why of a targeted attack. We visited with Meyers to learn more about his approach to cyber security.
Who or what are adversaries?
Adversaries are the humans behind the attacks. We spent years in security focusing on malware and exploits and techniques, but not on who is perpetrating them. There are humans behind the attacks, so we watch for patterns, use intel to zero in on the human element. We ask who they are, what their motivation is and what types of things they are likely to do in the future. By learning what is happening, we can develop scenarios for what might happen in the future.
What types of adversaries are there?
We place most of our adversaries in three main categories and then will further delineate by commonalities.
There are three main types of actors in the adversary space:
- Targeted Intrusion – typically espionage tied to a nation state (national security, industrial espionage, dissident control)
- Criminal – criminalization of the Internet – who are they and what are they doing and help customers create unique ways to protect themselves; motivated to make $$ with different tactics
- Hacktivists and nationalists – these actors are focused on bringing visibility to their cause
Currently, we are tracking more 70 different adversary groups, which can be as small as one person or include thousands. For each adversary, there is a constant stream of fresh intelligence about activities. That’s why we say, ‘You don’t have a malware problem, you have an adversary problem.’
What can adversary intelligence tell us about the state of security?
As an organization, it can tell you many things. For example, in a specific sector, such as financial services or healthcare, you can tell you who is targeting and what they use in terms of exploits and malware. We are looking for an adversary’s capabilities, indicators, attribution and intentions. With insight into adversary tools, tactics and procedures (TTPs) and multi-source information channels, we are looking at the high-level techniques and tactics being used. We then can recommend a better defense against the TTPs. The level sophistication today is so targeted and focused, that the adversaries know pretty much everything about you from your online activity, and they use that information in the way they target you. As an example we’ve seen adversaries use of social media as a way to target people. Using a fake profile, the adversary can get you to link in with him or her and then use the implied trust relationship to gain access to your information through malicious posts or the exploit the relationship created with a fake profile.
Why is the adversary approach better than a malware approach?
Using an adversary approach to cybersecurity ensures that you are dealing with the problem, not just a symptom of the problem. Malware deals with the symptoms. Adversaries can change their activities and the types of things they are doing, but it is much more difficult for them to change the basic parts and pieces of their operations and how they are doing things. For example, if you get a spearphish with a malicious Adobe file ,it causes the application to crash, this is a bug, the exploit will control the crash using what is commonly called ‘shell code’, which tells the computer what to do while it is crashing such as write a file to disk and execute it. Changing the shell code out is very expensive for the adversary in terms of complexity and limitations of techniques available to bypass security controls. If you watch this code, you will see that an adversary will use it over and over and over you can then build a detection signature and a defense against it which makes things more expensive for the adversary – this means they will think twice before coming back.
Threats are getting more and more sophisticated – can you give me some recent examples?
There are dozens of recent examples. On the nation/state side, we see adversaries working out of Russia where one adversary is focused on oil and gas manufacturing this actor uses asymmetric cryptography and strong operational security to complicate analysis. There is a lot of activity out of Iran that is going after aerospace information, financial institutions, dissidents, and energy sector victims. We see tremendous activity out of China. It is less sophisticated, but there is lots of IP to watch for. We also see targeted intrusion activity proliferating to Indian and Pakistani actors.
Visit The Adversary Manifesto to learn more about adversary intelligence, adversary tools, and other topics from Meyers and others from the Crowdstrike team. If you have a question for the Crowdstrike team, leave a comment here.