CrowdStrike™ CTO and Co-founder Dmitri Alperovitch recently sat down with ISMG to discuss some key insights from the CrowdStrike “2019 Global Threat Report: Adversary Tradecraft and the Importance of Speed.” The interview, captured in this video, focused on how organizations can be better prepared to face today’s challenging nation-state and eCrime adversaries.
Nation State Actors and eCrime Rings
The interview begins with a discussion of how this year’s global threat report is the first time CrowdStrike has ranked adversaries by their capabilities. Alperovitch says that the goal was to measure how operationally proficient these actors are, rather than just looking at the tools they favor, because, “The tools can be easily reused – you can buy them on the black market – so you don’t want to focus on someone’s expertise just because they can spend a lot of money on the dark web and underground forums.” He explains that speed is of the utmost importance in assessing an adversary’s threat level to a target organization: “We wanted to know how fast they are when they are inside the network and we did this by measuring breakout time.”
Breakout time refers to the time it takes for an intruder to begin moving from the initial “beachhead” — an endpoint that’s been compromised — to other systems in the network. Alperovitch says it’s important to know the speed of your adversaries so you can be better prepared to defend against them. He goes on to explain how adversaries in this year’s report were ranked: First place went to Russia, second place to North Korea, and third place to China.
Regarding the surprising disparity between the average breakout times of different nation-state adversaries, Alperovitch comments, “There has been some talk in the industry about whether North Korea could really be as fast as China, which is a lot bigger. But on average, we are seeing the North Koreans (break out) almost twice as fast as the Chinese.”
Closing the Breakout Time Window
Alperovitch explains that closing the breakout time window means ensuring you are faster than your adversary. He says, “Speed is everything in cybersecurity. What I’ve been focusing on for the last several years is speed as a metric, how it can drive cybersecurity policies. One of the things I’ve been advocating is the 1-10-60 Rule — three simple metrics that organizations can measure and report to the highest levels in their organizations, such as the board of directors, the CEO, or whoever is most appropriate.”
The 1-10-60 Rule
The 1-10-60 Rule dictates that organizations should strive to: detect an intrusion on average within 1 minute; investigate it within 10 minutes; and isolate or remediate the problem within 1 hour. Alperovitch explains that organizations that can meet the 1-10-60 criteria have the best chance of foiling today’s most sophisticated adversaries and stopping a potential breach. However, he cautions, “As we’ve seen from this year’s threat report, if you’re facing Russian actors, you have to be even faster than that.” On average, Russian threat actors, which CrowdStrike Intelligence tracks as “BEARS,” demonstrated breakout times of around 18 minutes.
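As an added illustration (not code from the report or the interview), the script below computes the three 1-10-60 metrics and the breakout-time race described above from constructed incident timestamps. It assumes each phase is measured from the previous milestone (intrusion, detection, investigation complete, containment) and that breakout time runs from initial intrusion to the first observed lateral-movement attempt.

```python
from datetime import datetime
from statistics import mean

# Constructed sample incident timeline in ISO-8601 UTC (not figures from the report).
# "lateral" = first observed lateral-movement attempt; None means none was observed.
INCIDENTS = [
    {"id": "INC-1", "intrusion": "2019-03-01T10:00:00", "detected": "2019-03-01T10:00:45",
     "investigated": "2019-03-01T10:09:00", "contained": "2019-03-01T10:50:00",
     "lateral": "2019-03-01T10:18:30"},
    {"id": "INC-2", "intrusion": "2019-03-02T11:00:00", "detected": "2019-03-02T11:02:00",
     "investigated": "2019-03-02T11:07:00", "contained": "2019-03-02T11:30:00",
     "lateral": None},
    {"id": "INC-3", "intrusion": "2019-03-03T12:00:00", "detected": "2019-03-03T12:00:30",
     "investigated": "2019-03-03T12:15:00", "contained": "2019-03-03T12:40:00",
     "lateral": "2019-03-03T12:55:00"},
]

# 1-10-60 targets in minutes; each phase is measured from the previous milestone (assumption).
TARGETS = {"detect": 1.0, "investigate": 10.0, "remediate": 60.0}

def minutes_between(start: str, end: str) -> float:
    """Elapsed minutes between two ISO-8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 60.0

def incident_metrics(inc: dict) -> dict:
    """Per-incident phase durations plus whether containment beat the adversary's breakout."""
    m = {
        "detect": minutes_between(inc["intrusion"], inc["detected"]),
        "investigate": minutes_between(inc["detected"], inc["investigated"]),
        "remediate": minutes_between(inc["investigated"], inc["contained"]),
        "breakout": None if inc["lateral"] is None else minutes_between(inc["intrusion"], inc["lateral"]),
    }
    # The defender wins the race if the beachhead was contained before the first lateral move.
    m["beat_breakout"] = inc["lateral"] is None or (
        datetime.fromisoformat(inc["contained"]) < datetime.fromisoformat(inc["lateral"]))
    return m

def scorecard(incidents: list) -> dict:
    """Average each phase across incidents and compare against the 1-10-60 targets."""
    rows = [incident_metrics(i) for i in incidents]
    card = {}
    for phase, target in TARGETS.items():
        avg = mean(r[phase] for r in rows)
        card[phase] = {"avg_min": avg, "target_min": target, "meets": avg <= target}
    observed = [r["breakout"] for r in rows if r["breakout"] is not None]
    card["avg_breakout_min"] = mean(observed) if observed else None  # adversary speed seen
    card["beat_breakout_ratio"] = sum(r["beat_breakout"] for r in rows) / len(rows)
    return card
```

Run `scorecard(INCIDENTS)` to get a per-phase average with a pass/fail flag against the targets, which is the quarter-over-quarter number the interview suggests reporting upward.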
Big Game Hunting
Another eCrime trend Alperovitch addresses is “Big Game Hunting.” He explains that it’s “a term we’ve started using to describe how eCrime actors have been evolving.” This evolution involves eCrime actors using the tradecraft developed by nation-state adversaries to target large enterprises, looking for a bigger payout. “This strategy of trying to break into one organization, instead of going broad and trying to ensnare a lot of (typically smaller) victims, is where we got the term ‘Big Game Hunting,’” he says. He goes on to discuss how ransomware groups like GRIM SPIDER and others have been very effective at picking a few lucrative targets, getting inside and performing deep reconnaissance, encrypting everything, and then asking for a large ransom. “At that point, you really have some serious damage. You’re not just encrypting one machine, you’re encrypting everything within that network,” he says.
Alperovitch also discusses how geopolitics are really driving the priorities of nation-states. He explains, “Nation-states don’t launch attacks on a whim. Typically, there is a motivation behind it of strategic or national political security. Often when we see tensions explode in the Middle East or other regions of the world, cyberattacks follow.” He says that many of the geopolitical hotspots occurring throughout the world correspond with an increase in related cyber incidents.
Any Organization Can Be a Target
One myth Alperovitch tries to put to rest is the sense some organizations have that they can’t be a target for cyber adversaries. “One of the things we looked at with this report is, who is getting targeted the most? For many years I’ve heard people say, ‘Well, I’m not a bank, I’m not a defense contractor, nobody is going to come after me.’” However, he warns that if your organization has anything of value, someone will want it and target you.
Telecommunications and Hospitality Are Popular Targets
Another trend revealed in the report is an increase in attacks against the telecom and hospitality industries. Alperovitch contends that these industries seem to be popular targets. “In the case of telecom, there is concern because so much flows through those networks and there is so much an attacker can do if they control those networks,” he says.
Hospitality is also an attractive target. Alperovitch explains, “One thing that many may not realize is that the hospitality industry holds a wealth of data that is of interest to everyone: Nation-states want their registration information in order to facilitate human espionage; criminal groups want their credit card data and PI (personal information) that they can monetize — everyone is coming after these hotels.”
How Does CrowdStrike Help You Respond?
The interview closes with a discussion of what CrowdStrike recommends for organizations looking to improve their security postures. Alperovitch returns to the concept of speed and its significance in mounting an effective defense. “The main thing that really stands out in this threat report is this concept of speed and how important it is for everyone to be fast.” He goes on to explain that organizations often get mired in how they patch vulnerabilities or identify malware, while losing focus on the bigger objective of trying to stop a breach.
He advises that every organization take a step back and think strategically about how they can speed up critical activities, focusing on detection, investigation and remediation. Technology, people and process all play an important role in devising a sound security strategy. Once you have a winning strategy in place, it is critical to measure and evaluate results to see if it’s working. ”The reason the metrics are so important is that you can drive accountability with them. The 1-10-60 Rule may be ambitious for many organizations, but at least if you start measuring what your actual numbers are, you can start driving progress quarter over quarter, and hopefully start getting those numbers down.”
- Watch the ISMG interview: “More Insights from the 2019 Global Threat Report.”
- Download the 2019 Global Threat Report: Adversary Tradecraft and the Importance of Speed
- Watch an on-demand webcast on the 2019 Global Threat Report.
- Learn more about the CrowdStrike Falcon platform.
- Test CrowdStrike next-gen AV for yourself. Start your free trial of Falcon Prevent™ today.