ITProPortal: CrowdStrike Discusses Life Beyond Malware

Lighted Malware Letters

This article, “Life Beyond Malware,” originally appeared on ITProPortal and is published here with their permission.

The traditional cybersecurity model is an outdated one, focused on building up the perimeter defenses of an organization like some sort of medieval fortress, in an effort to mitigate the threat of incoming malware. However, it is an uncomfortable fact for many that the multi-million-dollar cybersecurity industry was founded on and continues to embrace an outdated and limiting model.

The problem is that while the majority of cybersecurity solutions focus on stopping malware, the security landscape has continued to evolve, rendering that perspective increasingly dated. In fact, our research found that 40 percent of all detections in 2018 were fileless — indicating malicious software that typically goes undetected by traditional antivirus. This data goes against traditional cybersecurity “wisdom” and makes many of the current cybersecurity industry solutions a lot less effective, if not obsolete.

We’re still seeing multiple types of attack, but malware-based represents only a small proportion of them. This trend does not mean that the threat of malware has entirely gone away. It remains a powerful tool in the cybercriminals’ armory, but it is now just one of many. If you are concentrating all your efforts on stopping malware, you are in danger of missing a wide range of other TTPs (tools, tactics and procedures) that are likely targeting an organization.

In today’s landscape, it’s imperative that organizations focus on stopping the incidents that lead to breaches, as well as stopping malware.

eCrime Trends: Big Game Hunting

One notable trend that we’ve monitored over the past couple of years has been a dramatic rise in eCrime ransomware attacks aimed at large enterprises. These attackers are taking advantage of RaaS (ransomware-as-a-service) operations run by prominent eCrime groups such as PINCHY SPIDER.

Modern cybercriminals are able to purchase advanced ransomware tools from established adversary groups instead of developing them. They then use sophisticated social engineering and phishing schemes to gain entry into the largest enterprise targets, where they deploy ransomware — demanding huge payoffs. These low-effort/high-return operations are known as “big game hunting.

Once inside the network, eCrime operators elevate privileges and steal credentials in order to move laterally. Indeed, the fastest and most damaging attacks continue to be those where attackers masquerade as legitimate users via credential theft.

This often occurs when user credentials are uncontrolled, misconfigured, or bypassed. Once access is gained, the organization is left completely exposed and the actor gains a foothold, allowing them to move around the environment to achieve their objectives.

Breakout Time: A Critical Metric

Typically threat actors get in fast and “breakout” quickly. Nation-state attackers are particularly persistent, demonstrating remarkable patience and resourcefulness as they search for high-value data in a targeted organization. We call this window of opportunity “breakout time” — the time from when an adversary first compromises an endpoint until they are free to move around the environment.

We recently measured breakout time averages showing how fast the breakout time was for the top nation-state actors and eCrime adversaries. Remarkably, Russia-based threat actors were almost eight times faster than their next quickest competitor — North Korea — who themselves are almost twice as fast as intrusion groups from China.

While certainly not the only metric designed to judge sophistication, this ranking by breakout time is an interesting way to evaluate the operational capabilities of major threat actors. It’s also important to keep in mind that these are average times — many nation-state adversaries can perform much faster than their average indicates.

The 1-10-60 Solution

The 1-10-60 Rule can be a useful gauge for determining organizational readiness should an event occur. The rule offers guidelines for optimal response times in the face of an attack: one minute to detect, 10 minutes to investigate and 60 minutes to eradicate/remediate.

Assessing how closely your organization meets these ideal response times can help you come to better understand where you need improvement. When combined with knowledge of adversary speeds and who might be targeting you, based on your industry or region, these metrics can also help inform your security strategy.

We found that the overall average breakout time observed in 2018 across all intrusions and threat actors was 4 hours 37 minutes, which represents a substantial increase over last year. However, it’s important to reiterate that these are averages and don’t necessarily reflect the breakout time for the particular adversary that may be targeting your organization.

What This Means for Your Security Approach

Overall, today’s advanced cybersecurity solutions can help fill the void being created by the challenges of hiring and retaining skilled and experienced staff. The cyber world moves so fast that often hiring-in expertise is a better way to keep up with all the latest threats and technologies, without the expense and challenge of finding people and vendors yourself.

Organizations need to look for next-gen cybersecurity solutions that focus on stopping the breach, not just viruses and malware like legacy and traditional solutions. True next-gen solutions are also easier to integrate, deploy and maintain in today’s sophisticated environments than the standard solutions of yesterday.

This heightened degree of automation and ease-of-use enables businesses to constantly review their security postures, so they know where the gates might be and the risks they are creating that an attack could exploit. What’s needed is a proactive instead of a reactive approach.

Additional Resources

CrowdStrike Falcon Free Trial

Try CrowdStrike Free for 15 Days Get Started with A Free Trial