Why Digital Crowbars Aren’t the Enemy


At CrowdStrike, our approach to fighting cyber crime is fundamentally different from the one the cybersecurity industry has taken over the past 30 years. Traditionally, cyber intelligence has focused on “digital crowbars”—in other words, malware or tools, rather than who is using the tools. The focus on malware detection is analogous to a police force that just focuses on what tools an intruder used to break into a house. Did they use a crowbar? Sledgehammer? Lock pick? In the end, does it really matter what tool was used to break into a house or business? The result is intrusion, theft and danger; those are the important things, not how the intruder gained access in the first place. What is important when trying to stop intruders is actually catching them, not just identifying what tool they used to break in. In order to do that, we need to focus on who—attribution—not what—malware.

As the saying from The Art of War goes, “know your enemy.” This truism is equally important in the context of cyber warfare. At CrowdStrike, our focus is on gaining as much intelligence about the enemy as possible to best arm our clients against future attacks. We believe that focusing on malware doesn’t provide the best defense; rather, that focusing on the adversary needs to be front and center in threat protection.

Another way CrowdStrike differs in our approach is by focusing on attribution—not just who the threat actor is, but what organization he or she is working for. Historically, the cyber security industry has said that attribution back to a specific threat actor or nation-state was impossible and/or was just not important. We don’t agree; in fact, we know it is absolutely possible to attribute attacks back to specific threat groups and even individual threat actors because we’ve done it, as you can see from our recently released Putter Panda Intelligence Report and other threat reports. Without attribution, companies can’t fully understand who is behind potential attacks, which leaves them fumbling when it comes to setting market strategy, dealing with the legal implications of security breaches and other potential or real effects of a cyber attack. By focusing on an individual rather than on the organization behind a threat actor, you can learn about the actual person behind an intrusion and can tailor your response accordingly, making future protective actions that much more effective.

The bottom line is that cyber attacks are not perpetrated by machines; behind every cyber attack, there are actual humans. And, just as humans leave traces of themselves behind at most crime scenes in the physical world, the same is true in cyber. It is human nature to become overconfident and leave traces of yourself behind, especially when involved in repeat criminal activities. Think of the one-time bank robber—he or she is probably meticulously careful that first time, taking extreme care not to leave any trace evidence behind, and, sure, maybe he or she is successful that first time. But during the next crime, and subsequent break-ins, he or she starts getting cocky and stops being so careful, and that’s when evidence is left. Internet privacy, while a thorny subject for the general public, is actually our ally in the case of threat attribution. Data makes threat attribution possible as threat actors, thinking they are shrouded in anonymity, leave digital bread crumbs in their wake without even realizing it.

This is how we identified threat actor “cpyy” of the Chinese People’s Liberation Army (PLA) in our Putter Panda investigations, combing through email addresses, online profiles and personal photos to compile a vivid portrayal of an individual, complete with name, address, and even details about his place of work and past military ties. Then, following these personal digital bread crumbs, we were able to tie this individual back to the 12th Bureau of the 3rd Department of the PLA’s General Staff Department.

Because we know that forewarned is forearmed, CrowdStrike understands that knowing as much as possible about the adversary is the most important step in threat detection and prevention. Digital crowbars and the like…not so much.

Dmitri Alperovitch

Co-founder and CTO of CrowdStrike, Dmitri Alperovitch leads the Intelligence, Technology and CrowdStrike Labs teams. Alperovitch has invented 18 patented technologies and has conducted extensive research on reputation systems, spam detection, web security, public-key and identity-based cryptography, malware and intrusion detection/prevention. He is a renowned computer security researcher and thought leader on cybersecurity policies and state tradecraft. Alperovitch’s many honors include being selected as one of MIT Technology Review’s “Young Innovators under 35” (TR35) in 2013. He also was named one of Foreign Policy Magazine’s Leading Global Thinkers for 2013 and received a Federal 100 Award for his information security contributions.
