Staying one step ahead of the cyber-security hydra

At this moment in time, we are in an “arms race” for cyber superiority. However, there are some important differences between an arms race in the cybersphere versus the physical world: In cyberspace, any player can potentially become a superpower. The capital costs are alarmingly low, compared to funding a physical war machine. Even some of the world’s most impoverished regions proved their ability to make a global impact through cyber campaigns in 2018 — and this is one genie that is not going back in the bottle.

With regard to nation-state actors, speed has become an even more critical aspect when it comes to countering cyberattacks. The Global Threat Report data demonstrated that adversaries are moving even faster when it comes to “breakout time”, Russian adversaries for instance only take an average of 18 minutes to accomplish lateral movement within the victim environment - from where they first entered to moving through the environment.

Furthermore, there has been a notable increase in “scripting” techniques in attacks, as well as the increased use of techniques intended to hide or obscure attacker behaviours. As endpoint protection solutions are becoming increasingly adept at finding and stopping malicious behaviours, attackers are forced to incorporate stealthier measures into their tradecraft.

One of the most vulnerable sectors at the moment is telecommunications. As in 2018, it was noted that organisations in the telecoms sector had been directly targeted, along with regular instances of compromised telecoms equipment and the use of “lures” referencing telecoms services. This trend likely supports state-sponsored espionage actors as they seek to gain access to a broad customer base that relies on telecom services in their target countries.

The targeting of the telecom sector is historically within the scope of several Chinese adversaries; however, the number of operations affecting this sector, or using lures referencing telecom services, suggests an increase in China-based cyber espionage operations on a larger scale, and supports previous assessments that these adversaries regularly engage in upstream targeting. Furthermore, both Iranian and Russian adversaries have been identified as targeting those in the telecom sector. 

The basics of user awareness, asset and vulnerability management, and secure configurations continue to serve as the foundation for a strong cybersecurity programme. CrowdStrike recommends that organisations regularly review and improve their standard security controls, including the following: user awareness, asset management, vulnerability and multifactor authentication. 

With breakout time measured in hours, something that is worth remembering when countering threats is the “1-10-60 rule”. This rule is divided as such; detect intrusions in under one minute, perform a full investigation in under 10 minutes and eradicate the adversary from the environment in under 60 minutes. 

Those organisations that meet this 1-10-60 benchmark are much more likely to eradicate the adversary before the attack spreads out from its initial entry point, minimising impact and further escalation. Meeting this challenge requires investment in deep visibility, as well as automated analysis and remediation tools across the enterprise, reducing friction and enabling responders to understand threats and take fast, decisive action