A new on-demand webcast features CrowdStrike Vice President of Intelligence Adam Meyers and Vice President of OverWatch and Security Response Jen Ayers as they take a deep dive into some of the findings in the 2019 Global Threat Report, “Adversary Tradecraft and the Importance of Speed.” This webcast offers their expert analysis of some of the important observations, trends and statistics resulting from their teams’ efforts throughout 2018. The presenters also offer recommendations that can help organizations increase their defense capabilities and implement the right strategies for 2019 and beyond.
The webcast opens with Ayers discussing how Falcon OverWatch™, CrowdStrike’s dedicated threat hunting team, leverages the power of the CrowdStrike Threat Graph to uncover compelling statistical insights from 2018. She also covers the MITRE ATT&CK™ framework — a globally accessible knowledge base of adversary tactics and techniques based on real-world observations — and explains why CrowdStrike has adopted it and how it contributes to a better understanding of the threat landscape.
In this section, Ayers offers some of the key takeaways from the ATT&CK framework, such as a migration away from standard file-based attacks toward stealthier fileless scripting techniques, and a rise in “living-off-the-land” activity, which describes the use of legitimate tools and processes already installed on target computers.
Adversary Breakout Times
The webcast then delves into the ranking of adversary groups according to their breakout speeds. Breakout time, a key metric CrowdStrike introduced over a year ago, measures the time from when an adversary gets inside a network and establishes a beachhead, to when they are able to begin moving laterally to other targets. CrowdStrike is the first to delineate breakout times by region/type and, as the Global Threat Report reveals, adversary times can vary widely. The webcast includes a discussion of some of these variances, including why Russian threat actors (designated “BEARS” by CrowdStrike Intelligence analysts) are able to achieve an average breakout time of a mere 18 minutes, while eCrime actors (SPIDERS) clock in at over nine hours, on average. A recent blog explains adversary breakout times in more detail.
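To make the metric concrete, here is a small added Python example (not from the webcast, the report or CrowdStrike) that computes breakout time from a constructed set of endpoint events. The beachhead is taken to be the host of the earliest event in an intrusion, and breakout is the gap to the first event on any other host; an intrusion with no event on a second host has no breakout time yet. The intrusion ids, hostnames, timestamps and descriptions are all invented for illustration, and the grouping of events into intrusions is assumed to have been done by an analyst beforehand.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed endpoint events for three hypothetical intrusions (not real data).
# Fields: intrusion id (assumed assigned by an analyst), ISO-8601 timestamp,
# hostname, and a short description of what the telemetry showed.
EVENTS: List[Tuple[str, str, str, str]] = [
    ("INT-1", "2018-06-01T09:00:00", "ws-17", "malicious document macro executed"),
    ("INT-1", "2018-06-01T09:04:00", "ws-17", "credential access activity on beachhead host"),
    ("INT-1", "2018-06-01T09:18:00", "srv-fs-02", "remote logon originating from ws-17"),
    ("INT-1", "2018-06-01T09:40:00", "srv-dc-01", "remote service created"),
    ("INT-2", "2018-07-12T14:00:00", "ws-03", "trojanized installer executed"),
    ("INT-2", "2018-07-12T23:30:00", "ws-22", "scheduled task created from ws-03"),
    ("INT-3", "2018-08-03T08:15:00", "ws-41", "malicious macro executed"),
    ("INT-3", "2018-08-03T08:20:00", "ws-41", "persistence via registry run key"),
]

Event = Tuple[datetime, str, str]


def group_by_intrusion(events) -> Dict[str, List[Event]]:
    """Parse timestamps and return events per intrusion, sorted by time."""
    groups: Dict[str, List[Event]] = defaultdict(list)
    for intrusion_id, ts, host, desc in events:
        groups[intrusion_id].append((datetime.fromisoformat(ts), host, desc))
    for evs in groups.values():
        evs.sort(key=lambda e: e[0])
    return groups


def breakout_time(intrusion_events: List[Event]) -> Optional[timedelta]:
    """Time from the first event on the beachhead host to the first event on any other host.

    Returns None when no lateral movement has been observed (the intrusion was
    contained on the beachhead, or the hunt has not yet found the next hop).
    """
    if not intrusion_events:
        return None
    beachhead_time, beachhead_host, _ = intrusion_events[0]
    for ts, host, _ in intrusion_events:
        if host != beachhead_host:
            return ts - beachhead_time
    return None


def breakout_minutes(events) -> Dict[str, Optional[float]]:
    """Breakout time in minutes for every intrusion in the event set."""
    result: Dict[str, Optional[float]] = {}
    for intrusion_id, evs in group_by_intrusion(events).items():
        bt = breakout_time(evs)
        result[intrusion_id] = bt.total_seconds() / 60 if bt is not None else None
    return result


def average_breakout_minutes(events) -> Optional[float]:
    """Mean breakout time over intrusions where lateral movement was observed."""
    values = [m for m in breakout_minutes(events).values() if m is not None]
    return sum(values) / len(values) if values else None


def contained_before_breakout(intrusion_events: List[Event], containment_ts: str) -> Optional[bool]:
    """Did the defender's containment action land before the adversary broke out?

    This is the practical use of the metric: response time has to beat breakout.
    Returns None when no breakout was observed, so the comparison is moot.
    """
    bt = breakout_time(intrusion_events)
    if bt is None:
        return None
    beachhead_time = intrusion_events[0][0]
    return datetime.fromisoformat(containment_ts) < beachhead_time + bt


if __name__ == "__main__":
    for iid, minutes in breakout_minutes(EVENTS).items():
        print(f"{iid}: {'no lateral movement observed' if minutes is None else f'{minutes:.0f} min'}")
    print(f"average: {average_breakout_minutes(EVENTS):.0f} min")
```

Run against a real incident timeline, the same functions give a per-intrusion breakout figure to set against the organization's own detect-and-contain times; the constructed INT-1 and INT-2 deliberately mirror the 18-minute and nine-plus-hour figures quoted above.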
Global Threat Landscape
Meyers then discusses the global security landscape from a cyber threat intelligence (CTI) standpoint, stating that 2018 was characterized by adversaries developing and improving their tradecraft and retooling their operations. He also outlines CrowdStrike’s approach to “the adversary problem” and explains why understanding the underlying motivations of threat actors is critical. He breaks down adversary motivations into three categories, as follows:
Nation-state targeted intrusions: The past year has seen some proliferation into other regions beyond the key four — China, Russia, Iran and North Korea — with many capable threat actors emerging in other regions.
eCrime attacks: These are financially motivated attacks aimed at monetary gain, although some nation-states, such as North Korea, have also sought revenue via cyberattacks. This is primarily attributed to international sanctions that have made it difficult for them to tap into legitimate global financial resources.
Hacktivist attacks: These are perpetrated by activist groups who typically are motivated by an ideology, such as anti-capitalism or other geopolitical beliefs. As Meyers explains, sometimes nation-state or eCrime actors try to pose as hacktivists to shift the blame and disguise their true intentions. In the webcast, he gives an example of a case that his team was able to uncover.
Balkanization of the Internet
Meyers also addresses the “Balkanization of the internet,” a term that likens fragmentation of the web to the historical splintering of the Balkan peninsula in Europe into a collection of smaller, mutually hostile nations. Meyers explains that this has led many nations around the world to assert internet sovereignty to ensure control and security. Some of the actions he says countries have taken include: demanding that their citizens register their mobile devices with an official agency; applying legal frameworks that limit privacy and ensure monitoring capabilities; blocking foreign websites and services that they consider problematic; and perpetrating other schemes aimed at restricting privacy and increasing control.
Trends, Actors and a Look Forward
A large portion of the webcast is devoted to highlighting the nation-state and eCrime activity observed during 2018. As in the report itself, each discussion offers notable trends, prominent threat actors, and an outlook for key nation-states, including Russia, North Korea, China and Iran. There is also extensive coverage of eCrime, including: the increase in “Big Game Hunting,” where ransomware actors seek to victimize larger organizations to extort more lucrative payouts; a deep dive into the infamous Ryuk ransomware; why business email compromise (BEC) is gaining ground globally; and the outlook for mobile malware.
The webcast concludes with some practical recommendations that will help you create a more targeted and effective security strategy for your organization in 2019.