The Global Threat Landscape is Novel and Requires a Novel Response
From Russia to China to South Korea, the global threat landscape continues to mature, often confounding the assumptions of those who must defend against the attacks. Novel techniques are the norm, such as criminals posing as job seekers to infiltrate networks or attacking non-obvious networks.
This results in attacks that are harder to predict, adversaries that are harder to detect, and breaches that are harder to address. Harder, but not impossible. While we are certainly living in a more dangerous cyber age, we also find ourselves at a point of inflection. XDR is a significant evolution, and we believe that adversary detection and response (ADR) is not far behind, particularly with more collaboration between the public and private sectors.
Perhaps most importantly, we are getting closer and closer to realizing the full promise of Big Data in a cybersecurity context. At Anomali, much of our energy is put towards closing that gap. We believe it is the key to unlocking adversary defense as a truly viable and scalable approach to securing companies and people.
At the RSA Conference 2022, cyber threat experts gave attendees a virtual trip around the world during a panel presentation examining threat actor activity from both nation-states and criminal groups. The panelists revealed the latest global threat activity, as well as the best strategies to thwart increasingly sophisticated attacks.
They detailed adversary behavior that should both concern and energize us, and we share it here in the hopes of generating energy amongst our community, our partners, our customers, and all those who see an understanding of adversary behavior as a critical mission.
Attacks Go Beyond Traditional Platforms
China, while not as flashy and flamboyant as Russia, is reshaping the cyber threat landscape as well. Its attacks are moving beyond traditional platforms such as Microsoft and Linux malware to esoteric systems, like Huawei routers and Solaris implants.
As panelists noted, the attack surface is shifting, widening, and morphing in many different ways. For example, China exploited a vulnerability in software that tracks diseases in cattle to gain a foothold in 18 state and local governments in the U.S. that use the software.
Often, threat actors can exploit vulnerabilities within hours. The implication, according to the panel? Defenders must look beyond traditional assets and accelerate the patching of critical systems. It’s no longer a matter of simply patching every so often. Instead, it’s imperative to have hard conversations with the business about downtime and to schedule patching regularly.
Ransomware as Harassment
Iran has become an innovator in government-backed ransomware. Iranian attackers are becoming more patient, sometimes having 10 interactions with a victim before doing anything malicious. The panelists referred to them as “big-game hunters at scale,” and I couldn’t agree more. We’re not talking about just targeting one system within the network to lock it up. This is a network-wide ransomware endeavor to get as much ransom as possible. Add to this the practice of leaking data to harass organizations.
Cyber Criminals are Posing as Job Seekers
North Korea, whose cyber activities have been mostly on hold during the pandemic, is returning in a vengeful – and creative – way. Among the newest developments: a focus on cryptocurrency schemes. Panelists recounted examples of stolen crypto wallets. If one doesn’t store cryptocurrency offline, they will likely lose all their funds.
In addition, North Korean attackers are using stolen credentials to pass themselves off as U.S. citizens and get hired by companies to infiltrate their networks. While the criminals often have trouble passing the interview process undetected, these aggressive attempts show the need to bolster Insider Threat programs and educate recruiters and HR professionals about this tactic.
Hackers-For-Hire Are Increasing
The panel also highlighted how hackers-for-hire are sprouting worldwide, from BellTroX in India to Darkmatter in the U.S. and United Kingdom to Citron in Macedonia. Nation-states’ use of contractors aims to make it tougher to attribute attacks to any single entity.
Given that hackers-for-hire often target smartphones, defenses include: use a Google Voice number instead of giving out your cell phone number; reboot your phone frequently; and, if you are a high-value target, contact Citizen Lab at the University of Toronto, which can do a forensic analysis to determine if you’ve been a victim in the past.
Press Releases Should Be Prepared Before an Attack
Ukrainians have been incredibly resilient in the face of cyberattacks. When air bombardments knocked out electricity, they would continue their efforts as soon as it was restored. If the Russians knocked out a network, the Ukrainians would rebuild it within hours.
In contrast, western organizations can take weeks to recover because they don’t prepare with the same diligence as the Ukrainians. Organizations should have Incident Response (IR) and negotiator teams on retainer in anticipation of an attack. IR plans should also include detailed PR and communications strategies. Taking days to parse out what to say publicly is time most companies can’t afford. Those who have done well after an attack are those who have been transparent, open, and quick in communicating. This can entail having items like press releases already vetted by lawyers ready for issuing should an attack occur.
The Mission Before Us
These are but some of the ways adversaries are upping the stakes in the battle for security. It was clear to us as we listened that our mission has never been more critical. Simultaneously, it was clear that the mission is not ours alone. Modern adversaries are intelligent and resourceful in ways we might not expect, and so must we be. We must work together, find ways to share information, and coordinate responses in ways that we do not today. We must find new uses for the data we collect, new filters through which we see the world, and new mandates by which we interpret our mission.
Cyber threats are as bad as you might imagine, but we’re also more resourceful than we might give ourselves credit for. We can get there. We will take the fight to the adversary. If this panel revealed anything, it’s revealed what’s at stake. Everything.