Organisations today do not have a malware problem – they have an adversary problem. This is the key take-away from the CrowdStrike Virtual summit on Cybercrime today.
Aaron Aubrey Ng, Strategic Threat Advisor at CrowdStrike, commented that the cybersecurity industry, whether its professionals or its organisations, had long been squarely focused on understanding the latest virus, the latest worm or the latest malware. He states that it is instead critical to understand the adversary, what they are trying to accomplish and why, rather than simply understanding a binary.
Aaron comments that security officers need to understand “Why the adversary is motivated to target the organisation, or to understanding the tactics, techniques, and procedures, the TTPs of the adversary in totality, of which malware is just one of the many TTPs adversaries have employed in their attacks”.
With the rapidly increasing number of cyber-attacks globally, it is only when organisations develop a holistic understanding of the adversary (the why, the how and the what) that they can be better prepared to effectively protect themselves against the growing number of adversaries today.
“And for that very reason, CrowdStrike continues to adopt a very strong adversary-centric approach in everything and anything that we do,” says Aaron Ng.
Key Adversary Categories:
Nations Supporting Cybercrime for Income
Nation-states that support growing cybercrime groups are primarily motivated by espionage: industrial and government intelligence gathering.
According to the CrowdStrike Global Threat Report, nation-state adversaries are typically a function of either a country’s foreign intelligence agency or its military intelligence branch or service.
Signals intelligence began with the interception of signals over the air or on landline communications. As communication technology advanced and became digitised, so too did the interception techniques, moving into the digital realm as a natural evolution of collecting and intercepting communications.
However, many nation-state actors are also motivated by other objectives. A good example would be the North Koreans, the DPRK-based adversaries that CrowdStrike tracks under the Chollima designation.
These adversaries are, according to Aaron, financially motivated, and generating revenue through cyber means is one of the main ways in which the Kim regime in North Korea achieves economic survivability today.
The sustainability of the economy strongly rests upon these revenue generation operations.
E-crime Adversaries
E-crime adversaries are, by definition, motivated by financial crime. These bad actors are primarily motivated by profit, and they range from adversaries focused on performing ransomware attacks to access brokers, adversaries that buy and sell credentials to the highest bidder.
Hacktivist Adversaries
These are the adversaries typically responsible for disruptive attacks, such as denial-of-service or web-defacement attacks. They are generally motivated predominantly by ideology.
It could be a political ideology or a socio-economic one, but for all intents and purposes they are motivated by ideology, performing disruptive attacks to generate more visibility and to champion their cause.
Scope of Number of Cyber Attacks Growing
As of this morning (24 March), CrowdStrike says it tracks 261 adversaries across these three main categories and, in 2024 alone, has identified and attributed attacks to 26 new adversaries.
The company says it is also tracking more than 140 malicious activity clusters: groups of intrusions that it has meaningfully aggregated and correlated with one another.
CrowdStrike then gathers more information and evidence about a cluster’s physical location and the identities behind it before designating it a fully fledged adversary group.
Cyberattacks are not stopping; according to CrowdStrike’s cybercrime statistics, they are in fact accelerating.
Major Areas of Increasing Attacks:
Social Engineering
Social engineering remains the primary source of cyberattacks, with the key attack vectors showing how adversaries adapt to changes over time. Increasingly, this has a lot to do with developments in generative AI, with the era of deepfakes and the use of generative AI to perform social engineering attacks.
This aligns with the general trend: an explosion in phishing and voice phishing attacks in which adversaries impersonate legitimate people, for example pretending to be an IT help desk to phish for credentials or to convince the victim to perform a password reset. This type of attack has seen a very significant increase over the past year.
Vulnerability Attacks
Within the vulnerability space, the trends are also consistent, according to the report. These are attacks that create opportunities for initial access. CrowdStrike claims that more than half of all the vulnerability exploitation it has observed is directly related to initial access.
“This should get us thinking about how we can harden our external attack surface, by recognising the fact that the adversaries are now increasingly thinking very hard about how they can become more and more successful at achieving initial access to gain their foothold in their target environment,” says Aaron Ng.
Post-exploitation and Key Reaction Timing
CrowdStrike’s research uses the term breakout time as a relative measure of how fast adversaries move. Breakout time is the time it takes an adversary, after achieving initial access, to move from the first compromised host to another system, breaking out from its foothold.
The rationale for using it as a relative measure of adversary speed is that defenders of an organisation know for a fact that once an adversary achieves breakout, the attack becomes immensely difficult to stop.
“And what is, in fact, really, really terrifying is that in 2024, we have on the clock recorded the fastest breakout time to be 51 seconds” says Aaron.
That means defenders have less than one minute in that environment to detect, investigate, contain, and ideally eradicate a threat. In 2023, the average breakout time of adversaries was 62 minutes. In 2024, the average breakout time is now 48 minutes.
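As an added illustration (not code from the article or from CrowdStrike), the following Python computes breakout time from constructed endpoint events that a SOC has already correlated to an intrusion: the first event on a host other than the one where initial access landed marks breakout. It also measures the margin between that moment and the time responders contained the intrusion, which is the window the passage above describes. Host names, intrusion ids, actions and timestamps are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Event:
    """One endpoint telemetry record, already correlated to an intrusion."""
    ts: datetime
    host: str
    intrusion_id: str  # correlation key the SOC assigns when it clusters activity
    action: str


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample telemetry (hypothetical hosts and times, not real data).
# INT-A breaks out after 51 seconds, INT-B after 48 minutes, INT-C has not yet.
SAMPLE_EVENTS: List[Event] = [
    Event(parse_ts("2024-03-24 10:00:00"), "WS-17", "INT-A", "initial_access_phishing"),
    Event(parse_ts("2024-03-24 10:00:30"), "WS-17", "INT-A", "credential_dump"),
    Event(parse_ts("2024-03-24 10:00:51"), "FS-01", "INT-A", "remote_service_logon"),
    Event(parse_ts("2024-03-24 11:00:00"), "WS-22", "INT-B", "initial_access_exploit"),
    Event(parse_ts("2024-03-24 11:48:00"), "DC-01", "INT-B", "remote_service_logon"),
    Event(parse_ts("2024-03-24 12:00:00"), "WS-05", "INT-C", "initial_access_phishing"),
]


def _timeline(events: Iterable[Event], intrusion_id: str) -> List[Event]:
    """Events of one intrusion in time order."""
    return sorted((e for e in events if e.intrusion_id == intrusion_id), key=lambda e: e.ts)


def breakout_timestamp(events: Iterable[Event], intrusion_id: str) -> Optional[datetime]:
    """Time of the first event on a host other than the initial-access host, or None."""
    timeline = _timeline(events, intrusion_id)
    if not timeline:
        return None
    first_host = timeline[0].host
    for e in timeline[1:]:
        if e.host != first_host:
            return e.ts
    return None  # still confined to the foothold host


def breakout_time(events: Iterable[Event], intrusion_id: str) -> Optional[timedelta]:
    """Breakout time: initial access to first activity on a second host."""
    timeline = _timeline(events, intrusion_id)
    out = breakout_timestamp(timeline, intrusion_id)
    return None if out is None else out - timeline[0].ts


def average_breakout_seconds(events: Iterable[Event], intrusion_ids: Iterable[str]) -> Optional[float]:
    """Mean breakout time over intrusions where breakout was observed."""
    events = list(events)
    times = [breakout_time(events, i) for i in intrusion_ids]
    observed = [t.total_seconds() for t in times if t is not None]
    return sum(observed) / len(observed) if observed else None


def containment_margin(events: Iterable[Event], intrusion_id: str, contained_at: datetime) -> Optional[timedelta]:
    """Positive: responders contained the intrusion before breakout.
    Negative: the adversary broke out before containment."""
    out = breakout_timestamp(events, intrusion_id)
    return None if out is None else out - contained_at


if __name__ == "__main__":
    for iid in ("INT-A", "INT-B", "INT-C"):
        print(iid, "breakout:", breakout_time(SAMPLE_EVENTS, iid))
    print("average breakout (s):", average_breakout_seconds(SAMPLE_EVENTS, ["INT-A", "INT-B", "INT-C"]))
    print("INT-A margin:", containment_margin(SAMPLE_EVENTS, "INT-A", parse_ts("2024-03-24 10:02:00")))
```

Run against a real event store, the same two numbers are what matter for a defender: the breakout time distribution tells you how fast your adversaries are, and a negative containment margin on any intrusion tells you the response clock was not fast enough for that one.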
“And unfortunately, as some of us are familiar with the notion of the Layer-8 problem, as much as I don’t typically like to state that humans are the weakest link, oftentimes in security it is unfortunately still the case, which is why security awareness continues to be really important.” “Cyber hygiene continues to be very important and, at the same time, adversaries are continuously exploiting and innovating with social engineering to effectively achieve that foothold in their target organisation,” Aaron Ng concludes.