Lessons learnt from 2022 Cloud and Cyber Security Expo

Global unrest over the past few years has changed the way in which people go about their lives, and this is no different for cybercriminals.

We have been able to experience how truly connected the world really is and have seen how readily cybercriminals will exploit situations at any opportunity. This blog will explore the types of threat actors that have dominated, changes in important key metrics and steps that organisations should continue to follow to bolster their defences.

Cyber security threat actors that have dominated in the past two years

Over the past two years, there has been a significant growth in cyber criminality. Nation-state groups are carrying out state-sponsored attacks targeting IT and cloud services to gain access to data and intelligence. Hacktivists are ‘picking sides’ in conflicts – on one side, groups are targeting Russian news outlets, and on the other, some have targeted financial institutions that have imposed sanctions on Russia. The pandemic has expanded the cyber-attack surface, providing more opportunities for cybercriminals to exploit vulnerabilities. Global events that expose how interconnected the world is now have blurred the distinction between nation states and criminal groups as motivations overlap, making the implementation of accurate and appropriate security controls more difficult than ever.

The importance of e-crime breakout time

E-crime breakout time is the time it takes for a threat actor to access an organisation’s network and is therefore also the time that the organisation must detect and respond to the incident before lasting damage is caused. This metric has been steadily decreasing over time as criminals get more sophisticated with their attacks, so understanding how this time varies for your organisation is critical to a defensive strategy. An assessment of breakout time will allow a better operational understanding of bottlenecks and indicate the length of time that internal SLA’s need to be to respond in a timely manner.

The e-crime index (ECX) is a metric introduced by Crowdstrike and tracks the e-crime ecosystem by identifying and mapping changes in the cyber threat landscape. It has confirmed suspicions on the types of events that spike criminal activity, where events that cause a lot of internet traffic, like Black Friday, and vulnerability exposure, like Microsoft patch releases, take precedence. The ECX helps identify notable changes that can then be further investigated.

The main targets of e-crime

Attacks are heavily being directed at the supply chain across various industries, as criminals monopolise on the ability to penetrate multiple actors from a single entry-point. The industrial engineering and manufacturing sectors are particularly vulnerable to this as they rely heavily on the supply chain to keep operations going. Many managed service providers are also targets as they work with numerous organisations, so the impact of an attack can be far-reaching.

Cyber-crime has frequently been associated with large organisations, making small and medium enterprises assume the risk of attack is lower for them, however many SMEs are an essential part of the supply chain and equally viable for attack. This risk is also heightened considering that SMEs will also have less to invest in their security defence strategy, presenting an easier ‘way in’ for attackers. During the pandemic, SMEs had to make significant changes to their business operations and working practices, as did other organisations, but are less likely to have also updated their security measures along with it which leaves them a lot more vulnerable.

Steps Organisations should follow

• Patching – as touched upon previously, it is crucial to implement patches as soon as they are released to counter any reverse-engineering attempts by threat actors.
• Ensure that your organisation stays up to date with the latest patch releases from vendors.
• Make sure to test and validate them in a test environment before deploying into any production systems to ensure the patch doesn’t break anything vital.
• Patch Management software can decrease the time between patch release and deployment through automation.
• 1-10-60 rule needs to be a standard for responding to cyber threats quickly and efficiently.
• Detect intrusions in under 1 minute. Your organisation needs to identify visibility gaps and implement AI solutions that use real-time data and behavioural analysis to ensure that detection is quick.
• Investigate in 10 minutes. This requires a comprehensive and extensive knowledge of your infrastructure, including what security measures are currently in place and where you hold sensitive data.
• Contain and eliminate the adversary in 60 minutes. Utilise automation tools and coordinate actions and visibility to ensure you have an effective remediation plan in place.
• Take advantage of new technologies.
• AI can be leveraged to predict, prevent, detect and respond to cyber-security threats through real-time data analysis from a wide variety of sources. The behaviour analysis utilised by AI allows organisations to enhance their threat detection and prevention process and reduce the likelihood of zero-day attacks occurring.
• Implement Cyber Security drills to test that your organisation can respond to security breaches quickly and effectively before attackers do.
• This will allow your organisation to evaluate security measures and policies, as well as employee knowledge.
• Know your adversary: The root of being able to track threat actors is understanding who they are, their motivations and how they are most likely to execute their attacks. Understanding the tactics, techniques are procedures (TTPs) allows your organisation to analyse and monitor activity to detect abnormal behaviour associated with a known TTP, increasing the effectiveness of security responses, and driving down costs. However, it is also essential to stay aware of the reality that TTPs are constantly evolving and becoming harder to distinguish as attackers develop off-the-shelf malware to remain undetectable and unidentifiable, so it is imperative that indicators of compromise are leveraged. Any digital evidence left after a malware or data breach that is detected with allow a faster response time and help secure your organisation against future attacks. Using threat intelligence tools can also help to automate the analysis of TTPs and validate information from a range of sources on current and potential threats.

Conclusion

It is critical that organisations remain aware of how cyber-criminal activity is changing in an environment that is becoming increasingly dynamic by tracking trends and investing more in understanding the people behind the attacks. When there is such a vast amount of information to process, the strategic emphasis should lie in a risk-based approach, where available resources can be directed through prioritisation. This will drive the most efficient allocation of time and skill and help to raise the overall cyber maturity of the organisation through a full understanding of the unique threats and vulnerabilities.