The concept of Big Game Hunting has gained much traction in the cybercrime world in recent years. Ransomware attackers frequently target organizations with substantial cash reserves because the chance of extracting a large ransom is high. The cybercriminal enterprise is not composed of sophisticated hacker groups alone: it also includes RaaS affiliates who lease ransomware variants to target organizations, and access brokers who sell access to enterprise networks on underground forums. To guard against these threats, round-the-clock threat hunting capability is essential.
In a recent blog, threat intelligence leader CrowdStrike said the overall impact of the ransomware attack on Colonial Pipeline forced major hacker groups, such as Carbon Spider (the owner of the DarkSide ransomware), Pinchy Spider (the owner of the REvil RaaS), and Riddle Spider (operator of the Avaddon RaaS), to prohibit ransomware-related posts on their forums and stop their affiliate (RaaS) programs.
CrowdStrike, however, cautioned that these groups continue to pose a major threat to the digital world. They are “successful, sophisticated, and resourceful”, will continue to operate in a more closed and private fashion, and will return to eCrime activity, not necessarily involving ransomware, under a new name or brand.
Prominent hacker groups, state-sponsored ones, and their affiliates are now conducting targeted intrusion campaigns using novel techniques. From CryptoLocker to WannaCry to SamSam to Ryuk to REvil and now DarkSide, many advanced ransomware variants, or combinations of them, have been used with devastating effect, inflicting losses of over $20 billion on U.S. businesses in 2020. A lack of specialized threat-hunting capabilities among organizations and overreliance on “part-time threat hunting” have been major factors contributing to the successes enjoyed by cybercriminals.
“The cyber threat landscape continues to throw up new challenges for defenders. In the face of fast-moving adversaries and an ever-changing threat environment, organizations must not let their cyber defenses get lost in rhetoric and allow ‘threat hunting’ to become another industry buzzword,” says CrowdStrike. Organizations across all sectors and of all sizes should, the company says, enable 24/7/365 threat hunting, practice basic cybersecurity hygiene, not become habituated to “good enough” security, and not let blind spots become the reason for their downfall.
Speaking to Toolbox, Thomas Etheridge, the Senior Vice President of Services at CrowdStrike, discussed the importance and relevance of threat hunting, why it finds a place in the government’s recent Cybersecurity Directive, and the key ingredients of a robust incident response plan.
Are Ransomware Payments Becoming a Worrying Trend?
Etheridge said that a lack of robust cybersecurity capabilities has made organizations vulnerable to ransomware. Until recently, most organizations treated their cybersecurity budgets as an unnecessary expense. They now realize this is a critical investment if they are to continue to operate effectively in the cyber threat landscape.
“CrowdStrike has been reporting on the rapid rise in the activities of e-Crime threat actors for a number of years. In 2019, we introduced the concept of Big Game Hunting, where we noticed an alarming trend of e-crime hunting groups targeting organizations either with deep pockets or operating in critical sectors such as financial, healthcare, education, and pharmaceutical sectors,” he said.
“Threat actors have been savvy to some of the challenges associated with paying a ransom and they have been using different tactics to force organizations to make a payment. Business disruption and the inability to bring operations back online is unaffordable for some of the large organizations impacted by these types of attacks, such as healthcare and educational institutions. These factors are used by threat actors to force a ransom payment.”
He added that by destroying the ability of organizations to operate effectively, threat actors have realized that they can arm-twist organizations, especially those in critical sectors such as healthcare, education, and public services, into paying a ransom. As a result, we are seeing more and more enterprises paying a ransom to restore operations.
There is, however, a lot of passion within the industry to stem the tide of Big Game Hunting that targets organizations that are unable to defend themselves from sophisticated attacks. This passion, coupled with law enforcement action, has the potential to disrupt the ransomware industry in the coming days.
Do Organizations Incorporate the Possibility of Paying a Ransom In their Incident Response Plans?
Etheridge said that many of the organizations CrowdStrike works with are looking seriously at their ransomware readiness. They are conducting assessments of how prepared they are, and how well they can defend against these attacks, based on the telemetry and threat data available in the market about how threat actors gain access. They are doing a lot to assess their ability to defend against these attacks, and they are talking to their insurance providers specifically about cyber insurance coverage should they be hit by such an event.
This has, frankly, put a lot of strain on the insurance industry, he said. “I am sure the insurance industry is evaluating some of the contingencies around how they support cyber insurance programs. It’s a huge problem for the cyber insurance vertical.”
Responding to how the insurance industry is coping with the question of ransomware coverage, he said the insurance industry is evaluating how they assess risks. They look at overall cybersecurity hygiene, compliance environment, security program maturity, backup strategies, testing and training strategies, staffing models, how companies operate, and other factors. The industry is also evaluating its business model based on the number of ransomware events that have occurred over the last couple of years.
“The question of making a ransom payment is ultimately a business decision. In many situations, cybersecurity vendors encourage organizations to seek the advice of their lawyers, inside counsel, or outside counsel on whether or not they should make a ransom payment. CrowdStrike strongly recommends that they not pay the ransom, but it ultimately becomes a business decision, and we strongly recommend that they work collaboratively with attorneys to make those kinds of determinations,” Etheridge said.
Modern-day threat actors are making it extremely difficult for organizations not to pay a ransom. They are targeting the IT infrastructure for encryption or disrupting business operations and are also focusing on exfiltrating sensitive data, PII, and business insights. If an organization refuses to pay a ransom, they will use that data to extort a ransom payment by threatening to publish or sell the information.
Is Threat Hunting the Big Focus of the Government’s Cybersecurity Directive?
There are several key components in President Biden’s Cybersecurity Directive, Etheridge said. The first is the proposition that organizations need to look at next-generation antivirus technologies, use the cloud to deploy and scale them, and take advantage of the advances vendors have made in AI and machine learning to improve overall prevention capabilities.
These technologies, delivered on a scalable cloud platform, let organizations whose endpoints are dispersed across a wide user population and many geographic locations better protect their systems and assets against cyber threats.
Another element that is critically important is Threat Hunting. Using threat hunting as an additional layer of security will help organizations to be able to detect threats that some endpoint security technologies cannot, Etheridge said. It also allows organizations to be much more thorough in their assessment of whether or not there is an incident that requires investigation or remediation.
In many cases, threat actors gain access to infrastructure through stolen credentials, unsecured RDP connections, and phishing campaigns that give them a foothold on a particular endpoint, and then use tactics and techniques that disguise their behavior so it looks like that of typical users or administrators. This allows them to infiltrate networks and move laterally to achieve their objectives.
How Are Organizations Dealing With the Issue of Identity Misconfigurations?
It is essential for organizations to use zero trust as a mechanism to prevent malicious or unauthorized entities from gaining access to enterprise resources, Etheridge said. Zero trust ensures visibility into accounts, rights granted to each user account and is also one of the key directives in the government’s recent policy update.
CrowdStrike acquired Preempt last year; its focus is on integrating identity and zero trust technologies with the CrowdStrike platform. It provides visibility into identities inside an organization’s Active Directory infrastructure: understanding privileged accounts, managing those accounts, their passwords, configurations and resets, and practicing IT hygiene through a combination of IT applications and the Discover application. The tool helps organizations implement programs around zero trust.
What Differentiates AI and ML Models for Threat Detection Offered by Cybersecurity Vendors?
With many EDR vendors moving from traditional Indicator of Compromise (IOC) type detection capabilities to more of a focus on Indicators of Attack (IOA), a concept which CrowdStrike helped to pioneer, next-gen solutions have become dependent on machine learning and AI algorithms designed to interpret user behavior and how systems and software are leveraged for good actions and bad actions.
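The IOC-versus-IOA distinction above, and the initial-access path the interview describes (an RDP logon followed by lateral movement disguised as normal admin activity), as an added illustration that is not from the article or from CrowdStrike: an IOC check matches a static blocklist, while an IOA-style check looks for a behavioural chain. All events, addresses and the blocklist are constructed, and the field names are assumptions modelled loosely on Windows 4624 logon events.

```python
"""Added example: IOC (static) matching vs. IOA (behavioural) detection over constructed logon events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. Fields loosely follow Windows 4624 logons:
# logon_type 10 = RemoteInteractive (RDP), logon_type 3 = Network (admin shares, remote services).
EVENTS = [
    {"ts": "2021-06-01T02:03:00", "user": "jsmith", "src_ip": "203.0.113.7", "host": "FS01", "logon_type": 10},
    {"ts": "2021-06-01T02:05:00", "user": "jsmith", "src_ip": "10.0.0.15", "host": "DC01", "logon_type": 3},
    {"ts": "2021-06-01T02:06:00", "user": "jsmith", "src_ip": "10.0.0.15", "host": "HR-SQL", "logon_type": 3},
    {"ts": "2021-06-01T09:00:00", "user": "asharma", "src_ip": "10.0.0.22", "host": "WS22", "logon_type": 10},
    {"ts": "2021-06-01T09:01:00", "user": "asharma", "src_ip": "10.0.0.22", "host": "FS01", "logon_type": 3},
]

BAD_IPS = {"198.51.100.9"}            # constructed IOC blocklist; the intruder's address is not on it
KNOWN_IPS = {"10.0.0.15", "10.0.0.22"}  # constructed baseline of internal/VPN addresses


def ioc_hits(events, bad_ips=BAD_IPS):
    """IOC-style detection: flag only events whose source IP is already on a blocklist."""
    return [e for e in events if e["src_ip"] in bad_ips]


def ioa_hits(events, known_ips=KNOWN_IPS, window=timedelta(minutes=10), min_hosts=2):
    """IOA-style detection: an RDP logon from an unfamiliar source, followed within `window`
    by network logons from the same account to at least `min_hosts` other hosts.
    Each step looks like ordinary admin activity; the chain is what makes it suspicious."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        for i, entry in enumerate(evs):
            if entry["logon_type"] != 10 or entry["src_ip"] in known_ips:
                continue  # not an RDP logon, or it came from a familiar address
            t0 = datetime.fromisoformat(entry["ts"])
            later = [x for x in evs[i + 1:]
                     if x["logon_type"] == 3 and x["host"] != entry["host"]
                     and datetime.fromisoformat(x["ts"]) - t0 <= window]
            hosts = sorted({x["host"] for x in later})
            if len(hosts) >= min_hosts:
                findings.append({"user": user, "entry": entry["host"],
                                 "src_ip": entry["src_ip"], "lateral_to": hosts})
    return findings


if __name__ == "__main__":
    print("IOC hits:", ioc_hits(EVENTS))   # empty: the address was never seen before
    print("IOA hits:", ioa_hits(EVENTS))   # one finding for jsmith: FS01 -> DC01, HR-SQL
```

The blocklist misses the intrusion entirely because the source address is new, while the behavioural rule catches it from the sequence alone; the asharma activity, which uses the same logon types from a known address, is not flagged.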
What differentiates vendors and technologies in this space are three focus areas, said Etheridge. First is the data – volume, fidelity, richness, timeliness, and scale of this data in the system that will be using it to learn and make decisions. CrowdStrike collects petabytes of data, trillions of events per week in its cloud-native solution at scale, which is used to both mature the AI/ML algorithms in making decisions on potential threat activity and, as it grows the platform, become more intelligent and faster in the actions and alerts it makes.
The second variable is the quality and impact of the data science team. Someone has to make sense of this data: do the research, prototyping, testing and commercialization of the capability to consume this data at scale and determine what is good and what is bad.
Lastly, the enrichment process is critical in ensuring that the appropriate context and logic are applied to the vast amounts of telemetry these solutions need in order to work at scale. Having best-of-breed intelligence integrated from intelligence feeds, incident response engagements, managed services offerings and other sources allows for even higher levels of fidelity and decision making from these tools. This is what separates EDR providers in this space and what differentiates CrowdStrike in this market.