CrowdStrike on how proactive threat hunting can enable resilient cyber defences

Rawad Sarieddine, CrowdStrike

Rawad Sarieddine, senior director at cybersecurity and threat response services firm CrowdStrike, delves into the growing threat landscape and shares insights into how organisations can turn the tables on attackers by proactively hunting for threats in their own environments.

Every year organisations from across the world are increasing their security budgets to invest hundreds of billions of dollars into the latest cybersecurity products, services, and training. Yet, cyber-attacks and data breaches persist and remain a regular occurrence.

A recent study by Cybersecurity Ventures revealed that cybersecurity spending is expected to exceed $1 trillion by 2021. However, it also noted that annual global losses from cyber-attacks are expected to hit $6 trillion by the same year.

These concerning figures show how current cybersecurity models are becoming inept and outdated. Many security strategies are still only focused on building up perimeter defences and deploying solutions that are aimed at stopping malware. All the while, adversaries are growing more sophisticated and disruptive, outpacing the advancements in defence technologies, processes and policies.

Among the latest threats permeating the cyber landscape today are malware-free attacks.

Malware-free attacks execute malicious scripts by piggybacking on legitimate software packages.

“Typically, malware-free compromises involved taking a legitimate process, that is part of the operating system, hijacking it in some way and causing it to perform nefarious tasks at the bidding of the threat actor,” says Rawad Sarieddine, senior director, CrowdStrike.

“One method might be to inject some malicious code, allowing the hacker to take control of the process, or to simply use a browser or application to connect to command and control servers outside the organisation,” he explains.

Following this, the attacker is free to take a variety of actions: downloading malicious content, creating backdoors to return later, or beginning to exfiltrate data at their leisure.

A good example of this attack is the notorious Equifax breach in late 2017, which saw huge numbers of records compromised. Cybercriminals accessed the details of about 150 million consumers, across the US, UK and Canada.

The breach entailed hackers exploiting a command injection vulnerability in Apache Struts, an open-source enterprise software framework, to remotely execute malicious code and take control of the application.

“Unfortunately, these kinds of attacks are becoming increasingly common and we can see more incidents like this happening in the future as fraudsters look for new ways to circumvent cyber defences,” says Sarieddine.

According to Sarieddine, while legacy technologies and solutions such as antivirus, application control, whitelisting, Indicators of Compromise (IOCs) and sandboxing are still critical components for staying secure, they are simply no longer enough.

“Given today’s threat landscape, enterprises need to re-think what measures they can put in place to protect themselves against these new breeds of attacks.”

Sarieddine encourages them to use next-gen cybersecurity solutions that focus on stopping the breach, not just viruses and malware like in legacy solutions. “These kinds of solutions will give them a comprehensive view of the entire spectrum of attack tactics, techniques and procedures (also known as ‘TTPs’).”

More than employing the latest tools and solutions in the market, Sarieddine also encourages organisations to shift their security approach from being reactive to a proactive one.

“Enterprises can no longer rely on passively deployed technology alone to combat modern threats,” he says.

“To prevent any kind of breach, proactively hunting for threats, investigating leads and examining behaviours that evade common security tools are vital in providing a last line of defence for organisations of all sizes.”

Currently, the most common threat detection processes and technologies are still passive in nature. While they leverage automated tools, behavioural analytics and machine learning, they are mostly based on static rule sets, which still open risks of threats slipping through the cracks.

“Threat hunting transforms an organisation into one that has an active detection mindset that embraces the human element in proactively looking for anomalies, suspicious behaviours and clues to uncover the stealthiest of attackers,” explains Sarieddine.

The proactive threat hunting process entails searching for and discovering cyber threats, regardless of whether they are still probing unexploited network vulnerabilities or have already bypassed defence solutions. It requires a practical understanding of cyber threats, strong critical thinking and problem-solving skills, together with technical expertise.

“A modern well-established threat hunting function instantly amplifies the security capabilities of organisations,” says Sarieddine. “This is because this process augments the detection and protection offered by existing security teams, providing valuable insights and context and reducing alert fatigue, allowing organisations to outmatch sophisticated human attackers and insider threats.”

Sarieddine points out that while proactive threat hunting tools leverage some level of automation in the detection and response processes, by integrating machine learning and cloud analysis, the human factor plays an essential role in augmenting these capabilities.

“This element, the human expertise, is crucial because much of the proactive hunting relies on human interaction and intervention,” he explains.

Another key element for the success of a threat hunting strategy is threat intelligence. It provides valuable context, by cross referencing organisational data with external regional and global threat trends.

“By assessing premium threat intel feeds, organisations can benefit from gleaning insights from a large pool of crowdsourced attack data,” says Sarieddine. “This will help them in deriving the right context for alerts, weeding out false signals and focusing on relevant leads. It will also enable them to deploy the appropriate indicators to security devices for preventing successful cyber intrusions.”

Despite its discernible benefits and companies increasingly acknowledging the need to adopt proactive cyber threat hunting practices, many are struggling to adapt.

There are two main reasons why organisations become unsuccessful in building their own threat hunting practice, according to Sarieddine.

“Firstly,” he says, “many organisations find that maintaining a high-quality, round-the-clock threat hunting operation, as well as finding the right talent, is prohibitively expensive.

“Second is the lack of visibility and access to comprehensive threat data, which makes hunting teams oblivious to global trends and keeps them in the dark,” he explains.

Employing managed threat hunting services can pave the way to filling these critical gaps that enterprise security teams face. “We invite CISOs to partner with strong threat hunting providers that are equipped with top talent and global visibility of the threat landscape, in their journey to build these capabilities in-house,” he says.

“They need to look for a threat hunting partner that has ample and adept human capital, the ability to gather and store a wealth of threat data, and access to comprehensive threat intelligence.”

CrowdStrike has been at the forefront of this market need for many years. It has a dedicated and holistic cybersecurity solution that offers prevention and endpoint detection and response (EDR) called Falcon Complete.

“This comprehensive offering is complemented with a managed threat hunting service manned by world-class threat hunters,” says Sarieddine.

“CrowdStrike Falcon OverWatch brings together all three prongs in a 24/7 security solution that proactively hunts, investigates and advises on threat activity in an organisation’s environment.”

He adds that Falcon OverWatch constantly looks into millions of indicators with weak signals and silent detections that are all but guaranteed to fly under the radar of traditional endpoint protection and EDR solutions.

In the Middle East, enterprises are increasingly employing the expertise of managed cybersecurity services, with 57 percent of the region’s organisations using MSS providers, according to a recent study by SANS Institute. Furthermore, rapidly emerging nations like the UAE are showing strong demand for proactive threat hunting as regional firms constantly update their cybersecurity measures.

“We foresee high demand for pure threat hunting technologies, services and talent in the coming years,” says Sarieddine. “CrowdStrike is uniquely positioned to meet these future demands from regional firms. As we continue to invest in the latest innovations and develop industry best practices in threat hunting and in cybersecurity as a whole, we believe we will play a pivotal role in enabling Middle East firms to build strong and resilient cyber defences.”
