Research in CrowdStrike’s 2021 Global Threat Report highlights that eCrime attacks made up 79% of all intrusions (via hands-on-keyboard activity) in 2020 — uncovered by analysis from dedicated threat hunters. Additionally, this research and official sources made clear that nation-state cyber adversaries infiltrated networks to steal valuable data seeking Covid-19 vaccine research, along with other intellectual property, throughout the year. In fact, 2020 was notable because analysis showed that threat actors improved their strategies to evade detection and camouflage within victims’ networks for long periods of time.
As well as adversaries showing many signs of becoming more sophisticated, they are rising in numbers. The number of tracked activity clusters under active monitoring increased to 24, and 19 newly named adversary groups brought the total of globally tracked actors to 149. 2020 was definitely a more dangerous cyber world than 2019, and suggests that cyber adversaries started 2021 in a strong position.
Creating and rolling out an effective cyber security strategy
The threat landscape facing legitimate organisations
The pace of targeted intrusions did not slow in 2020. Chinese adversaries targeted telecommunications, with WICKED PANDA having another prolific year, despite indictments against individuals associated with their operations. Adversaries from the Democratic People’s Republic of Korea (DPRK) sustained currency-generation efforts. The blending of eCrime and targeted intrusion tactics previously associated with these North Korean actors and some Russian adversaries was also observed from Iran-nexus PIONEER KITTEN.
The biggest challenge (by volume of activity) isn’t from state actors, however — it’s from eCrime groups spreading ransomware in what has grown into a huge and lucrative part of their illegal modus operandi. It is these groups who have really innovated and introduced increasingly damaging tactics, techniques and procedures.
TWISTED SPIDER’s adoption of data extortion tactics was demonstrated in early 2020, and proved a pioneer for eCrime actors to pursue to capitalise on ransomware infections. In retrospect, it’s clear that this was a preview of what would become an explosion of not only similar activity, but also rising standards for ransom demands throughout the year. The allure of big game hunting (BGH — ransomware campaigns aimed at high-value targets) dominated the ecosystem of eCrime enablers, spurring the market for network access brokers. BGH trends also disrupted traditional targeted eCrime behaviour, as seen by CARBON SPIDER’s shift from the targeting point-of-sale systems to join the BGH ranks. WIZARD SPIDER, a BGH actor and established eCrime ‘megacorp’, sustained their high-tempo operations to become the most reported eCrime adversary for the second year in a row.
This accelerated adoption of data extortion combined with the introduction of dedicated leak sites (DLS), associated with specific ransomware families. These approaches have been adopted by at least 23 ransomware operators in 2020. Now, organisations might be forced to pay to avoid their data being leaked, if they felt they could forgo the ransom and restore their business operations from existing clean backups. Or worse yet, organisations would have to pay both the ransom to restore their business operations as well as an additional payment to avoid their data being leaked. This way, the adversaries increase the odds that one of their tactics will force a payout.
UK businesses subjected to 2,000 new cyber attacks daily in Q1 2021
Threat intelligence helps right-size defence to fit the threat
Threat intelligence helps organisations prepare a defence against the most likely adversaries gunning for them, and enables threat hunters to spot the signs of breach and eject infiltrators from the network by their recognisable signs. It’s the only way to properly use security teams in the most effective way. When known threat groups with recognisable behaviours are doing the majority of targeted intrusions, it makes sense to know how to spot their signs.
Nearly four out of five interactive intrusions are being driven by eCrime actors. It’s imperative that these adversary groups secure the majority of attention when it comes to setting up strong defences. That’s not to say that targeted intrusions driven by state-sponsored groups should be ignored — but it is a lower relative risk. That said, the overall numbers of both targeted and eCrime intrusions were significantly larger last year than in 2019.
It’s vital to raise alert levels if you are within an industry with higher risk levels. CrowdStrike Intelligence identified the highest number of ransomware operations within the industrial and engineering sector (229 incidents), closely followed by manufacturing (228 incidents). Then, tech, retail, healthcare, financial services, professional services, government, logistics, and legal round out the top ten industries targeted by data extortion related to BGH operations.
How to make cyber security intelligence-driven for a more proactive cyber defence
To maintain up-to-date threat intelligence means the security team can better understand a threat actor’s motives, targets, and attack behaviours. The organisation can make faster, more informed, data-backed security decisions and change behaviours from reactive to proactive in the fight against threat actors.
In many cases, in addition to threat intelligence, we recommend employing an external fully managed cyber security services team that can not only perform threat intelligence but also incident response, threat hunting, endpoint recovery services and proactive monitoring to shore up any gaps in security where businesses are either extremely limited or want a further extension to their security team.
Cloud-based security solutions such as endpoint detection and response have changed the game in this regard. Threats can be tracked around the world, analysed, and that information given to customers in real-time. As attacks move, defenders can use the scale and speed of cloud security to know what the risks are and ensure they keep employees, data, and the corporate network safe — wherever any of those parts may be.
Written by Adam Meyers, senior vice-president of intelligence at CrowdStrike.