Who's behind the keyboard: The biggest threat actors challenging your current security strategy

Opinion by John Titmus

Maintaining a clear overview of current threats and trends can help avoid the hacks and breaches that cause organisational damage and business disruption

As an ever-increasing number of organisations - of any size and in any industry - can attest, cybersecurity incidents and breaches can leave significant organisational damage and business disruption in their wake.

The UK in particular is on the front line for cyberattacks. Speaking at the CYBERUK conference, GCHQ Director Jeremy Fleming made a case for a "national effort" to improve the UK’s cyber security, highlighting that the amount of intellectual property and personal data we hold makes us a key target for threat actors. And within our current tumultuous geopolitical climate, this will come as no surprise. The question is how to respond.

Adversaries are currently focused on infiltrating UK businesses, and organisations need to keep up with new methods of threat detection and prevention if they want to stay safe from evolving threats. Enterprises should start from the assumption that someone may already be inside their perimeter, and work back from that assumption to a plan of the steps needed to find and remove such intruders from their environment before they can lurk undetected and strike again.

We know that security should be top-of-mind in any business, especially given the fragility of the information-led world we live in today. If not adequately protected, businesses leave themselves open to a variety of risks: from eCrime and targeted spear-phishing campaigns to rising nation-state activity, whether that is targeting dissidents and regional adversaries or collecting intelligence on foreign powers for decision makers.

In today’s landscape, the propagation of advanced exploits and easily accessible tools has blurred the line between statecraft and criminal tradecraft. Adversaries are constantly adapting their tactics, techniques and procedures (TTPs), so our defences must adapt too; it is evident that traditional approaches to security are not up to scratch against the latest wave of sophisticated threats.

Maintaining a clear overview of current threats and trends

Over the past year we have observed the speed and sophistication of adversary tactics, techniques and procedures increase at a rapid pace. Our recent Global Threat Report noted the breakout speeds of Russian, Chinese, North Korean and Iranian adversaries, highlighting what many defenders already know: we are in a veritable "arms race" for cyber superiority, in which any of these players could become the next superpower. The fastest to break out of an initial intrusion and start spreading further into an enterprise were Russian adversaries, at 18 minutes 48 seconds on average.

We know the role defenders play in the cyber arms race. Look no further than the regular news cycle reporting on everyday brands and international powerhouses being targeted by adversaries, leaving hundreds of thousands of users with their data or finances stolen.

In the past, we have documented cases where bad actors target an organisation with strong defences, fail, and simply go back to the drawing board, adding new weapons to their arsenals as they look for novel, less defended points of entry. This only highlights the importance of reacting to threats in real time and staying ahead of the rapidly evolving threat landscape. Organisations need security tools that give teams visibility over the entire technology stack to counter all kinds of threat.

Engaging best practices for the entire organisation

It is essential for security teams to have an in-depth knowledge on the current threat climate, key trends, and the tactics, techniques and procedures deployed by adversaries on a daily basis.

Understanding the threat landscape, not only from a UK perspective, but also on a global scale, is a valuable perspective for all organisations considering how to defend themselves - and from whom.

Looked at more strategically, this knowledge helps security teams develop new hunting and detection methodologies, which in turn makes investigations of persistent cyber adversaries more efficient.

One of the key metrics we track at CrowdStrike for all intrusions is breakout time: the time it takes an intruder to begin moving laterally from the initial beachhead to other systems in the network. The average across all intrusions over the last year was four hours and 37 minutes. This quickly becomes a valuable metric for security teams when responding to an incident: it is the window they should strive to beat before an intruder can cause serious damage to their network.

During an incident, clients want investigations to move quickly and to offer insight into which mitigation strategies will be most effective. These needs can be neatly summarised by the 1-10-60 rule: organisations should strive to detect a malicious intrusion in under one minute, understand its context and scope within 10 minutes, and initiate remediation in less than an hour.
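To make the two metrics above concrete, here is an added example (not code from the article, CrowdStrike, or SC Media) that computes breakout time from a host event timeline and scores an incident against the 1-10-60 rule. The timeline format, hostnames, timestamps and keyword-based milestone lookup are all constructed for illustration; the clocks used (detection timed from first adversary activity, investigation and remediation timed from detection) are this example's own reading of the rule.

```python
"""Breakout time and 1-10-60 scoring over a constructed intrusion timeline.

Added example: the event format, hosts and timestamps below are invented
for illustration and are not CrowdStrike telemetry or a real incident.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    detail: str


# Constructed timeline: "ISO-8601 timestamp,hostname,what happened".
SAMPLE_TIMELINE = """\
# ts,host,detail
2019-05-20T09:00:00,WS-017,outlook.exe spawned powershell.exe with encoded command
2019-05-20T09:00:40,WS-017,EDR alert raised on the PowerShell child process
2019-05-20T09:05:10,WS-017,lsass.exe memory read by unsigned binary
2019-05-20T09:08:00,WS-017,analyst scoped intrusion to WS-017, user jsmith
2019-05-20T09:42:30,FS-02,SMB logon from WS-017 as jsmith, PsExec service installed
2019-05-20T10:05:00,WS-017,host network-contained, credentials reset
"""


def parse_timeline(text: str) -> List[Event]:
    """Parse the constructed CSV-like format into time-ordered events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, detail = line.split(",", 2)  # detail may itself contain commas
        events.append(Event(datetime.fromisoformat(ts), host.strip(), detail.strip()))
    return sorted(events, key=lambda e: e.ts)


def breakout_time(events: List[Event]) -> Optional[timedelta]:
    """Time from the first event on the beachhead host to the first event on
    any other host. Returns None when the intrusion never left the beachhead."""
    if not events:
        return None
    beachhead = events[0]
    for e in events[1:]:
        if e.host != beachhead.host:
            return e.ts - beachhead.ts
    return None


# 1-10-60 targets. Assumed clocks: detection is timed from first adversary
# activity; investigation and remediation are timed from detection.
TARGETS = {
    "detect": timedelta(minutes=1),
    "investigate": timedelta(minutes=10),
    "remediate": timedelta(minutes=60),
}


def score_1_10_60(first_activity: datetime, detected: datetime, scoped: datetime,
                  remediated: datetime) -> Dict[str, Tuple[timedelta, bool]]:
    """Elapsed time per phase and whether it met the 1/10/60-minute target."""
    elapsed = {
        "detect": detected - first_activity,
        "investigate": scoped - detected,
        "remediate": remediated - detected,
    }
    return {phase: (elapsed[phase], elapsed[phase] <= TARGETS[phase]) for phase in TARGETS}


def beat_breakout(first_activity: datetime, remediated: datetime,
                  breakout: Optional[timedelta]) -> bool:
    """True if containment began before the adversary reached a second host."""
    if breakout is None:
        return True
    return remediated - first_activity < breakout


def run_sample() -> Dict[str, object]:
    """Score the constructed timeline; returns plain values for easy checking."""
    events = parse_timeline(SAMPLE_TIMELINE)
    first = events[0].ts
    # Milestones are picked out by keyword here; a real case system would
    # carry detection/scoping/containment times as explicit fields.
    detected = next(e.ts for e in events if "alert" in e.detail)
    scoped = next(e.ts for e in events if "scoped" in e.detail)
    remediated = next(e.ts for e in events if "contained" in e.detail)
    bo = breakout_time(events)
    score = score_1_10_60(first, detected, scoped, remediated)
    return {
        "breakout_seconds": None if bo is None else bo.total_seconds(),
        "phases": {k: (int(v[0].total_seconds()), v[1]) for k, v in score.items()},
        "remediated_before_breakout": beat_breakout(first, remediated, bo),
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, value)
```

In the constructed timeline the detect and investigate targets are met, but containment starts 64 minutes after detection, missing the 60-minute target, and the adversary reached a second host at 42 minutes 30 seconds, so remediation also lost the race against breakout. That second comparison is the one that matters operationally: 1-10-60 is only a useful target because it is comfortably faster than the breakout times the article reports.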

Remediating incidents before attackers can move laterally is essential for effective response, and both the C-suite and technical teams should understand their roles in supporting incident response within these timescales. Organisations need to be ready, because the reality of today’s threat landscape is that a cyberattack is not a question of if, but when, an attacker will bypass current security measures.

Looking forward - what can we expect?

Traditionally, larger organisations have had greater resources, in budget and manpower, for security teams and cyber defence solutions; this does not mean they are immune to breaches. Next-generation solutions including behavioural analytics and machine learning can detect both known and unknown threats by their suspicious behaviour, offering security teams a vital lifeline to gain full visibility of their environment. They can then detect and eject an adversary before breakout occurs.

To cope with the volume and variety of threats organisations face, they must understand their entire technology stack and have visibility into what they actually have in their environment. Being able to automate detection and response for all kinds of threats is key: adversaries adapt their strategy in real time, and so must organisations.

Through innovation and momentum within the cyber security sector, more products are readily available to help organisations protect themselves from these pressing threats. All that is left is for businesses to adopt, integrate and operationalise them into their infrastructure before it is too late. By adopting metrics like the 1-10-60 rule, organisations can measure their effectiveness against the worst adversaries out there.

Written by John Titmus, Director EMEA, CrowdStrike.

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.
