Threat Management

Nation state cyber-attacks on the rise – detect lateral movement quickly

The volume and intensity of cyber-attacks hit a new high in 2017 alongside the increasing level of sophistication of hacks from cyber-criminals and nation state actors, according to a new report.

In its 2018 Global Threat Report, Blurring the Lines Between Statecraft and Tradecraft, CrowdStrike said that there was a “fundamental levelling of the playing field between highly skilled — and typically well-funded — nation-state adversaries and their less sophisticated criminal and hacktivist counterparts”. One of the biggest contributors to this levelling was the “trickle-down effect” present in the cyber-threat arena.

“The idea of trickle-down is not new. In fact, it's precisely how state-sponsored R&D programmes are supposed to work: Governments fund development of sophisticated technologies and those eventually get transferred out to the private sector as products and services,” said George Kurtz, co-founder of CrowdStrike, in a blog post.

He said this was certainly the case with WannaCry and EternalBlue.

“The result of trickle-down in the field of cyber-security has been a proliferation of highly sophisticated weaponry for cyber-warfare being pushed down into the mass market and commoditised,” said Kurtz. “The consequences to legitimate organisations have been alarmingly clear. What makes these attacks so effective is that they are essentially immune to the traditional endpoint defence technologies that most organisations have relied on for the past 20 or more years.”

The report found that 39 percent of all attacks last year were malware-free intrusions that traditional antivirus did not detect, with the manufacturing, professional services and pharmaceutical industries facing the most malware-free attacks.

The report also said that it takes an intruder an average of one hour and 58 minutes to begin moving laterally to other systems in the network. Extortion and weaponisation of data have become mainstream among cyber-criminals, heavily impacting government and healthcare, among other sectors.

The report noted that nation state-linked attacks and targeted ransomware are on the rise and could be used for geopolitical and even militaristic exploitation purposes.

Adam Meyers, VP of Intelligence at CrowdStrike, told SC Media UK in an interview that this interval before an intruder begins moving laterally is called “breakout time”.

“Large government and private enterprises should be able to do three things to effectively thwart an adversary on their IT networks: detect if there's an attack in progress in about a minute; investigate that threat in about 10 minutes; and clean up that invasion within an hour. Proper defence against sophisticated adversaries calls for a multi-layered approach of people, processes and technology. Your business needs to have the proper next-generation tools to thwart bad actors and unknown threats, while the human element is also needed to monitor threat activity within your IT network,” he said.

He warned that there is no single magic bullet that will effectively rid your IT system of cyber-threats, nation-state or otherwise.

“Better cyber-protection calls for an approach that uses the most advanced security tools and proactive tactics to increase security posture. Some of these include implementing next-generation antivirus, patching regularly, applying behavioural-based detection and augmenting analytics with artificial intelligence (AI)/machine learning. We see the cloud as a game-changer that enables us to create more adaptive, scalable and automated defences against today's threats,” he said.
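The breakout-time figure from the report and Meyers' 1-10-60 targets can be turned into a concrete check over endpoint telemetry. The Python below is an added example, not code from the article or from CrowdStrike; the event records, host names and the choice to measure every stage from the moment of initial compromise are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry for one intrusion (illustrative, not from the report):
# (timestamp, host, event). Remote logons and remote service creation originating
# from an already-compromised host are treated here as lateral-movement indicators.
SAMPLE_EVENTS = [
    ("2018-03-01T09:00:00", "ws-042", "initial_compromise"),
    ("2018-03-01T09:47:12", "ws-042", "credential_dump"),
    ("2018-03-01T10:58:30", "srv-file-01", "remote_logon from=ws-042"),
    ("2018-03-01T11:05:00", "srv-file-01", "remote_service_create from=ws-042"),
]
LATERAL_EVENTS = {"remote_logon", "remote_service_create"}

# 1-10-60 benchmark from the interview. Assumption: each stage is measured from
# initial compromise, since the article does not state a reference point.
BENCHMARK = {
    "detect": timedelta(minutes=1),
    "investigate": timedelta(minutes=10),
    "remediate": timedelta(minutes=60),
}

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def compromise_time(events):
    return min(parse(t) for t, _, e in events if e == "initial_compromise")

def breakout_time(events):
    """Interval from initial compromise to the first lateral-movement event
    (CrowdStrike's 'breakout time'); None if no lateral movement was observed."""
    lateral = [parse(t) for t, _, e in events if e.split()[0] in LATERAL_EVENTS]
    if not lateral:
        return None
    return min(lateral) - compromise_time(events)

def score_response(events, detected, investigated, remediated):
    """Compare a response timeline against 1-10-60 and against the observed breakout
    time. Returns {stage: (elapsed, within_benchmark)} plus 'before_breakout',
    which is True when remediation landed before the first lateral move."""
    start = compromise_time(events)
    elapsed = {"detect": parse(detected) - start,
               "investigate": parse(investigated) - start,
               "remediate": parse(remediated) - start}
    result = {stage: (elapsed[stage], elapsed[stage] <= limit)
              for stage, limit in BENCHMARK.items()}
    breakout = breakout_time(events)
    result["before_breakout"] = breakout is None or elapsed["remediate"] < breakout
    return result
```

Run against real telemetry, the two numbers a SOC would track over time are the median breakout time observed and the share of incidents remediated before it.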

Ross Rustici, senior director of intelligence services at Cybereason, told SC Media UK that as hackers converge on a universal skill set and capabilities that look very similar to nation-state activity from four to five years ago, our entire approach to security needs to change.

“There is no silver bullet technology or mitigation package that will make a network completely safe. Rather, the defenders need to adopt a spoiler mindset. A two-hour dwell time on an endpoint results in significant opportunity to detect some malicious activity on that one system.

“Furthermore, there are dozens of things that can be done to shape how and when a hacker conducts their lateral movement. Companies literally own the battlefield when it comes to cyber-security. They need to spend more time architecting their networks to create paths of least resistance that hackers are likely to default to that lead to non-critical networks and places of high visibility for defenders to allow for the identification and eradication of the intrusion. Viewing mitigation through the lens of stopping malware and scripts only reinforces a defensive strategy that results in alert fatigue and critical failures,” he said.

Corey Nachreiner, CTO at WatchGuard Technologies, told SC Media UK that in order to defend against lateral movement in an internal network, a flat network should not be used.

“They should use their network security solution to segment their internal trusted network into trust groups. For example, engineering separate from marketing, separate from the IT servers, separate from IoT, separate for POS systems, etc,” he said.

“That way, the network security control can inspect all inter-trust zone traffic using things like IPS and advanced malware protection. Even though you do allow traffic through these different zones, IPS and antimalware services might detect some of the lateral movement. Second, you need to use endpoint detection and response tools to detect when malicious processes and events happen on other machines in your network.”
