Cyber crime has become an inevitable part of online life. From ransomware to quishing, there is a multitude of risks that come from being online. While companies are countering these malicious activities, they need to constantly evolve and improve their security to circumvent the latest cyber attacks.
Zeki Turedi, field CTO EMEA at CrowdStrike, has witnessed first-hand the rise of organised crime groups (OCGs) online. Turedi began his cyber security career working in IT for law enforcement, before joining a company that manufactured digital forensic software.
Around the time that cyber crime first began to emerge as a factor, law enforcement was still using traditional digital forensics techniques to perform incident response. However, with a widespread increase in cyber attacks in a relatively short space of time, the old techniques and technologies were no longer appropriate. As such, new digital forensic techniques were developed for incident response.
“Digital forensics has always been about finding artefacts; the fingerprints and breadcrumbs of the attacker doing something they shouldn’t be doing,” explains Turedi. “It’s still about finding those breadcrumbs to understand what the malicious actors are trying to do. This time, it’s less about the investigation of what happened after the breach and more focused around making sure we can kick out the adversary as quickly as possible before the breach.”
The nature of cyber crime has evolved since the commodification of the internet in the 1990s. Originally, in the first incarnation of the internet, it was typically lone hackers in their bedrooms seeing what they could get away with; now, it has become a vector for organised crime groups (OCGs) to exploit.
Zeki Turedi, CrowdStrike
“We have seen cyber crime groups exponentially grow, especially after Covid,” says Turedi. “Nation states are still there, but we see the same amount of nation states that we have always done. That just shows a lot of criminal organisations across the globe have realised that it’s a good way of making extra revenue and have invested in this space.”
Just as the ancient Chinese military general and philosopher Lau Tzu recommended you “know your enemy”, a key element of cyber security is threat intelligence – information concerning current cyber attacks that can be analysed to mitigate cyber security risks.
Digital forensics have become an important part of threat intelligence, as recognising known code and techniques enables security experts to identify suspected perpetrators behind a cyber attack. “Threat intelligence is taking all that knowledge and experience of protecting customers,” explains Turedi. “It’s data based on information from what we’ve been seeing, by having a global presence protecting customers across the globe and responding to incidents.”
In recent years, it has become apparent that anyone can become a target for a cyber attack. Previously, larger businesses would be targeted because of their turnover, but with the widespread availability of hacking tools and malicious services, such as ransomware-as-a-service (RaaS), and the relatively low cost of these, any organisation or individual can now be targeted and held to ransom.
Just as legitimate organisations use their profits to invest in themselves and improve their security posture, so too do OCGs, purchasing new technologies and learning cutting-edge techniques.
OCGs are now using machine learning to partially automate their attacks. Brute force attacks already do this to a lesser extent, by bombarding login portals with common passwords, but now OCGs are using automation to scan networks for known vulnerabilities that can be exploited.
OCGs are like modern-day hydras – when one head is removed, more appear to take its place. OCGs are frequently distributed entities that may coordinate their actions with other OCGs and share the access permissions they have gained.
The international nature of cyber crime is a further challenge that makes it difficult to track down OCGs. Although there has been some success in arresting high-profile criminals, it is unlikely they will ever all be caught.
“A lot of these criminal groups aren’t single groups, they are multiple groups working together,” explains Turedi. “You have one group that develops ransomware-as-a-service, you then have another group that creates another toolset, and a different group altogether that actually puts all the pieces together and targets a certain organisation. We even see separation between groups that will initially target a company and gain access, then sell that access off to another criminal group, who will then do the ransomware and exfiltration.”
Following Covid, there has been an increase in cyber crime. With more people connecting to corporate networks due to remote working, OCGs seized the opportunity to exploit this trend.
“There were quite a lot of opportunities when companies were struggling to sort themselves out after lockdown,” recalls Turedi. “We saw a lot of new criminal groups appear during that time and use that opportunity. We saw them take that reward and reinvest in themselves.”
There has also been a shift in attack methodologies. Just as organisations are now using multi-factor authentication (MFA) to counter the weaknesses in passwords, OCGs are attempting to bypass MFAs. Malicious actors are posing as legitimate employees and contacting helpdesks to divert secondary access permissions and thereby gain access to sensitive networks.
It has been estimated by Turedi and CloudStrike that on average it can take a malicious actor 37 minutes to move through a system. This has become a critical time for incident response because once the malicious actor is able to jump to another part of the network, the entire network has been compromised.
“The second an adversary is moving laterally through an organisation, they start rapidly crossing the network and it becomes a ‘whack-a-mole’ situation,” says Turedi. “It’s easy to defend an organisation from the world’s best threat actor when they’re on a single device – you can simply shut it down and walk away. You could have the best nation-state [hackers] in the world and be a single responder, but if you can get there quick enough, you can stop them. The second they start moving laterally, that means they’ve got credentials and they’ve got access to the network.”
“The second an adversary is moving laterally through an organisation, they start rapidly crossing the network and it becomes a ‘whack-a-mole’ situation”
Zeki Turedi, CrowdStrike
As such, having a swift incident response time is critical for organisations to prevent a security incident from occurring. Responding while the malicious actor is still contained within the first system means the system can be shut down, blocking the malicious actor from spreading further throughout the corporate network and ensuring it has not been compromised.
Unfortunately, having a dedicated security team with a comprehensive skillset and toolset can be expensive. Investing in security can also divert resources from an organisation’s core service, potentially losing some of its competitive advantages.
One way to circumvent this is by partnering with a security organisation, thus enabling organisations to maintain a robust security posture while still investing in their products or services. Through a security audit, a security partner can identify the core business needs and what is of most value, and how they can be best protected to ensure continued operations.
While the current economic climate may predicate minimising expenditure, partnering with a security company is something that needs to be conducted at the beginning, rather than towards the end of development. With a security partner involved from the outset, they can ensure system architecture is inherently protected and a secure-by-design methodology is followed.
If a security partner is only brought in towards the end of a project, there is only so much security that can be integrated without incurring costly revisions and further extending development time. There may also be core issues within the foundational architecture that mean it is inherently vulnerable to attack.
“Where we have problems is when security is an afterthought. That’s where we end up ‘Sellotape and gluing’. They have gaps that the adversary makes use of,” says Turedi. “When we take security to the beginning, and have that ‘security-first’ mindset, those gaps don’t appear.”
Despite the rising number of OCGs and the prevalent threat of ransomware and phishing scams, Turedi remains confident. Just as OCGs have invested in their cyber attacks, so too have security organisations evolved their protection systems.
Every cyber attack leaves vital information. Digital forensics can gain data for informing their threat analysis. The subsequent insight gleaned from the threat analysis will enable a more robust security posture against future cyber attacks. Being able to rapidly respond to a security incident ensures that it can be contained and not become a security breach.
“We’re up against time when it comes to the more sophisticated threat actors. That time window is really important,” says Turedi. “If we know how quick the adversary is, we now know how quick we need to be. It’s not just about how quick the technology will be, but how quick the internal processes are.”