A CrowdStrike survey reveals a continued proliferation of ransomware, heightened concern around nation-state actors, and a need to accelerate both digital and security transformation.
Proliferation of ransomware leads to more frequent payouts, costing millions
Survey data indicates ransomware attacks have proven to be especially effective, as 56% of organizations surveyed have suffered a ransomware attack in the last year. The COVID-19 pandemic catalyzed increasing concerns around ransomware attacks, with many organizations resorting to paying the ransom.
Globally, the question has shifted from whether an organization will experience a ransomware attack to when it will end up paying a ransom. Notable findings include:
- Concern around ransomware attacks has risen sharply, with 54% of respondents expressing concern this year compared with 42% in 2019 and 46% in 2018.
- 71% of cybersecurity experts globally are more worried about ransomware attacks due to COVID-19.
- Among those hit by ransomware, 27% chose to pay the ransom, at an average cost of $1.1 million USD per organization.
- The APAC region pays the most, with the highest average payout at $1.18 million USD, followed by EMEA at $1.06 million and the U.S. at $0.99 million.
Fear of nation-state cyberattacks can stifle business growth in post COVID-19 world
Nation-state activity continues to weigh heavily on IT decision makers, as 87% of respondents agree that nation-state sponsored cyberattacks are far more common than people think.
As growing international tensions and the global election year have created a breeding ground for increased nation-state activity, organizations are under pressure to resume operations even as their intellectual property has grown more valuable and COVID-19 has opened new vulnerabilities. Key highlights include:
- Even with the massive rise in eCrime over the course of 2020, 73% believe nation-state sponsored cyberattacks will pose the single biggest threat to organizations like theirs in 2021. Concern around nation-states has risen steadily: 63% of cybersecurity experts view nation-states as one of the threat actors most likely to cause concern, up from 54% in 2018 and 59% in 2019.
- 89% are fearful that growing international tensions (e.g. U.S.-China trade war) are likely to result in a considerable increase in cyber threats for organizations.
- Around two in five IT security professionals believe a nation-state cyberattack on their organization would be motivated by intelligence gathering (44%) or by exploiting vulnerabilities created by COVID-19 (47%).
Digital and security transformation accelerated as business priority
In the wake of these threats, cybersecurity experts have accelerated their digital and security transformation efforts to address the growing activity from eCrime and nation-state actors.
While spend on digital transformation continues to trend upward, the COVID-19 pandemic accelerated the timeline for many organizations, requiring additional investment to rapidly modernize security tools for the remote workforce. Security transformation rollout findings include:
- 61% of respondents’ organizations have spent more than $1 million on digital transformation over the past three years.
- 90% of respondents’ organizations have spent a minimum of $100,000 to adapt to the COVID-19 pandemic.
- 66% of respondents have modernized their security tools and/or increased the rollout of cloud technologies as employees have moved to work remotely.
- 78% of respondents have a more positive outlook on their organization’s overarching security strategy and architecture over the next 12 months.
“This year has been especially challenging for organizations of all sizes around the world, with both the proliferation of ransomware and growing tensions from nation-state actors posing a massive threat to regions worldwide,” said Michael Sentonas, CTO, CrowdStrike.
“Now more than ever, organizations are finding ways to rapidly undergo digital transformation to bring their security to the cloud in order to keep pace with modern-day threats and secure their ‘work from anywhere’ operations.
“Cybersecurity teams around the globe are making strides in improving their security posture by moving their security infrastructure to the cloud and remaining diligent in their incident detection, response and remediation practices.”
Malwarebytes Remediation for CrowdStrike, a custom offering, integrates with CrowdStrike’s Falcon endpoint protection platform to provide automated malware remediation.
When used together, Malwarebytes Remediation for CrowdStrike and the CrowdStrike Falcon platform provide a comprehensive solution for preventing a compromised device from becoming a full-scale breach.
“Being able to scan and remediate without impacting business operations is something that has been a serious challenge for organizations and is essential for business continuity,” said Marcin Kleczynski, CEO of Malwarebytes.
“This integration with CrowdStrike enables us to fortify cybersecurity for their largest enterprise customers by providing our renowned remediation capabilities alongside CrowdStrike’s Falcon platform. This integration minimizes business downtime during an attack by automating remediation and neutralizing attacks promptly.”
Malwarebytes Remediation for CrowdStrike detects and remediates malware, exploits, ransomware, adware, potentially unwanted programs (PUPs), potentially unwanted modifications (PUMs) and other cyberthreats, while integrating into existing security operations center (SOC) workflows.
Malwarebytes delivers the built-in intelligence and automation that SOCs need to efficiently handle an ever-growing workload of alerts, malware and other attack vectors without advanced manual analysis, dramatically reducing workloads.
Malwarebytes Linking Engine finds and removes linked artifacts while Malwarebytes Remediation Engine provides automated, advanced remediation that thoroughly removes detected infections and unwanted programs.
Together, these two engines let SOC teams quickly remediate Windows workstations and servers using a dissolvable agent, removing infections without creating a drag on systems so that end-user productivity and business continuity are preserved.
Malwarebytes Remediation for CrowdStrike will be offered directly from Malwarebytes sales professionals or authorized channel partners.
CrowdStrike announced the new CrowdStrike Falcon X Recon module that will provide customers an increased level of situational awareness through the deep, broad collection of data from digital sources. Falcon X Recon will help uncover potential malicious activity so security teams can better protect their brand, employees and sensitive data.
CrowdStrike Falcon X Recon is designed to go beyond the dark web to include forums with restricted access on the deep web, breach data, source code repositories, paste sites, mobile greyware stores, unsecured cloud storage, public social media posts and messaging apps.
In today’s evolving threat landscape, malicious actors may use one or more of these resources to more effectively target their victims and monetize their efforts. These sites are virtual watering holes, where adversaries congregate and underground digital economies thrive.
Falcon X Recon is being introduced to proactively collect data on, and inform CrowdStrike customers about, fraudulent activity, stolen data, threats to enterprises, and identified exploits and tools in adversaries’ arsenals.
Falcon X Recon will automate the collection of data from thousands of forums, marketplaces, messaging platforms and more, bringing scalability to network defenders so they can stay ahead of threats. By delivering situational awareness with relevant, real-time warnings, organizations can instantly identify data exposure and threats to the enterprise.
“Falcon X Recon is an important addition to our CrowdStrike Intelligence product suite. It will advance organizations along the threat intelligence maturity curve to go beyond threat feeds generated from past attacks,” said Adam Meyers, senior vice president of Intelligence, CrowdStrike.
“With the addition of Falcon X Recon, CrowdStrike will broaden its delivery of automated industry-leading threat intelligence, allowing companies to more easily find that needle in the haystack.”
Falcon X Recon provides the following features:
- Data collection: At the heart of Falcon X Recon is a deep and broad collection of data from the cyber underground. Users will be able to quickly search and automatically monitor in real-time thousands of clandestine forums, markets, paste sites, messaging and chat rooms.
- Situational awareness (SA) dashboards: This unified control center is designed to provide visibility into alerts that are the most relevant to the organization. The dashboards contain high-priority alerts and trends, and enable users to drill down into additional details. Custom dashboards can also be created by users to track and monitor the threats that are the most relevant to their remediation and response activities.
- Universal search: This feature will enable users to perform on-demand searches across all licensed modules of the Falcon platform, returning results in easy-to-read cards where users can view the original threat actor posts with additional context about the actor and the site. In addition, results will be automatically translated from many other languages using augmented translation with hacker slang dictionaries.
- Selectors: These define information of importance to an organization, such as its executives and assets. Users are alerted immediately when a selector matches information found on the hidden web.
Falcon X Recon will join CrowdStrike’s award-winning family of threat intelligence solutions. Built on the CrowdStrike Falcon platform, CrowdStrike Falcon X brings endpoint protection to the next level by combining malware sandboxing, malware search and threat intelligence into an integrated solution.
Falcon X Premium adds threat intelligence reporting and research from CrowdStrike experts — enabling organizations to get ahead of nation-state, eCrime and hacktivist attacks.
CrowdStrike has agreed to acquire Preempt Security. Under the terms of the agreement, CrowdStrike will pay approximately $96 million, subject to adjustments. The acquisition is expected to close during CrowdStrike’s fiscal third quarter, subject to customary closing conditions.
Customers are actively looking for effective technologies that enhance their abilities to detect advanced adversaries that leverage identity-based attacks to move laterally across the network, including insider threats.
Together, CrowdStrike and Preempt will provide a modern zero trust security architecture and threat protection to keep organizations’ users, endpoints, and data safe from modern attacks, without compromising productivity or the user experience.
Combining workload security with identity protection is foundational for establishing true zero trust environments. With this acquisition, CrowdStrike plans to offer customers enhanced zero trust security capabilities and strengthen the CrowdStrike Falcon platform with conditional access technology.
The addition of Preempt’s technology to the CrowdStrike Falcon platform will help customers achieve end-to-end visibility and enforcement on identity data.
As organizations continue to operate in hybrid work environments and focus on digital transformation, the need to establish a modern zero trust security environment at scale has never been greater.
According to Forrester, “With the loss of a physical perimeter in protecting applications and data from external and internal threats, the ‘people’ domain of Zero Trust eXtended (ZTX) is one of the most dynamically changing and growing areas.”
“Hybrid work environments will become the norm for many organizations which means that zero trust security with an identity-centric approach and detecting threats in real-time are critical for business continuity.
“With the addition of Preempt Security’s capabilities, the CrowdStrike Falcon platform will provide enhanced protection against identity-based attacks and insider threats,” said George Kurtz, co-founder and chief executive officer of CrowdStrike.
“Combining Preempt’s technology with the CrowdStrike Falcon platform will help customers achieve end-to-end visibility and enforcement through identity, behavior and risk-based decisions to stop attacks in real time.”
“We are thrilled about joining CrowdStrike, the industry leader in stopping breaches that shaped modern endpoint security and pioneered the Security Cloud,” said Ajit Sancheti, Preempt’s co-founder and chief executive officer.
“Combining Preempt’s identity security expertise with CrowdStrike’s incredible scale and threat telemetry, we will be able to offer customers complete protection for hybrid workloads and remote workforces wherever they are.”
Founded in 2014 by Ajit Sancheti and Roman Blachman to deliver a modern approach to authentication and securing identity, Preempt delivers the market’s first Zero Trust and Conditional Access solution for continuously detecting and preempting threats based on identity, behavior and risk.
Preempt’s patented technology empowers enterprises to optimize identity hygiene and stop attackers and insider threats in real-time before they can impact business.
Under the terms of the agreement, CrowdStrike expects to pay approximately $86 million in cash (excluding expenses and other adjustments) and $10 million in stock and options subject to vesting conditions.
The proposed acquisition is expected to close in CrowdStrike’s fiscal third quarter 2021, subject to customary closing conditions. CrowdStrike is not updating its guidance for the third quarter and fiscal year 2021 that was provided on September 2, 2020 as a result of this transaction.
CrowdStrike’s OverWatch team has released its annual threat hunting report, which reviews intrusion trends during the first half of 2020 and provides insights into the current landscape of adversary tactics, heavily shaped this year by the remote-workforce environment created by COVID-19.
The report also includes recommendations for defending against the prevalent tactics, techniques and procedures (TTPs) used by threat actors.
“Just like everything this year, the threat landscape has proven unpredictable and precarious as eCrime and state-sponsored actors have opportunistically taken aim at industries unable to escape the chaos of COVID-19, demonstrating clearly how cyber threat activity is intrinsically linked to global economic and geo-political forces,” said Jennifer Ayers, VP of OverWatch and Security Response at CrowdStrike.
“OverWatch threat hunting data demonstrates how adversaries are keenly attuned to their victim’s environment and ready to pivot to meet changing objectives or emerging opportunities. For this reason, organizations must implement a layered defense system that incorporates basic security hygiene, endpoint detection and response (EDR), expert threat hunting, strong passwords and employee education to properly defend their environments.”
First half of 2020 hands-on-keyboard intrusion activity surpasses all of 2019
An explosion in hands-on-keyboard intrusions was observed in the first half of 2020 that has already surpassed the total seen throughout all of 2019.
This significant increase is driven primarily by the continued acceleration of eCrime activity but has also been impacted by the effects of the pandemic, which presented an expanded attack surface as organizations rapidly adopted remote workforces and created opportunities for adversaries to exploit public fear through COVID-19 themed social engineering strategies.
eCrime continues to increase in volume and reach
Sophisticated eCrime activity continues to outpace state-sponsored activity, an upward trend witnessed over the past three years, accounting for over 80% of interactive intrusions.
This does not indicate a reduction in nation-state activity, but rather reflects the extraordinary success threat actors have seen with targeted intrusions using ransomware and Ransomware-as-a-Service (RaaS) models, which have contributed to a proliferation of activity from a wider array of eCrime actors.
Targeting of the manufacturing sector increases dramatically
There was a sharp escalation of activity in the manufacturing sector in the first half of 2020 in terms of both the quantity and sophistication of intrusions from both eCriminals and nation states, making it the second most targeted vertical observed by OverWatch.
Healthcare and food and beverage also saw increased targeting, suggesting that adversaries have adjusted their targets to the shifting economic conditions resulting from the pandemic, focusing on industries made vulnerable by complex operating environments that experienced sudden changes in demand.
China continues its aim at telecommunications companies
The telecommunications industry continues to be a popular target for nation-state actors, specifically China. Six different China-based actors, whose motivations are likely associated with espionage and data theft, conducted campaigns against telecommunications companies in the first half of the year.
CrowdStrike announced the expansion of support for Amazon Web Services (AWS) with new capabilities that deliver integrations for the compute services and cloud services categories. Through these expanded services, CrowdStrike is enhancing development, security and operations (DevSecOps) to enable faster and more secure innovation that is easier to deploy.
The expanded capabilities that CrowdStrike is delivering support the growing needs of today’s cloud-first businesses that are conducting business and innovating in the cloud. The CrowdStrike Falcon platform delivers advanced threat protection and comprehensive visibility that scale to secure cloud workloads and container deployments across organizations.
This enables enterprises to accelerate their digital transformation while protecting their businesses against sophisticated threat actors. The expanded support gives customers insight across different compute services, secure communication across the deployment fleet, automatic workload discovery and comprehensive cloud visibility across multiple accounts.
“As security becomes an earlier part of the development cycle, development teams must be equipped with solutions that allow them to quickly and effectively build from the ground up the strength and protection needed for the evolving threat landscape,” said Amol Kulkarni, chief product officer of CrowdStrike. “Through our growing integrations with our strong collaboration with AWS, CrowdStrike is providing security teams the scale and tools needed to adopt, innovate and secure technology across any workload with speed and efficiency, making it easier to address security issues in earlier phases of development and providing better, holistic protection and uptime for end users.”
AWS Graviton – CrowdStrike provides cloud-native workload protection for Amazon Elastic Compute Cloud (Amazon EC2) A1 instances powered by AWS Graviton Processors, as well as the C6g, M6g and R6g Amazon EC2 instances based on the new Graviton2 Processors. With the Falcon lightweight agent, customers receive the same seamless protection and visibility across different compute instance types with minimal impact on runtime performance. CrowdStrike Falcon secures Linux workloads running on ARM with no requirements for reboots, “scan storms” or invasive signature updates.
Amazon WorkSpaces – Amazon WorkSpaces is a fully managed, Desktop-as-a-Service (DaaS) solution that provides users with either Windows or Linux desktops in just a few minutes and can quickly scale to provide thousands of desktops to workers across the globe. CrowdStrike brings its industry-leading prevention and detection capabilities that include machine learning (ML), exploit prevention and behavioral detections to Amazon WorkSpaces, supporting remote workforces without affecting business continuity.
Bottlerocket – Bottlerocket is a new Linux-based open source operating system purpose-built by AWS for running containers on virtual machines or bare metal hosts, designed to improve the security and operations of organizations’ containerized infrastructure. CrowdStrike Falcon will provide runtime protection, endpoint detection and response (EDR) visibility and container awareness, enabling customers to further secure their applications running on Bottlerocket.
BT Security has announced the key partners that it will work with going forward to provide industry-leading managed security services to customers. The decision follows BT’s largest-ever appraisal of its security suppliers, and a comprehensive review of the security vendor ecosystem as a whole.
BT’s decision to refine its security partner base was driven by the recognition that many of its customers find it difficult to navigate today’s complex security landscape.
The huge range of suppliers and products in the market can be bewildering, and lead to the adoption of multiple overlapping systems. This in turn can render security estates difficult to manage, burdened with unnecessary costs and, ultimately, with lower overall levels of protection.
BT Security is reflecting its customers’ desire to reduce complexity by having a leaner set of partners and clearly laying out its view of the best providers for specific security requirements.
The confirmed partners were agreed following a detailed evaluation of their respective capabilities across all security control and threat management technologies. The final selection provides BT’s view of the security market’s leading providers, who will support a harmonized portfolio of solutions to its customers going forward.
Kevin Brown, Managing Director of BT Security, said: “Our new security partner ecosystem showcases the benefits of BT Security as a Managed Security Services Provider. We’re able to use our deep experience and insight of the security ecosystem to help our customers navigate what can be an incredibly confusing market.
“We’re also ensuring that BT Security customers will benefit from working with the best suppliers from across the security industry.”
McAfee, Palo Alto Networks and Fortinet were selected as BT Security’s ‘Critical Partners’. Each of those companies will provide a range of services and products that will be incorporated into BT Security’s global portfolio, as well as providing holistic support to its commercial and operational activities.
BT Security will also work with these partners to develop a roadmap of security solutions which continue to reflect evolving customer demands and integrate the latest developments in security automation.
Lynn Doherty, Executive Vice President of Global Sales and Marketing at McAfee, said: “We’re proud to partner with BT to fight against cybercrime and accelerate new business environments for our customers as they look for more solution integrations, deeper engagement and faster modernization efforts.
“Together through our strategic service provider partners, like BT, McAfee is able to deliver world class security services that enable organizations to evolve their defenses into areas like Secure Access Service Edge (SASE) and Extended Detection and Response (XDR).”
Alex Zinin, VP, Global Service Provider Business at Palo Alto Networks, said: “We’ve been working closely with BT Security for several years to bring innovative cybersecurity solutions to our joint customers.
“We are honored to be selected as one of their critical partners to continue this close collaboration, in recognition of the breadth of our security capabilities across multiple market segments. This comes at a time when it’s never been more essential for communications and security to be closely aligned to help all organisations with staff working remotely.
“We look forward to working together as we strive to make each day safer and more secure than the one before.”
John Maddison, Executive Vice President of Products and Chief Marketing Officer at Fortinet, said: “Digital Innovation is disrupting all industries, markets, and segments, leading to increased risk as cyber threats take advantage of this disruption.
“To protect against known advanced threats as well as unknown sophisticated attacks, Fortinet enables organizations to apply security anywhere and protect all edges – including WAN, cloud, data center, endpoint, identity, and home – while reducing the number of required products to save costs and remove complexity.
“We’re proud to partner with BT Security to help customers address the most critical security challenges and protect data across the entire digital infrastructure.”
Microsoft, IBM and Cisco were all confirmed as ‘Strategic Partners’ for BT Security. This categorization reflects not only their relationship with BT Security, but also their broader activities and remit across the whole of BT.
BT Security also confirmed a further nine ‘Ecosystem Partners’, who will be incorporated into its global portfolio of solutions for customers due to their complementary technology capabilities. These partners are Skybox, Forescout, Zscaler, Check Point, CrowdStrike, Okta, Qualys, Netscout and F5.
Through deeper strategic relationships, BT Security and its partners will work together to provide better customer experience and protection, while those selected partners will also be BT Security’s main collaborators as they look to develop future customer solutions.
BT Security will regularly review the partnerships to monitor the latest vendor developments, while continuing to assess the wider industry for new and emergent security companies and technologies.
Endpoint protection has evolved to safeguard against complex malware and evolving zero-day threats.
To select an appropriate endpoint protection solution for your business, you need to think about a variety of factors. We’ve talked to several cybersecurity professionals to get their insight on the topic.
Theresa Lanowitz, Head of Evangelism, AT&T Cybersecurity
Corporate endpoints represent a top area of security risk for organizations, especially considering the shift to virtual operations brought on by COVID-19. As malicious actors target endpoints with new types of attacks designed to evade traditional endpoint prevention tools, organizations must seek out advanced endpoint detection and response (EDR) solutions.
Traditionally, enterprise EDR solutions carry high cost and complexity, making it difficult for organizations to implement EDR successfully. While many security teams recognize the need for EDR, most do not have the resources to manage a standalone endpoint security solution.
For this reason, when selecting an EDR solution, it’s critical to seek a unified solution for threat detection, incident response and compliance, to be incorporated into an organization’s existing security stack, eliminating any added cost or complexity. Look for endpoint solutions where security teams can deploy a single platform that delivers advanced EDR combined with many other essential security capabilities in a single pane of glass, in an effort to drive efficiency of security and network operations.
Overall, organizations should select an EDR solution that enables security teams to detect and respond to threats faster while eliminating the cost and complexity of maintaining yet another point security solution. This approach can help organizations bolster their cybersecurity and network resiliency, with an eye towards securing the various endpoints used in today’s virtual workforce.
Rick McElroy, Cyber Security Strategist, VMware Carbon Black
With the continuously evolving threat landscape, there are a number of factors to consider during the selection process. Whether a security team is looking to replace antiquated malware prevention or empower a fully-automated security operations process, here are the key considerations:
- Does the platform have the flexibility for your environment? Not all endpoints are the same, therefore broad coverage of operating systems is a must.
- Does the vendor support the MITRE ATT&CK Framework for both testing and maturing the product? Organizations need to test security techniques, validate coverage and identify gaps in their environments, and implement mitigation to reduce attack surface.
- Does it provide deeper visibility into attacks than traditional antivirus? Organizations need deeper context to make a prevention, detection or response decision.
- Does the platform provide multiple security functions in one lightweight sensor? Compute is expensive; endpoint security tools should be as non-impactful to the system as possible.
- Is the platform usable at scale? If your endpoint protection platform isn’t centrally analyzing behaviors across millions of endpoints, it won’t be able to spot minor fluctuations in normal activity to reveal attacks.
- Does the vendor’s roadmap meet the future needs of the organization? Any tool selected should allow teams the opportunity for growth and ability to use it for multiple years, building automated processes around it.
- Does the platform have open APIs? Teams want to integrate endpoints with SIEM, SOAR platforms and network security systems.
David Ngo, VP Metallic Products and Engineering, Commvault
With millions working remotely due to COVID-19, laptop endpoints being used by employees while they work from home are particularly vulnerable to data loss.
This has made it more important than ever for businesses to select a strong endpoint protection solution that:
- Lowers the risk of lost data. The best solutions have automated backups that run multiple times during the day to ensure recent data is protected and security features such as geolocation and remote wipe for lost or stolen laptops. Backup data isolation from source data can also provide an extra layer of protection from ransomware. In addition, anomaly detection capabilities can identify abnormal file access patterns that indicate an attack.
- Enables rapid recovery. If an endpoint is compromised, the solution should accelerate data recovery by offering metadata search for quick identification of backup data. It’s also important for the solution to provide multiple granular restore options – including point in time, out of place, and cross OS restores – to meet different recovery needs.
- Limits user and IT staff administration burdens. Endpoint solutions with silent install and backup capabilities require no action from end users and do not impact their productivity. The solution should also allow users and staff to access backup data, anytime, anywhere, from a browser-enabled device, and make it possible for employees to search and restore files themselves.
James Yeager, VP of Public Sector, CrowdStrike
Decision-makers seeking the best endpoint protection (EPP) solution for their business should be warned that legacy security solutions are generally ineffective, leaving organizations highly susceptible to breaches and placing a huge burden on security teams and users.
Legacy tools built on on-premises architectures are unable to keep up with the capabilities made available in a modern EPP solution, like collecting data in real-time, storing it for long periods and analyzing it in a timely manner. Storing threat telemetry data in the cloud makes it possible to quickly search petabytes of data in an effort to glean historical context for activities running on any managed system.
Beware of retrofitted systems from vendors advertising newer “cloud-enabled” features. Simply put, these “bolt-on” models are unable to match the performance of a cloud-native solution. Buyers run the risk of their security program becoming outdated with tools that cannot scale to meet the growing needs of today’s modern, distributed workforce.
Furthermore, comprehensive visibility into the threat landscape and the overall IT hygiene of your enterprise are foundational for efficient security. Adding cloud-native endpoint detection and response (EDR) capabilities that leverage machine learning to your security stack will deliver visibility and detection for threat protection across the entire kill chain. Additionally, a “hygiene first” approach will help you identify the most critical risk areas early on in the threat cycle.
In late May, KrebsOnSecurity alerted numerous officials in Florence, Ala. that their information technology systems had been infiltrated by hackers who specialize in deploying ransomware. Nevertheless, on Friday, June 5, the intruders sprang their attack, deploying ransomware and demanding nearly $300,000 worth of bitcoin. City officials now say they plan to pay the ransom demand, in hopes of keeping the personal data of their citizens off of the Internet.
Nestled in the northwest corner of Alabama, Florence is home to roughly 40,000 residents. It is part of a quad-city metropolitan area perhaps best known for the Muscle Shoals Sound Studio that recorded the dulcet tones of many big-name music acts in the 1960s and 70s.
On May 26, acting on a tip from Milwaukee, Wisc.-based cybersecurity firm Hold Security, KrebsOnSecurity contacted the office of Florence’s mayor to alert them that a Windows 10 system in their IT environment had been commandeered by a ransomware gang.
Comparing the information shared by Hold Security dark web specialist Yuliana Bellini with the employee directory on the Florence website indicated the username for the computer that attackers had used to gain a foothold in the network on May 6 belonged to the city’s manager of information systems.
My call was transferred to no fewer than three different people, none of whom seemed eager to act on the information. Eventually, I was routed to the non-emergency line for the Florence police department. When that call went straight to voicemail, I left a message and called the city’s emergency response team.
That last effort prompted a gracious return call the following day from a system administrator for the city, who thanked me for the heads up and said he and his colleagues had isolated the computer and Windows network account Hold Security flagged as hacked.
“I can’t tell you how grateful we are that you helped us dodge this bullet,” the technician said in a voicemail message for this author. “We got everything taken care of now, and some different protocols are in place. Hopefully we won’t have another near scare like we did, and hopefully we won’t have to talk to each other again.”
But on Friday, Florence Mayor Steve Holt confirmed that a cyberattack had shut down the city’s email system. Holt told local news outlets at the time there wasn’t any indication that ransomware was involved.
However, in an interview with KrebsOnSecurity Tuesday, Holt acknowledged the city was being extorted by DoppelPaymer, a ransomware gang with a reputation for negotiating some of the highest extortion payments across dozens of known ransomware families.
Holt said the same gang appears to have simultaneously compromised networks belonging to four other victims within an hour of Florence, including another municipality that he declined to name. Holt said the extortionists initially demanded 39 bitcoin (~USD $378,000), but that an outside security firm hired by the city had negotiated the price down to 30 bitcoin (~USD $291,000).
Like many other cybercrime gangs operating these days, DoppelPaymer will steal reams of data from victims prior to launching the ransomware, and then threaten to publish or sell the data unless a ransom demand is paid.
Holt told KrebsOnSecurity the city can’t afford to see its citizens’ personal and financial data jeopardized by not paying.
“Do they have our stuff? We don’t know, but that’s the roll of the dice,” Holt said.
Steve Price, the Florence IT manager whose Microsoft Windows credentials were stolen on May 6 by a DHL-themed phishing attack and used to further compromise the city’s network, explained that following my notification on May 26 the city immediately took a number of preventative measures to stave off a potential ransomware incident. Price said that when the ransomware hit, they were in the middle of trying to get city leaders to approve funds for a more thorough investigation and remediation.
“We were trying to get another [cybersecurity] response company involved, and that’s what we were trying to get through the city council on Friday when we got hit,” Price said. “We feel like we can build our network back, but we can’t undo things if peoples’ personal information is released.”
Fabian Wosar, chief technology officer at Emsisoft, said organizations need to understand that the only step which guarantees a malware infestation won’t turn into a full-on ransomware attack is completely rebuilding the compromised network — including email systems.
“There is a misguided belief that if you were compromised you can get away with anything but a complete rebuild of the affected networks and infrastructure,” Wosar said, noting that it’s not uncommon for threat actors to maintain control even as a ransomware victim organization is restoring their systems from backups.
“They often even demonstrate that they still ‘own’ the network by publishing screenshots of messages talking about the incident,” Wosar said.
Hold Security founder Alex Holden said Florence’s situation is all too common, and that very often ransomware purveyors are inside a victim’s network for weeks or months before launching their malware.
“We often get glimpses of the bad guys beginning their assaults against computer networks and we do our best to let the victims know about the attack,” Holden said. “Since we can’t see every aspect of the attack we advise victims to conduct a full investigation of the events, based on the evidence collected. But when we deal with sensitive situations like ransomware, timing and precision are critical. If the victim will listen and seek out expert opinions, they have a great chance of successfully stopping the breach before it turns into ransom.”
Python backdoor attacks are increasingly common. Iran, for example, used a MechaFlounder Python backdoor attack against Turkey last year. Scripting attacks are nearly as common as malware-based attacks in the United States and, according to the most recent CrowdStrike Global Threat Report, scripting is the most common attack vector in the EMEA region.
Python’s growing popularity among attackers shouldn’t come as a surprise. Python is a simple but powerful programming language. With very little effort, a hacker can create a script of less than 100 lines that establishes persistence, so that even if you kill the process, it will start itself back up, establish a backdoor, obfuscate communications both internally and with external servers and set up command and control links. And if an attacker doesn’t want to write the code, that’s no problem either. Python backdoor scripts are easy to find – a simple GitHub search turns up more than 200.
Scripting attacks are favored by cybercriminals and nation states because they are hard to detect by endpoint detection and response (EDR) systems. Python is heavily used by admins, so malicious Python traffic looks exactly like the traffic produced by day-to-day network management tools.
It’s also fairly easy to get these malevolent scripts onto targeted networks. Simply include a malicious script in a commonly used library, change the file name by a single character and, undoubtedly, someone will use it by mistake or include it as a dependency in some other library. That’s particularly insidious, given how enormous the list of dependencies can be in many libraries.
By adding a bit of social engineering, attackers can successfully compromise specific targets. If an attacker knows the StackOverflow usernames of some of the admins at their targeted organization, he or she can respond to a question with ready-to-copy Python code that looks completely benign. This works because many of us have been “trained” by software companies to copy and paste code to deploy their software. Everyone knows it isn’t safe, but admins are often pressed for time and do it anyway.
Anatomy of a Python backdoor attack
Now, let’s imagine a Python backdoor has established itself on your network. How will the attack play out?
First, it will probably try to establish persistence. There are many ways to do this, but one of the easiest is to add a crontab entry that restarts the script even if it’s killed. To stop the process permanently, you’ll need to remove the crontab entry and kill the process in the right sequence at the right time. Then it will make a connection to an external server to establish command and control, obfuscating communications so they look normal, which is relatively easy to do since its traffic already resembles that of ordinary day-to-day operations.
At this point, the script can do pretty much anything an admin can do. Scripting attacks are often used as the point of the spear for multi-layered attacks, in which the script downloads malware and installs it throughout the environment.
Fighting back against Python backdoors
Scripting attacks often bypass traditional perimeter and EDR defenses. Firewalls, for example, use approved network addresses to determine whether traffic is “safe,” but they can’t verify exactly what is communicating on either end. As a result, scripts can easily piggyback on approved firewall rules. As for EDR, traffic from malicious scripts is very similar to that produced by common admin tools. There’s no clear signature for EDR defenses to detect.
The most efficient way to protect against scripting attacks is to adopt an identity-based zero trust approach. In a software identity-based approach, policies are not based on network addresses, but rather on a unique identity for each workload. These identities are based on dozens of immutable properties of the device, software or script, such as a SHA-256 hash of the binary, the UUID of the BIOS or a cryptographic hash of a script.
Any approach that’s based on network addresses cannot adequately protect the environment. Network addresses change frequently, especially in autoscaling environments such as the cloud or containers, and as mentioned earlier, attackers can piggyback on approved policies to move laterally.
With a software and machine identity-based approach, IT can create policies that explicitly state which devices, software and scripts are allowed to communicate with one another — all other traffic is blocked by default. As a result, malicious scripts would be automatically blocked from establishing backdoors, deploying malware or communicating with sensitive assets.
Scripts are rapidly becoming the primary vector for bad actors to compromise enterprise networks. By establishing and enforcing zero trust based on identity, enterprises can shut them down before they have a chance to establish themselves in the environment.
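The following script is an added defender-side example, not code from the article or from CrowdStrike, showing what the two points above look like in practice: persistence lives in crontab entries, and a policy keyed on a script’s SHA-256 identity rather than its filename or network address decides whether each scheduled script is allowed. The function names (`script_identity`, `build_policy`, `audit_crontab`, `demo`) and the scripts and crontab text are constructed for the example; the approved script is any script a team has reviewed and recorded in its policy.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Cron entry: either an @shortcut (e.g. @reboot) or five schedule fields, then the command.
CRON_LINE = re.compile(r"^\s*(?:@\w+\s+|(?:\S+\s+){5})(?P<command>.+)$")
# Interpreter invocation whose argument we can resolve to a script file on disk.
PY_INVOCATION = re.compile(r"\bpython[0-9.]*\s+(?P<script>\S+\.py)\b")


def script_identity(path):
    """Identity of a script: SHA-256 of its bytes. Renaming the file leaves it
    unchanged; changing a single byte of content yields a different identity."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_policy(approved_scripts):
    """Policy = set of identities allowed to run. Everything else is denied by default."""
    return {script_identity(Path(p)) for p in approved_scripts}


def evaluate_script(path, policy):
    """Default-deny decision for one script path."""
    path = Path(path)
    if not path.is_file():
        return {"path": str(path), "allowed": False, "reason": "script not found on disk"}
    identity = script_identity(path)
    if identity in policy:
        return {"path": str(path), "allowed": True, "reason": "identity in policy", "sha256": identity}
    return {"path": str(path), "allowed": False, "reason": "unknown identity", "sha256": identity}


def audit_crontab(crontab_text, policy, cwd="/"):
    """Walk crontab entries, resolve python invocations to script files and decide each one."""
    findings = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment or VAR=value assignment
        match = CRON_LINE.match(line)
        if not match:
            continue
        for invocation in PY_INVOCATION.finditer(match.group("command")):
            script = Path(invocation.group("script"))
            if not script.is_absolute():
                script = Path(cwd) / script
            verdict = evaluate_script(script, policy)
            verdict["cron_line"] = line
            findings.append(verdict)
    return findings


def demo():
    """Constructed scenario (not from the article): one approved backup script,
    a byte-identical copy under a different name, a tampered copy, and a
    crontab entry pointing at a script that no longer exists."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        approved = root / "backup.py"
        approved.write_text("import shutil\nshutil.copytree('/srv/data', '/backup/data')\n")
        renamed = root / "backup_.py"           # same bytes, different name
        renamed.write_bytes(approved.read_bytes())
        tampered = root / "backups.py"          # one extra line appended
        tampered.write_text(approved.read_text() + "import socket\n")

        policy = build_policy([approved])       # only the reviewed script is approved
        crontab = "\n".join([
            "PATH=/usr/local/bin:/usr/bin",
            "# constructed crontab for the example",
            f"0 2 * * * python3 {approved}",
            f"*/5 * * * * python3 {renamed}",
            f"@reboot python3 {tampered}",
            f"15 3 * * * /usr/bin/python3 {root / 'missing.py'} >/dev/null 2>&1",
        ])
        findings = audit_crontab(crontab, policy, cwd=root)
        return {Path(f["path"]).name: f["allowed"] for f in findings}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:12s} {'ALLOW' if allowed else 'BLOCK'}")
```

The renamed copy is allowed because its identity is its content, not its name, while the copy with one appended line is blocked even though it sits next to the approved script and is invoked the same way; an entry whose script is missing is also surfaced, since a cron line with no file behind it is worth a look in its own right.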
During 2019, financially motivated cybercrime activity occurred on a nearly continuous basis, according to a CrowdStrike report.
There was an increase in incidents of ransomware, maturation of the tactics used, and increasing ransom demands from eCrime actors. Increasingly these actors have begun conducting data exfiltration, enabling the weaponization of sensitive data through threats of leaking embarrassing or proprietary information.
Moving beyond eCrime, nation-state adversaries continued unabated throughout 2019, targeting a wide range of industries. Another key trend in this year’s report is the telecommunications industry being targeted with increased frequency by threat actors, such as China and DPRK.
Various nations, particularly China, have interest in targeting this sector to steal intellectual property and competitive intelligence.
Pursuing the 1-10-60 rule
Combatting threats from sophisticated nation-state and eCrime adversaries requires a mature process that can prevent, detect and respond to threats with speed and agility. Organizations should pursue the “1-10-60 rule” in order to effectively thwart cyberthreats.
The 1-10-60 guidelines are: detect intrusions in under one minute; investigate in 10 minutes; contain and eliminate the adversary in 60 minutes. Organizations that meet this benchmark are much more likely to eradicate the adversary before an attack spreads from its initial entry point, ultimately minimizing organizational impact.
“2019 brought an onslaught of new techniques from nation-state actors and an increasingly complex eCrime underground filled with brazen tactics and massive increases in targeted ransomware demands. As such, modern security teams must employ technologies to detect, investigate and remediate incidents faster with swift preemptive countermeasures, such as threat intelligence, and follow the 1-10-60 rule,” said Adam Meyers, vice president of Intelligence at CrowdStrike.
- The trend toward malware-free tactics accelerated, with malware-free attacks surpassing the volume of malware attacks. In 2019, 51% of attacks used malware-free techniques, compared to 40% in 2018, underscoring the need to advance beyond traditional AV solutions.
- China continues to focus many operations on supply chain compromises, demonstrating the nation-state’s continued use of this tactic to identify and infect multiple victims. Other targeting of key U.S. industries deemed vital to China’s strategic interests — including clean energy, healthcare, biotechnology, and pharmaceuticals — is also likely to continue.
- The industries at the top of the target list for enterprise ransomware (Big Game Hunting) observed were local governments and municipalities, academic institutions, the technology sector, healthcare, manufacturing, financial services and media companies.
- In addition to supporting currency generation, DPRK’s targeting of cryptocurrency exchanges could support espionage-oriented efforts designed to collect information on users or cryptocurrency operations and systems. In addition, it is suspected that DPRK has also been developing its own cryptocurrency to further circumvent sanctions.
“This year’s report indicates a massive increase in eCrime behavior can easily disrupt business operations, with criminals employing tactics to leave organizations inoperable for large periods of time. It’s imperative that modern organizations employ a sophisticated security strategy that includes better detection and response and 24/7/365 managed threat hunting to pinpoint incidents and mitigate risks,” said Jennifer Ayers, vice president of OverWatch at CrowdStrike.
CrowdStrike, a leader in cloud-delivered endpoint protection, announced CrowdStrike Endpoint Recovery Services at RSA Conference 2020. The new offering combines the power of the CrowdStrike Falcon platform, threat intelligence, and real-time response to accelerate business recovery from cyber intrusions.
For modern businesses, the standard lifecycle of incident recovery is often a long and expensive process involving large amounts of operational downtime and interruptions. Endpoint Recovery Services was introduced to fundamentally shift the traditional approach of how businesses recover from known security incidents.
By leveraging the power of the cloud-native CrowdStrike Falcon Platform and Threat Intelligence at the hands of CrowdStrike’s highly-experienced Services team, Endpoint Recovery Services helps customers actively remediate ongoing security threats and rapidly recover from a potential incident while minimizing business interruptions.
Endpoint Recovery Services accelerates the standard lifecycle of incident recovery, saving businesses from expensive downtime in their efforts to quickly detect, prevent and recover from known security incidents.
“Incident response recovery continues to come up as a global business issue and a market-wide problem, as organizations often fail to get back to business quickly enough in the wake of a security-related incident.
“Traditional recovery models interrupt business operations for weeks, even months, after an incident occurs, leaving many companies stranded in extended periods of downtime,” said Shawn Henry, chief security officer and president of CrowdStrike Services.
“Leveraging the power of the cloud, CrowdStrike is able to make incident recovery a quick, painless process for customers. With our innovative technology and leading group of security experts, Endpoint Recovery Services is geared to drastically reduce the average time-to-recovery, without interrupting business operations.”
Endpoint Recovery Services benefits for customers
The three-part model to recovery success: Rapid and effective incident recovery requires the combination of three functional components: technology, intelligence and expertise.
Endpoint Recovery Services combines CrowdStrike’s industry leading CrowdStrike Falcon Platform, real-time endpoint visibility from Threat Graph and experienced security analysts to ensure immediate attack disruption and comprehensive endpoint remediation. After recovery, Endpoint Recovery Services collects and retains incident triage data to prevent reinfection.
A new, streamlined model for recovery lifecycles: The initial phases of Endpoint Recovery Services are focused on understanding the incident and deploying the cloud-native Falcon platform without the need for on-premises visits or installations.
After Endpoint Recovery Services is engaged, the customer’s Falcon instance is provisioned, sensors made available for deployment, and active prevention policies are enforced immediately to stop ongoing attacks. Endpoint Recovery Services remains engaged for the remainder of the term to monitor the customer’s environment and prevent reinfection.
Targeted focus on business recovery: Over the course of last year, a massive uptick in ransomware left numerous businesses unable to operate at the most basic level. Endpoint Recovery Services rapidly stops attacks to minimize downtime and restore business operations efficiently and effectively without having to reimage or reissue endpoint devices, enabling customers to focus on recovering other critical business components.
Endpoint Recovery Services also segues seamlessly into CrowdStrike’s Falcon Complete for customers looking to transition from a fixed-term, incident-focused offering to an all-encompassing, annual service backed by an endpoint protection warranty.
“There is nothing like Endpoint Recovery Services on the market right now,” said Christopher E. Ballod, CIPP/US, CIPP/E, partner at Lewis Brisbois Bisgaard & Smith LLP. “Endpoint Recovery Services fills the vital need for an efficient and light-weight suite of protection and remediation services with the world-class tools deployed by CrowdStrike.”
Delta Risk and CrowdStrike help clients strengthen their cyber security posture to detect and prevent attacks
Delta Risk, a leading provider of SOC-as-a-Service and security services, announced that it has joined the CrowdStrike Elevate Partner Program. Delta Risk will offer CrowdStrike’s industry-leading next-generation endpoint protection platform, threat intelligence, and response services to help customers stop breaches.
Delta Risk will support customers using the CrowdStrike Falcon Platform to help businesses strengthen their cyber security posture to detect and prevent attacks.
CrowdStrike Falcon is a transformative solution powered by Artificial Intelligence (AI) that unifies next-generation antivirus (NGAV), IT hygiene, endpoint detection and response (EDR), cyber threat intelligence and proactive threat hunting.
“Our cloud-native ActiveEye platform, which powers our managed security services, combined with CrowdStrike’s robust endpoint security, enables customers to quickly see what’s happening on endpoint devices across their network,” said Joseph Acosta, Director of Security Operation Center, Delta Risk.
“This reduces the risk of false positives so security staff can focus on the most critical alerts and respond to threats faster.”
“We chose to have Delta Risk manage our endpoint security because of our past experience using their security operations center (SOC) as-a-Service solutions,” said Curtis Glenn, Director of Information Security, Sonic Automotive.
“Delta Risk’s expertise allows us to maximize our investment in CrowdStrike and maintain global, 24×7 coverage for our entire IT infrastructure.”
“Attacks are unavoidable, so organizations must respond quickly to cyber threats to match the speed of sophisticated criminal and nation-state adversaries,” said Matthew Polly, vice president of Channel and Alliances, CrowdStrike.
“By joining the CrowdStrike Elevate Partner Program, Delta Risk can offer customers comprehensive endpoint visibility, faster time to deployment, and better overall protection.”
In a recent report, CrowdStrike recommended that organizations follow the 1:10:60 rule: one minute to detect threats, 10 minutes to investigate, and 60 minutes to contain and remediate an incident.
Most organizations aren’t sufficiently prepared to address breakout time, defined as the window between when an intruder compromises the first machine and when they can move laterally to other systems on the network, according to CrowdStrike’s 2019 Global Security Attitude Survey.
On average, the process of detecting, triaging, investigating, and containing a cyber incident takes organizations globally 162 hours, with an average of 31 hours to contain a cybersecurity incident once it has been detected and investigated.
The survey results indicated that only 11 percent of respondents could detect an intruder in under one minute, only nine percent could investigate an incident in 10 minutes, only 33 percent could contain an incident in 60 minutes, and only five percent could do all three.
The CrowdStrike Elevate Partner Program provides technology partners, solution providers, system integrators and managed service providers (MSSPs) with the capability to deliver bespoke solutions to customers.
Along with the CrowdStrike Orchestration and Automation initiative and the introduction of new and updated APIs via CrowdStrike Falcon Connect, partners can seamlessly integrate their solutions with the CrowdStrike Falcon Platform, allowing them to operate their security efforts in a more efficient and effective manner responding to security threats faster and with greater accuracy.
Over the course of 2019, 36% of the incidents that CrowdStrike investigated were caused by ransomware, destructive malware or denial of service attacks, revealing that business disruption was often the main attack objective of cybercriminals.
Another notable finding in the new CrowdStrike Services Report shows a large increase in dwell time to an average of 95 days in 2019 — up from 85 days in 2018 — meaning that adversaries were able to hide their activities from defenders for longer, and that organizations still lack the technology necessary to harden network defenses, prevent exploitation and mitigate cyber risk.
Business disruption as primary attack objective
- Third-party compromises serve as a force multiplier for attacks. Threat actors are increasingly targeting third-party service providers to compromise their customers and scale attacks.
- Attackers are targeting cloud infrastructure as a service (IaaS). Threat activity around API keys for public cloud-based infrastructure has become more targeted as attackers increase their ability to rapidly and systematically harvest information assets.
- Macs are now clearly in the crosshairs of the cyber fight. Threat actors are increasingly targeting macOS environments, “living off the land” with native applications and capitalizing on the fact that macOS systems typically have fewer security tools in place than the Windows systems in the same organization.
- Patching remains a problem. Basic hygiene still matters, and even though organizations have gotten better at patching, the factors that make patching a challenge have become more complex.
- How prevention is configured impacts its effectiveness. The report finds that many organizations fail to leverage the capabilities of the tools they already have. The failure to enable critical settings not only leaves organizations vulnerable but also gives them a false sense of security.
The report found that organizations that meet the 1-10-60 benchmark — detect an incident in one minute, investigate in 10 minutes and remediate within an hour — are improving their chances of stopping cyber adversaries. However, it found that the vast majority of organizations struggle to meet the 1-10-60 standard.
Beyond the 1-10-60 benchmark, the report offers guidance on remaining protected against today’s ever-evolving threat landscape, including integrating next-generation endpoint security tools and proactive strategies to strengthen cyber posture. Innovative tools and tactics such as machine learning, behavioral analytics and managed threat hunting teams help uncover cyber criminal behavior and motivations, while also preventing incidents from turning into breaches.
“Strong cybersecurity posture ultimately lies within technology that ensures early detection, swift response and fast mitigation to keep adversaries off networks for good,” said Shawn Henry, CSO and president of CrowdStrike Services.
TrueFort, the application detection and response company, announced the continued expansion of the TrueFort Fortified Ecosystem. The company is building upon its previously announced partnership with CrowdStrike, and now adds Infoblox to the program.
To protect applications and enable organizations to achieve full, 360-degree understanding of their behavior and context, the TrueFort Fortress XDR platform has been optimized to consume vast amounts of real-time telemetry into its advanced analytics engine to be able to accurately identify internal and external threats across all vectors.
“Without open integration and information sharing between the various security controls available today, malicious actors will continue to have great success attacking enterprises,” said Ed Amoroso, CEO of TAG CYBER and former head of cybersecurity for AT&T.
“Ask any Chief Information Security Officer (CISO) today what risk they are most concerned about and the majority will point to threats that target business applications.”
This announcement reinforces the company’s commitment to its ecosystem approach, and to helping customers extract maximum value from the TrueFort platform and from their existing investments in third-party products and data, via open APIs and, especially, bi-directional information sharing.
“Through the Ecosystem Exchange model, Infoblox customers now have yet another way to extend the value of our Core Network Services data,” said David Barry, Senior Director of Business Development at Infoblox.
“The TrueFort Fortress XDR platform’s ability to consume our telemetry enhances its application profiling for better policy management, while providing increased insight into unmanaged systems to fast-track application-layer threat detection.”
TrueFort also announced its membership in the Center for Internet Security SecureSuite which provides organizations access to multiple cybersecurity resources including the CIS-CAT Pro configuration assessment tool, build content, full-format CIS Benchmarks, and more.
In addition, TrueFort Fortress XDR is expanding its footprint of protected application environments with a new listing on the VMware Solution Exchange as a data center and network security solution.
“To improve our customers’ security posture while reducing operational overhead, as vendors we need to ensure smooth integration and information sharing between toolsets, while following industry best practices like the CIS benchmarks,” said Sameer Malhotra, CEO and Founder, TrueFort.
“Through initiatives like the TrueFort Fortified Ecosystem, we look forward to promoting industry collaboration in 2020 and beyond.”
The process of detecting, triaging, investigating, and containing a cyber incident takes organizations globally on average nearly seven days of working around the clock (totaling 162 hours), with an average of 31 hours to contain a cybersecurity incident once it has been detected and investigated, a CrowdStrike survey reveals. How fast can you detect intruders? As a result, the majority of respondents (80%) report that in the past 12 months, they have been unable to … More
The post Only 11% of organizations can detect intruders in under one minute appeared first on Help Net Security.