In 2019, targeted intrusion adversaries will continue to conduct campaigns as part of their nation-state’s national strategies. China, Russia, Iran, and the DPRK are seeking geopolitical prominence, both in their respective regions and internationally, and they will use their cyber capabilities to attain and maintain situational awareness of their neighbors and rivals. Entities in the government, defense, think tank and NGO sectors will continue to be the targets of these operations. These intrusions will likely be supported by the targeting of upstream providers in the telecommunications and technology (particularly managed service providers) sectors, and may include supply chain compromises, as was observed in 2017.
For China, interest in regional neighbors will likely support the BRI and Digital Silk Road initiatives, the latter furthering the balkanization of the internet. Vietnam and Thailand have already drafted intrusive cybersecurity laws that closely resemble China’s. The spread of such surveillance standards will undoubtedly benefit Chinese adversary groups, many of which are well-versed in targeting telecom organizations. Russia and Iran are also likely to make efforts to control the direction of international policy regarding internet use. Both countries continue to pursue efforts to control content on domestic internet platforms. Actors and organizations in Iran and Russia are also likely to continue using information operations (IO) campaigns to support narratives favorable to these countries, regardless of the vigilance of social media companies.
It remains too early to tell if BOSS SPIDER will return to operations following the DoJ indictment. In the meantime, it is highly likely that other Big Game Hunting adversaries — INDRIK SPIDER and GRIM SPIDER — will continue to operate to their fullest capacity, undeterred by potential law enforcement activity. CrowdStrike Intelligence continues to observe fluctuations in the eCrime ecosystem; however, it is clear that reputation remains a driving factor among eCrime adversaries. GURU SPIDER’s ruined status is a notable example of how quickly a downfall can occur, while MUMMY SPIDER has leveraged its relationships to grow into a formidable force.
Although mineware may no longer be a rising trend, it is still likely to affect organizations across all sectors and may be observed in conjunction with other crimeware. BEC will remain elevated in 2019, as new actor groups utilizing these tactics emerge and existing groups develop new TTPs for compromising their victims.
2018 was another tumultuous year in cybersecurity. Looking forward, there is ample evidence that adversaries will be forced to adapt and deploy stealthier tactics in order to continue their profitable operations, prolonging the cybersecurity arms race. CrowdStrike recommends that all organizations consider the following measures to help maintain strong defenses in 2019:
Basic Hygiene Still Matters
The basics of user awareness, asset and vulnerability management, and secure configurations continue to serve as the foundation for a strong cybersecurity program. CrowdStrike recommends that organizations regularly review and improve their standard security controls, including the following:
- User awareness programs should be initiated to combat the continued threat of phishing and related social engineering techniques, such as 2018’s massive Emotet outbreak.
- Asset management and software inventory are crucial to ensuring that organizations understand their own footprint and exposure.
- Vulnerability and patch management can verify that known vulnerabilities and insecure configurations are identified, prioritized and remediated.
- Multifactor authentication (MFA) should be established for all users, because today’s attackers have proven adept at obtaining and using valid credentials, which quickly leads to deeper compromise; MFA also makes it much more difficult for adversaries to gain privileged access.
- In addition to MFA, a robust privilege access management process will limit the damage adversaries can do if they get in, and reduce the likelihood of lateral movement.
- Implement password protection for endpoint protection agents so that they cannot be disabled or uninstalled. These agents provide critical prevention and visibility for defenders, and disabling them is always a high priority for attackers looking to deepen their foothold and hide their activities.
Look Beyond Malware: Strengthen Defenses Against Modern Attacks
As sophisticated attacks continue to evolve, enterprises face much more than just “a malware problem.” Defenders must look for early warning signs that an attack may be underway, such as code execution, persistence, stealth, command and control, and lateral movement within a network. Contextual and behavioral analysis, when delivered in real time via machine learning and artificial intelligence, effectively detects and prevents attacks that conventional “defense-in-depth” technologies cannot address.
Survival of the Fastest: Accept the 1-10-60 Challenge
With breakout time measured in hours, CrowdStrike recommends that organizations pursue the “1-10-60 rule” in order to effectively combat sophisticated cyberthreats:
- Detect intrusions in under one minute
- Perform a full investigation in under 10 minutes
- Eradicate the adversary from the environment in under 60 minutes
Organizations that meet this 1-10-60 benchmark are much more likely to eradicate the adversary before the attack spreads out from its initial entry point, minimizing impact and further escalation. Meeting this challenge requires investment in deep visibility, as well as automated analysis and remediation tools across the enterprise, reducing friction and enabling responders to understand threats and take fast, decisive action.
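To make the 1-10-60 benchmark measurable, a response team needs the timestamps of each stage and a consistent way to score them. The following script is an added illustration, not CrowdStrike’s own tooling; it assumes four timestamps per incident (first adversary activity, detection, end of investigation, eradication) and measures each stage as a consecutive interval starting when the previous stage ends, since the report does not say where each clock starts. The incident records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# 1-10-60 targets in minutes, one per response stage
TARGETS = {"detect": 1, "investigate": 10, "eradicate": 60}

@dataclass(frozen=True)
class Incident:
    name: str
    first_activity: datetime  # earliest adversary activity (e.g. initial execution)
    detected: datetime        # first alert raised to the SOC
    triaged: datetime         # investigation complete: scope and root cause known
    eradicated: datetime      # adversary removed, affected hosts remediated

def parse_incident(record: dict) -> Incident:
    """Build an Incident from a dict of ISO-8601 timestamps (constructed format)."""
    ts = {k: datetime.fromisoformat(record[k]) for k in
          ("first_activity", "detected", "triaged", "eradicated")}
    if not ts["first_activity"] <= ts["detected"] <= ts["triaged"] <= ts["eradicated"]:
        raise ValueError(f"{record['name']}: timestamps out of order")
    return Incident(record["name"], **ts)

def stage_minutes(inc: Incident) -> dict:
    """Duration of each stage in minutes as consecutive intervals (assumption:
    each stage's clock starts when the previous stage ends)."""
    mins = lambda a, b: (b - a) / timedelta(minutes=1)
    return {"detect": mins(inc.first_activity, inc.detected),
            "investigate": mins(inc.detected, inc.triaged),
            "eradicate": mins(inc.triaged, inc.eradicated)}

def evaluate(inc: Incident) -> dict:
    """Per-stage (minutes, met_target) against the 1-10-60 targets."""
    return {stage: (round(m, 1), m < TARGETS[stage])
            for stage, m in stage_minutes(inc).items()}

def meets_1_10_60(inc: Incident) -> bool:
    return all(ok for _, ok in evaluate(inc).values())

# Constructed sample incidents (not real data)
SAMPLE = [
    {"name": "INC-1", "first_activity": "2019-01-14T09:00:00", "detected": "2019-01-14T09:00:40",
     "triaged": "2019-01-14T09:08:00", "eradicated": "2019-01-14T09:45:00"},
    {"name": "INC-2", "first_activity": "2019-01-15T22:10:00", "detected": "2019-01-15T22:10:30",
     "triaged": "2019-01-15T22:35:00", "eradicated": "2019-01-16T01:40:00"},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        inc = parse_incident(rec)
        print(inc.name, "meets 1-10-60" if meets_1_10_60(inc) else "misses", evaluate(inc))
```

Run over a quarter’s closed incidents, the per-stage results show which of the three clocks the team is losing, which is more actionable than a single mean time to respond.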
Look for Partners to Help Fill the Talent Gap
It is tempting for organizations to turn primarily to technology to solve their cybersecurity challenges. Events from 2018 remind us that behind every attack there is a human adversary who is adept at changing TTPs in response to technical controls. Defending against these threats ultimately requires effective, dedicated and capable security professionals. The most talented professionals are hard to find and expensive to keep on staff. Successful enterprises often look outward for help, partnering with best-in-class external solution providers to fill critical talent gaps in a cost-effective manner.