Cybersecurity threats continue to evolve and grow more complex, so organizations must stay current with the latest trends to protect their sensitive data and networks. Identity-based attacks are expected to remain a significant threat, with adversaries increasingly using valid credentials to gain access to networks. The trend of eCriminals using data theft and extortion rather than relying on ransomware alone is also expected to keep growing, leading to more double- and triple-extortion campaigns.
Amol Kulkarni, Chief Product and Engineering Officer at CrowdStrike, spoke to Minu Sirsalewala, Executive Editor – Special Projects at Dataquest, about the critical role of identity protection, the importance of observability in security, and how technology leaders can achieve effective security. Kulkarni also explained why businesses of all sizes in India should have access to enterprise-level cybersecurity to protect against the ever-evolving threat landscape. Through this interaction, we explore these trends in detail and discuss how cybersecurity teams can prepare to face them in 2023.
Amol Kulkarni is a veteran technology leader with over 25 years of experience in the industry. As Chief Product Officer (CPO), his responsibilities include product innovation and vision, which are crucial for many high-tech companies.
During his tenure at CrowdStrike, Kulkarni has led the development and delivery of several innovations, including Falcon Prevent™ next-gen AV, CROWDSTRIKE FALCON® INTELLIGENCE™, Falcon Fusion™, and the CrowdStrike Store.
Excerpts from the interaction.
What are some trends that cybersecurity teams should watch out for this year?
Identity-based attacks are the No. 1 cybersecurity threat facing organizations of all sizes today. Over 80% of cyber incidents involve the misuse of valid credentials to gain access to an organization’s network. These adversaries will break out quickly by compromising identities to move laterally between endpoints and deploy ransomware, achieve business email compromise (BEC) by accessing email infrastructure, or exfiltrate critical data from public cloud infrastructure.
There is growing use by eCriminals of data theft and extortion as a tactic, rather than relying solely on ransomware. This shift is expected to lead to an increase in double or triple extortion tactics, where organizations are repeatedly victimized. CrowdStrike’s 2023 Global Threat Report also highlights the targeting of high-value data in the technology, manufacturing, and financial sectors. According to the report, SLIPPY SPIDER attracted significant attention in early 2022 for targeting technology companies like Microsoft, Nvidia, Okta and Samsung through data theft and extortion.
As adversaries increasingly target cloud environments, the cloud continues to evolve as the new battleground. Cloud exploitation has skyrocketed, with a 95% increase in observed cloud exploitation cases and a 300% increase in observed ‘cloud-conscious’ threat actors over 2021. It is imperative for security teams to have a thorough understanding of, and clear visibility into, their full attack surface. This surface includes all APIs in your environment, including undocumented (shadow) APIs as well as unused/deprecated APIs that have not been disabled. As a result, APIs have proven an extremely valuable target for cyber criminals. On the heels of several recent high-profile API-related incidents, the trend is expected to accelerate into 2023.
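The shadow and unused/deprecated API point above is straightforward to check mechanically. The following is an added example by the editor, not code from the interview or from CrowdStrike: it compares the routes an API claims to expose (an OpenAPI-style path list, constructed here) with the routes that actually answer requests in a web server access log (also constructed), and reports undocumented routes that are live, documented routes nobody calls, and routes marked deprecated that are still serving traffic. The log format, the identifier-normalisation rule and the route names are assumptions.

```python
"""Inventory API attack surface from a documented spec and observed traffic.

Added example (not CrowdStrike code). All routes and log lines are constructed.
"""
import re
from collections import Counter

# Documented routes, as they would appear in an OpenAPI spec (constructed).
# A route marked deprecated is one the team believes has been switched off.
DOCUMENTED = {
    "GET /api/v1/users/{id}": {"deprecated": False},
    "POST /api/v1/orders": {"deprecated": False},
    "GET /api/v1/reports/{id}/export": {"deprecated": False},
    "GET /api/v0/users/{id}": {"deprecated": True},   # old version, believed retired
}

# Constructed access-log lines in common log format; only method, path and status are used.
ACCESS_LOG = """\
10.0.0.5 - - [01/Mar/2023:10:00:01 +0000] "GET /api/v1/users/1042 HTTP/1.1" 200 512
10.0.0.5 - - [01/Mar/2023:10:00:02 +0000] "POST /api/v1/orders HTTP/1.1" 201 88
10.0.0.9 - - [01/Mar/2023:10:00:03 +0000] "GET /api/v0/users/1042 HTTP/1.1" 200 498
10.0.0.9 - - [01/Mar/2023:10:00:04 +0000] "GET /api/internal/debug/config HTTP/1.1" 200 2048
10.0.0.9 - - [01/Mar/2023:10:00:05 +0000] "GET /api/v1/users/1043 HTTP/1.1" 200 510
10.0.0.9 - - [01/Mar/2023:10:00:06 +0000] "GET /api/v1/users/7b5e2c10-2f3d-4f4a-9a1e-0c1d2e3f4a5b HTTP/1.1" 404 31
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def normalise(path: str) -> str:
    """Collapse identifier-like segments to {id} so concrete requests map onto spec routes."""
    path = path.split("?", 1)[0]
    parts = [("{id}" if seg.isdigit() or UUID_RE.match(seg) else seg) for seg in path.split("/")]
    return "/".join(parts)


def observed_routes(log_text: str) -> Counter:
    """Count served requests per normalised 'METHOD /route'; 404s are not part of the live surface."""
    seen = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("status") == "404":
            continue
        seen[f"{m.group('method')} {normalise(m.group('path'))}"] += 1
    return seen


def audit(documented: dict, log_text: str) -> dict:
    """Classify the live surface against the spec."""
    live = observed_routes(log_text)
    shadow = sorted(r for r in live if r not in documented)
    unused = sorted(r for r, meta in documented.items() if r not in live and not meta["deprecated"])
    deprecated_live = sorted(r for r, meta in documented.items() if meta["deprecated"] and r in live)
    return {"shadow": shadow, "unused": unused, "deprecated_but_live": deprecated_live, "hits": dict(live)}


if __name__ == "__main__":
    for kind, routes in audit(DOCUMENTED, ACCESS_LOG).items():
        print(kind, routes)
```

On the constructed log the audit reports one shadow route (the internal debug endpoint), one documented route that is never called (a candidate to disable), and one deprecated route that is still answering with 200, which is exactly the "unused/deprecated APIs that have not been disabled" case. In practice the spec would be loaded from the real OpenAPI document and the normalisation rule extended to whatever identifier formats the API uses.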
Should businesses of all sizes in India have access to enterprise-level cybersecurity?
Small businesses are highly vulnerable to cyberattacks and lack the resources to protect themselves. A CrowdStrike survey found that 63% of SMBs face advanced cyber threats, including ransomware and identity-based attacks. Cyberattacks can cause significant financial pressure and 60% of SMB victims close within 6 months of an attack. SMBs need to be aware of the threats they face and focus on threat prevention rather than just detection. Upgrading defenses and rethinking security strategy is essential to stay safe from advanced adversaries.
The evolution in adversary techniques shows no sign of slowing in 2023, but with limited budgets and staff, it is imperative SMBs make the most of their resources and time to stay toe-to-toe with even the most advanced adversaries. Rethinking security strategy and upgrading defenses now can make a tremendous difference in getting through a cyberattack if – or when – disaster strikes. SMBs should think beyond threat detection to focus on threat prevention as well.
The following best practices can have a tremendous impact on the strength of SMBs’ defenses:
- Educating employees on the types of security threats and social engineering attacks they face at work
- Enforcing multi-factor authentication (MFA) and performing regular backups of critical data
- Regular patching, locking down your cloud environments, implementing and testing your threat detection and response
Can you elaborate on the need for security teams to consider workloads (endpoint and cloud), identities (user and machine) and data as the epicenter of enterprise security risk?
People, processes, and technology have been the core pillars dictating how cybersecurity programs are managed. Organizations need well-trained talent on their staff, trusted processes in place to prevent breaches and respond should they occur, and the latest security technologies to detect and block malicious activity.
Workloads (endpoint and cloud): Adversaries view the cloud as an opportunity to pursue intellectual property theft, data extortion, and ransomware campaigns, among other goals. Common cloud attack vectors include vulnerability exploitation, credential theft, cloud service provider abuse, use of cloud services for malware hosting and command-and-control (C2), and exploitation of misconfigured image containers. As organizations grow and add more endpoints, cloud workloads, and containers, as well as new tools to protect them all, security can quickly become complicated. Security teams should enable runtime protection, obtain real-time visibility and eliminate configuration errors as part of their best practices for securing their assets.
Identities (user and machine): Today’s adversaries use billions of stolen usernames and passwords to slip past legacy defenses and act as legitimate users. Credential-based intrusions against cloud environments are among the more common vectors used in both cybercrime and targeted attacks. As part of their defense strategy, organizations should ensure full deployment of multi-factor authentication (MFA), especially for privileged accounts; disable legacy authentication protocols that don’t support MFA; and track and control privileges and credentials for both users and cloud service administrators.
The importance of data protection: As organizations think about the future of data protection, they should enable cloud workload protection and must have an enterprise-wide understanding of their data assets. Unified visibility of assets, configurations and activity can help detect misconfigurations, vulnerabilities and data security threats, while also providing insights and guided remediation.
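Two of the points in this answer and in the first one lend themselves to a concrete detection: an account using valid credentials to "break out" and move laterally across many hosts in a short window, and successful logons over legacy protocols that cannot carry an MFA challenge. The block below is an added example by the editor, not CrowdStrike's detection logic or any Falcon rule. It runs over constructed JSON-lines authentication events; the event fields, the ten-minute window, the four-host fan-out threshold and the set of protocols treated as legacy are all assumptions to be tuned to a real environment.

```python
"""Detect credential-driven lateral movement and MFA-less legacy logons.

Added example (not CrowdStrike code). Events, thresholds and field names are constructed.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed JSON-lines authentication events, one per logon attempt.
AUTH_EVENTS = """\
{"ts": "2023-03-01T09:00:00Z", "user": "alice", "src": "wks-01", "dst": "fs-01", "result": "success", "proto": "kerberos"}
{"ts": "2023-03-01T09:05:00Z", "user": "alice", "src": "wks-01", "dst": "mail-01", "result": "success", "proto": "kerberos"}
{"ts": "2023-03-01T11:00:00Z", "user": "svc-backup", "src": "wks-17", "dst": "srv-01", "result": "success", "proto": "ntlm"}
{"ts": "2023-03-01T11:01:30Z", "user": "svc-backup", "src": "wks-17", "dst": "srv-02", "result": "success", "proto": "ntlm"}
{"ts": "2023-03-01T11:02:10Z", "user": "svc-backup", "src": "wks-17", "dst": "srv-03", "result": "failure", "proto": "ntlm"}
{"ts": "2023-03-01T11:03:40Z", "user": "svc-backup", "src": "wks-17", "dst": "dc-01", "result": "success", "proto": "ntlm"}
{"ts": "2023-03-01T11:04:05Z", "user": "svc-backup", "src": "wks-17", "dst": "srv-04", "result": "success", "proto": "ntlm"}
{"ts": "2023-03-01T13:30:00Z", "user": "bob", "src": "wks-02", "dst": "fs-01", "result": "success", "proto": "kerberos"}
"""

WINDOW = timedelta(minutes=10)   # assumption: breakout window to watch
FANOUT = 4                        # assumption: distinct hosts inside WINDOW that is abnormal
LEGACY = {"ntlm", "basic"}        # assumption: protocols that cannot carry an MFA challenge


def parse(text):
    """Yield events with the timestamp converted to datetime."""
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield e


def detect_breakout(text, window=WINDOW, fanout=FANOUT):
    """Return {user: (window_start, [hosts])} for accounts whose successful
    logons reach >= fanout distinct destinations inside any sliding window."""
    recent = defaultdict(deque)   # user -> time-ordered deque of (ts, dst) successes
    alerts = {}
    for e in sorted(parse(text), key=lambda ev: ev["ts"]):
        if e["result"] != "success":
            continue  # failures belong to a brute-force rule, not this one
        q = recent[e["user"]]
        q.append((e["ts"], e["dst"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()   # drop successes that fell out of the window
        hosts = sorted({dst for _, dst in q})
        if len(hosts) >= fanout and e["user"] not in alerts:
            alerts[e["user"]] = (q[0][0], hosts)
    return alerts


def legacy_auth_users(text, legacy=LEGACY):
    """Accounts with successful logons over protocols that bypass MFA entirely."""
    return sorted({e["user"] for e in parse(text)
                   if e["result"] == "success" and e["proto"] in legacy})


if __name__ == "__main__":
    for user, (start, hosts) in detect_breakout(AUTH_EVENTS).items():
        print(f"BREAKOUT {user} from {start.isoformat()} -> {hosts}")
    print("legacy auth in use by:", legacy_auth_users(AUTH_EVENTS))
```

On the constructed data the service account is the only one that fans out to four hosts within ten minutes, including a domain controller, and it is also the only one authenticating over NTLM; both findings point at the same credential, which is how an analyst would prioritise it. Failures are deliberately excluded from the fan-out rule so that a noisy scan does not mask a quiet, successful breakout.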
Sophisticated adversaries are exploiting stolen credentials and identities to amplify ransomware big game hunting attacks and infiltrate cloud environments, your thoughts?
The threat of identity-based attacks is growing as organizations expand their use of cloud infrastructure and cloud-based applications and services. It highlights the need for organizations to take strong measures to protect their sensitive data and IT systems. CrowdStrike Intelligence predicts that big game hunting will remain the primary eCrime threat in 2023 and will shift to Ransomware as a Service (RaaS) networks.
Enforcing a strong password policy is an effective strategy for protecting valuable systems and resources. Multi-Factor Authentication (MFA) and the principle of least privilege (POLP) are also important practices for strengthening enterprise security posture. POLP limits access rights based on resources needed to do a job, ensuring only authorized users have permission to access certain systems, applications, data, and other assets. Organizations can implement POLP by monitoring all endpoints, defaulting user access to minimal privileges, separating accounts into higher and lower-level privileges, and regularly auditing access to resources. Regular audits monitor how privileges are delegated and whether they escalate, preventing “privilege creep” and reducing the risk of attacks.
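The audit described above (default to minimal privileges, separate higher- and lower-level accounts, and check regularly whether privileges have escalated) can be reduced to a comparison of what an identity holds against what its role approves and when each right was last used. The block below is an added example by the editor, not CrowdStrike's product logic. The role baseline, the identities, the last-used dates and the 90-day dormancy threshold are all constructed assumptions.

```python
"""Audit entitlements for privilege creep against a least-privilege baseline.

Added example (not CrowdStrike code). All roles, identities and dates are constructed.
"""
from datetime import date

# Approved entitlements per role: the least-privilege baseline (constructed).
ROLE_BASELINE = {
    "developer": {"repo:write", "ci:run"},
    "helpdesk": {"ad:reset-password", "ticket:write"},
    "backup-svc": {"fs:read", "backup:write"},
}
# Rights that should live only in dedicated admin accounts (constructed).
ADMIN_TIER = {"ad:domain-admin", "cloud:owner"}

# Current state: identity -> (role, {entitlement: last-used ISO date or None}); constructed.
CURRENT = {
    "alice": ("developer", {"repo:write": "2023-02-20", "ci:run": "2023-02-27",
                            "cloud:owner": "2022-09-01"}),
    "bob": ("helpdesk", {"ad:reset-password": "2023-02-28", "ticket:write": "2023-02-28",
                         "ad:domain-admin": None}),
    "svc-backup": ("backup-svc", {"fs:read": "2023-02-28", "backup:write": "2022-06-01"}),
}
TODAY = "2023-03-01"   # assumption: audit date


def _days_since(last_used, today):
    """Days since a right was exercised; None when it was never used."""
    if last_used is None:
        return None
    return (date.fromisoformat(today) - date.fromisoformat(last_used)).days


def audit_privileges(current=CURRENT, baseline=ROLE_BASELINE, today=TODAY, dormant_days=90):
    """Return findings per identity:
    creep    - rights held that the role does not approve (escalation since baseline)
    dormant  - approved rights unused for more than dormant_days (remove, re-grant on demand)
    tier_mix - admin-tier rights on an account that also holds day-to-day rights
    Identities with no findings are omitted."""
    findings = {}
    for ident, (role, held) in current.items():
        approved = baseline.get(role, set())
        held_set = set(held)
        creep = sorted(held_set - approved)
        dormant = []
        for priv in sorted(held_set & approved):
            age = _days_since(held[priv], today)
            if age is None or age > dormant_days:
                dormant.append(priv)
        admin_rights = held_set & ADMIN_TIER
        daily_rights = held_set - ADMIN_TIER
        tier_mix = sorted(admin_rights) if admin_rights and daily_rights else []
        if creep or dormant or tier_mix:
            findings[ident] = {"creep": creep, "dormant": dormant, "tier_mix": tier_mix}
    return findings


if __name__ == "__main__":
    for ident, finding in audit_privileges().items():
        print(ident, finding)
```

Run against the constructed data, the audit flags a developer who has accumulated a cloud owner right on her everyday account, a helpdesk user granted domain admin that has never been used, and a service account whose approved write right has been idle for nine months. The tier-mix check fires even when a role baseline approves both kinds of right, because the point of separating accounts is that one compromised credential should not carry both.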
The zero-trust strategy emphasizes the need for stronger enterprise identity and access controls. Why is experience critical to identity protection/use cases?
The modern threat landscape continues to evolve with an increase in attacks leveraging compromised credentials. CrowdStrike’s 2023 threat report shows adversaries are doubling down on stolen credentials, with a 112% year-over-year increase in advertisements for access-broker services identified in the criminal underground. An attacker with compromised credentials too frequently has free rein to move about an organization and carefully plan their attack before they strike.
Identity threat protection technology can segment identities and autonomously enforce risk-based conditional access, reducing risk significantly. Identity protection cannot occur in a vacuum – it is just one aspect of an effective security strategy and works best alongside a zero trust framework. Zero trust requires all users, whether in or outside the organization’s network, to be authenticated, authorized and continuously validated before being granted or maintaining access to applications and data.
CrowdStrike identity protection services deploy Falcon identity protection modules to ensure real-time prevention of identity-based attacks. They also provide an in-depth security assessment of endpoints, identities and Active Directory environments, highlighting major risk areas, identity best practices, and misconfigurations. Employing simple policies and risk-based access controls can greatly enhance the user experience. A unified security platform approach can help protect a company’s network and resources with continuous risk-based verification of user access, extending protection across on-premises, cloud and legacy applications.
We are regularly witnessing how state-sponsored adversaries weaponize vulnerabilities to evade detection and gain access to critical applications and infrastructure. How can we avoid these attacks?
State-sponsored adversaries use modern techniques to gain unauthorized access to critical systems and data, with goals including cyber espionage, state-nexus destruction, and currency generation to support a regime.
CrowdStrike’s 2022 Falcon OverWatch Threat Hunting Report reveals a record 50% year-over-year (YoY) increase of hands-on intrusion attempts, and distinct changes in attack trends and adversary tradecraft. Most notably, Falcon OverWatch threat hunters identified more than 77,000 potential intrusions, or approximately one potential intrusion every seven minutes. The technology sector was the most frequently targeted vertical in which Falcon OverWatch uncovered interactive intrusion activity in 2022. While it is not possible to completely avoid these attacks, there are several steps that can be taken to reduce risk.
- Patch vulnerabilities: Keep all your software up to date with the latest security patches. Attackers often exploit known vulnerabilities to gain access to systems
- Monitor for suspicious activity: Implement monitoring and detection systems to identify suspicious activity and respond quickly to potential attacks
- Limit access: Limit access to critical applications and infrastructure to only those who need it. Implement access controls to prevent unauthorized access
- Train employees: Train employees on cybersecurity best practices and how to identify and report suspicious activity
- Conduct regular security assessments: Conduct regular security assessments to identify and address vulnerabilities in your systems
- Implement a disaster recovery plan: Have a disaster recovery plan in place to quickly recover from attacks and minimize damage
By implementing these steps, one can reduce the risk of being targeted by state-sponsored adversaries and other cybercriminals. However, it is important to note that cybersecurity is an ongoing process, and organizations should regularly review and update security measures to stay ahead of evolving threats.
What is the role of observability in security?
CrowdStrike is driving the convergence of security and observability, bridging the biggest gap between IT and security teams to deliver real-time visibility of the health and performance of their infrastructure and applications. When we acquired Humio in early 2021, we saw the worlds of security and observability converging. Observability focuses on tracking and assessing many types of IT data, enabling customers to “do things that are not just security-related”. We will continue to find solutions that are outside of core endpoint protection and workload protection, but yet related to the IT world.
Built using a unique index-free architecture and advanced compression technology that minimizes hardware requirements, Falcon LogScale (formerly Humio) allows IT teams to aggregate, correlate and search live log data with sub-second latency. This powerful and versatile technology helps eliminate IT system blind spots and identify potential threats faster, all at a lower total cost of ownership than legacy log management platforms. With Falcon LogScale, security teams will be able to operationalize the massive amounts of log and event data that are generated. They will be able to apply powerful analytics to address security use cases, while DevOps and IT teams gain real-time visibility of the health and performance of their infrastructure and applications. Its advanced compression technology and bucket storage save customers up to 70% on compute and storage costs compared to legacy platforms. As a result, Falcon LogScale offers a lower total cost of ownership than legacy platforms, while delivering the power and speed needed in today’s complex IT infrastructures.
If you had to sum up how organizations can protect themselves, your advice?
Cyberattacks are becoming more frequent and sophisticated, posing significant threats to the security of organizations. To protect themselves against cyberattacks, organizations should implement a comprehensive cybersecurity strategy that includes the following measures:
- Gain visibility into your security gaps: An organization is only secure if every asset is protected. As adversaries continue to weaponize and target vulnerabilities, security teams should prioritize visibility and enforcement of IT hygiene across the entire enterprise asset inventory
- Prioritize cloud protection: Adversaries are aggressively targeting cloud infrastructure. Stopping cloud breaches requires agentless capabilities to protect against misconfiguration, control plane and identity based attacks, combined with runtime security that protects cloud workloads
- Strong passwords and multi-factor authentication (MFA): Weak passwords are easy to crack, so employees should be encouraged to create strong passwords and use multi-factor authentication whenever possible
- Prioritize identity protection: Integrated identity protection with tight correlation across endpoints, identity and data is essential. Organizations should find solutions that not only help them extend MFA into legacy and unmanaged systems (both of which are prone to attacks), but also provide immediate detection and real-time prevention of lateral movement, suspicious behavior, misuse of service accounts and more
- Incident response plan: Organizations should have a plan in place to respond quickly and effectively to a cyberattack. This plan should include procedures for reporting the attack, containing the damage, and recovering from the attack
- Invest in employee training: Many cyberattacks occur as a result of employee errors or negligence. Regular training on cybersecurity best practices can help employees understand the risks and how to avoid them
- Regular data backups: Regular software updates and data backups can help organizations recover from a cyberattack quickly and minimize the damage
- Regular risk assessments: Regular risk assessments can help organizations identify and prioritize the most significant risks to their cybersecurity and allocate resources accordingly
By implementing these measures and regularly reviewing and updating their cybersecurity strategy, organizations can significantly reduce their risk of cyberattacks and protect their assets, reputation, and customers from harm.