Securing the future of the digital ecosystem

Fabio Fratucello, Field CTO Worldwide, Crowdstrike, shares his perspective on the global threat landscape, the rise of industrialised cybercrime, and why a platform-based, Zero Trust strategy is essential.

Punam Singh

In this in-depth conversation, Fabio Fratucello, Field CTO Worldwide, Crowdstrike, shares his perspective on the global threat landscape, the rise of industrialised cybercrime, and why a platform-based, Zero Trust strategy is essential in the age of sophisticated adversaries.

What is your role at CrowdStrike, and what responsibilities does it involve? What innovations are you currently focused on?

I am the Field CTO for CrowdStrike globally. I’ve been with the company for a little over four years. I initially served as the regional CTO for Asia Pacific and Japan. Two years ago, I took on a broader role overseeing the international regions, which include Europe, APJ, the Middle East, Turkey, and Africa. Around eight or nine months ago, I was asked to consolidate the function and take on responsibility for the Americas as well, including Canada, Central and South America.

There were a few reasons for this. One key factor is the increasingly global nature of the threat landscape. Adversaries no longer operate within regional boundaries, and there was a need for us to streamline our function while also being able to deliver globally consistent insights to our customers. My role and that of my team is to spend most of our time in the field, interacting with sales, marketing, PR, and most importantly, with customers and partners. We engage with them on both business and technology challenges, understand what they are trying to achieve, and work on delivering solutions aligned with their risk appetite to ensure safety and resilience.

Given the rapid increase in cyberattacks and the growing complexity of hybrid and multi-cloud environments, how should enterprises rethink their cybersecurity strategies?

The escalation of the threat landscape is evident, with adversaries becoming more sophisticated each year. What stood out to us last year was the way threat actors are now operating like businesses. That’s why, when we released our Global Threat Report, we called it “The Year of the Enterprising Adversary.” These actors have key performance indicators, return-on-investment goals, and they leverage automation, generative AI, and agentic AI to scale and simplify their operations. Unfortunately, their business model revolves around breaching customers.

We are now in an environment with more threat actors than ever before. We discovered several new groups last year and currently track over 240 named threat actor groups globally. Countries like Egypt and Kazakhstan have begun weaponising their cyber capabilities. The speed of attacks has also increased. We monitor what we call “breakout time,” which is the time it takes an adversary to move laterally from the initial point of compromise to another host in the same environment. That time has now dropped to 51 seconds in the fastest cases, with the average being 48 minutes.

These attackers do not limit themselves to a single domain. They typically target endpoint, identity, and cloud infrastructure simultaneously. Their strategy is to overwhelm defenders with as much noise and activity as possible, increasing their chances of success.

The report focused significantly on China. What is the threat scenario like in India, particularly in light of incidents such as the alleged Aadhaar breach? How do you see the cybercrime ecosystem evolving here?

Globally, we are seeing less regional specificity in cyberattacks and more universal patterns. While nation-state actors may target specific countries based on geopolitical interests, many others are financially motivated and operate across the entire digital ecosystem.

India is not immune to these developments. Apart from China, another nation-state actor of concern for Indian businesses is North Korea. They have been particularly active with threat groups like the Cholimas. Their playbook typically starts with social engineering tactics via email, SMS, or even phone calls, impersonating IT help desks and pressuring users to reveal credentials. Once inside, they methodically gather more information to create persistence. If one set of credentials is revoked, they rely on others they have harvested to maintain access.

They then move laterally into core infrastructure and cloud environments, conducting cross-domain attacks. This leads to more sophisticated operations, including data exfiltration and ransomware.

Phishing and voice-based attacks are prominent in the report. Why are these tactics still so effective, especially in cultures accustomed to phone-based customer service?

The prominence of these attacks stems from the accessibility of modern technology. Generative AI has lowered the skill barrier for attackers. One does not need deep technical expertise to craft phishing messages; AI tools can write grammatically correct and emotionally manipulative messages with ease.

These messages are also highly personalised and urgent, increasing their effectiveness. In cybersecurity, we often track click-through rates, which measure how often users interact with phishing attempts. AI-enhanced messages have significantly higher engagement rates.

Previously, language barriers helped in identifying phishing emails because the grammar was often incorrect. Now, attackers can generate fluent messages in any language. This has contributed to the proliferation and success of these attacks across diverse regions and industries.

How large is the cybercrime-as-a-service market? How are threat actors industrialising these operations?

This trend has been growing steadily. Threat actors on the dark web are becoming increasingly specialised. Much like in legitimate business ecosystems, specialisation leads to greater efficiency.

There are groups, for example, known as access brokers, who focus solely on harvesting credentials. They do not always execute full-scale attacks themselves. Instead, they sell these credentials to other groups who then carry out ransomware, data theft, or other malicious activities.

This is especially problematic because possessing valid credentials eliminates the need for attackers to “break in”; they simply log in. From a defensive standpoint, such access is difficult to detect because the activity may appear legitimate.

In light of these developments, how critical is real-time detection and a Zero Trust model for securing enterprise systems?

They are absolutely critical. In any cybersecurity architecture, detection and response capabilities remain core, but predictive and preventive strategies must also be emphasised.

Zero Trust operates on the principle that no identity or device should be inherently trusted. Every access attempt should be validated based on context, device health, user behaviour, location, and more.

For instance, if an identity logs in from India and then immediately from Australia, this is flagged as improbable travel and requires additional scrutiny. Behavioural analytics and out-of-band authentication mechanisms (such as OTPs or authenticator apps) should be used to verify such transactions. This dynamic risk scoring enables security teams to make informed decisions about access in real time.
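The improbable-travel check and dynamic risk scoring described in this answer, as an added illustration that is not CrowdStrike's code: it runs over constructed sign-in events (a Mumbai login followed twenty minutes later by one from Sydney), flags pairs whose implied speed exceeds an assumed airliner ceiling, and folds that finding together with device health and out-of-band MFA into an allow / step-up / deny decision. The speed threshold, score weights and decision cut-offs are assumptions for the example.

```python
import math
from datetime import datetime, timezone

# Constructed sample sign-in events (not real telemetry). Coordinates are
# approximate city centres; the India-then-Australia pair mirrors the interview.
SAMPLE_LOGINS = [
    {"user": "alice", "ts": "2025-01-10T09:00:00Z", "city": "Mumbai", "lat": 19.08, "lon": 72.88},
    {"user": "alice", "ts": "2025-01-10T09:20:00Z", "city": "Sydney", "lat": -33.87, "lon": 151.21},
    {"user": "bob", "ts": "2025-01-10T08:00:00Z", "city": "Mumbai", "lat": 19.08, "lon": 72.88},
    {"user": "bob", "ts": "2025-01-10T10:00:00Z", "city": "Pune", "lat": 18.52, "lon": 73.86},
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (mean Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def improbable_travel(logins, max_speed_kmh=900.0):
    """Flag consecutive sign-ins per user whose implied speed exceeds
    max_speed_kmh (assumed airliner ceiling). Returns one finding per pair."""
    findings, last_seen = [], {}
    for ev in sorted(logins, key=lambda e: (e["user"], parse_ts(e["ts"]))):
        prev = last_seen.get(ev["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (parse_ts(ev["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            speed = km / hours if hours > 0 else math.inf  # same-second logins count as infinite
            if speed > max_speed_kmh:
                findings.append({"user": ev["user"], "from": prev["city"], "to": ev["city"],
                                 "km": round(km), "hours": round(hours, 2), "kmh": round(speed, 1)})
        last_seen[ev["user"]] = ev
    return findings

def access_decision(user, findings, endpoint_healthy, mfa_passed):
    """Toy dynamic risk score combining the signals the interview lists:
    improbable travel, device health and out-of-band MFA. Weights are assumptions."""
    score = 60 if any(f["user"] == user for f in findings) else 0
    score += 0 if endpoint_healthy else 30
    score += 0 if mfa_passed else 20
    return "deny" if score >= 80 else "step-up" if score >= 40 else "allow"

if __name__ == "__main__":
    found = improbable_travel(SAMPLE_LOGINS)
    print(found)
    print("alice:", access_decision("alice", found, endpoint_healthy=True, mfa_passed=False))
```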

How is CrowdStrike using AI to monitor user behaviour and detect malicious activity in identity systems?

Our identity threat protection suite includes capabilities for detection, protection, and just-in-time authentication. We apply machine learning, data science, and behavioural heuristics to model how identities are used.

Regardless of whether an identity resides on-prem or in the cloud, we start by gaining visibility into its configuration. We examine whether identities are human or programmatic, what permissions they hold, and whether credentials are rotating regularly or left static.

We also analyse whether attackers are actively targeting identity systems with techniques such as Kerberoasting or SAML exploitation. This visibility helps us assign dynamic risk scores to each identity based on its behaviour and the health of the endpoint it’s used on. These scores then inform Zero Trust authentication policies.

What integration gaps do you commonly observe in enterprise security stacks? What should leaders prioritise as they reassess their cybersecurity posture?

There is a growing shift from best-of-breed to best-of-suite strategies. Organisations are beginning to appreciate the value of unified platforms. When attackers target multiple domains (endpoints, identity, and cloud) simultaneously, it becomes challenging to respond effectively using siloed tools.

Siloed tools create fragmented telemetry and can obscure the fact that multiple alerts may stem from a single coordinated attack. A platform-based approach consolidates this data, correlates it in real time, and clusters related activities under a unified investigation. This improves prioritisation and accelerates incident response.

Security leaders should rethink their architecture and embrace platforms that integrate detection, response, identity protection, and threat intelligence into a single framework.

The report highlights how breakout times are shrinking. Is it possible to predict attacks before they happen? What role does early warning play in modern cybersecurity?

It is possible, and this area deserves significant attention. While detection and response will remain necessary, prediction and prevention must evolve in parallel.

Threat intelligence plays a foundational role. Understanding adversary behaviour, motivations, and techniques helps organisations anticipate what might happen. Matching external insights, such as attack surface exposure, with internal knowledge of assets, vulnerabilities, and configurations allows for proactive defence.

At CrowdStrike, we use this combined view to generate “paths of attack”—predictive models that show how an adversary is likely to infiltrate a network. By analysing these paths, organisations can identify control points where they can intervene, strengthen defences, and reduce risk.

The report notes that technology and consulting firms are among the most targeted, even more than BFSI. Why is that the case?

Technology and consulting service providers are often targeted because they serve as gateways to multiple other clients. Compromising a service provider can give attackers access to a broader set of victim environments.

The financial sector, especially in countries like India, is subject to rigorous regulatory frameworks. This scrutiny has led to stronger baseline defences, although it should not be seen as a comprehensive solution. Regulations should be viewed as a starting point, not an endpoint. Organisations must go beyond compliance and focus on achieving real operational security.

punams@cybermedia.co.in