For about six months, a cyber attacker stayed undercover in the network of an organisation in the Asia-Pacific region, choosing to launch a ransomware attack on its victim last October.
During that unusually long dwell time, the organisation had multiple opportunities to spot signs of the intrusion before the ransomware was executed.
Unfortunately, it did not have the people, processes or technology in place to do so, and only uncovered the attack after its systems went offline.
That incident, recounted Mark Goudie, services director at CrowdStrike in Asia-Pacific and Japan, was just one example of how organisations in the region remain ill-equipped to deal with ransomware attacks.
Noting that threat visibility is a “key issue” in the region, Goudie said organisations still rely on a cyber security arsenal built around “knowing what everything bad looks like” to spot threats. Instead, he urged them to look for signs of threat actors already lurking in their networks.
“We need a behavioural based model, which is what CrowdStrike and others are doing, to use for visibility,” said Goudie. That could involve combing security logs to identify signs of credential dumping and other nefarious behaviour – and acting on them.
“It’s not just technology; it’s also people and processes where you’ve got to have trained people and an appropriate process to get an outcome. Those are the key things that a lot of organisations are missing.”
That said, Goudie noted that there is still a place for indicators of compromise (IOCs), whether it is an IP address, a hash or a registry key. “They’re all good, but because threat actors can change so quickly and easily, they should not be the only arrow in your quiver,” he said.
“You need more than that – you need the behavioural detection engine, machine learning, threat hunting and smart people doing smart things because these days, your adversary, more often than not, is a person and not a machine.”
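As an added illustration of the distinction Goudie draws between indicator matching and behavioural detection, the following is example code written for this page, not CrowdStrike's or any product's detection logic. It runs two detectors over a handful of constructed Sysmon-style events: one matches the IOC types he lists (a file hash, an IP address, a registry key), the other looks for what a credential dumper does (a non-system process opening lsass.exe with read rights, or a `reg save` of the SAM hive). The hashes, the 203.0.113.10 address, the file paths, the registry key and the process names are all made up; the event field names follow Sysmon's conventions.

```python
"""Added example: IOC matching versus behavioural detection over constructed
Sysmon-style events. Not CrowdStrike code; every indicator and event below is
hypothetical and exists only to show where the two approaches diverge."""

# Constructed indicators of compromise (hash, C2 address, persistence key).
IOC_SHA256 = {"1f2e3d4c5b6a79887766554433221100" "0011223344556677889900aabbccddee"}
IOC_IPS = {"203.0.113.10"}
IOC_REG_KEYS = {r"hklm\software\microsoft\windows\currentversion\run\updatersvc"}

# Processes that legitimately open lsass.exe with broad rights on Windows.
# This allow-list is where false positives for the LSASS rule are tuned.
LSASS_BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}
PROCESS_VM_READ = 0x0010  # access right needed to read LSASS memory

# Constructed event stream. Sysmon EventIDs: 1=ProcessCreate, 3=NetworkConnect,
# 10=ProcessAccess, 13=RegistryValueSet. Events 3 and 4 model a recompiled,
# renamed dumper whose hash appears on no list.
EVENTS = [
    {"id": 1, "EventID": 1, "Image": r"C:\Tools\mimikatz.exe",
     "Hashes": "SHA256=1F2E3D4C5B6A798877665544332211000011223344556677889900AABBCCDDEE",
     "CommandLine": "mimikatz.exe privilege::debug sekurlsa::logonpasswords"},
    {"id": 2, "EventID": 10, "SourceImage": r"C:\Tools\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"id": 3, "EventID": 1, "Image": r"C:\Users\Public\svchost_update.exe",
     "Hashes": "SHA256=9A8B7C6D5E4F30211223344556677889900AABBCCDDEEFF00112233445566778",
     "CommandLine": "svchost_update.exe -q"},
    {"id": 4, "EventID": 10, "SourceImage": r"C:\Users\Public\svchost_update.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"id": 5, "EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"id": 6, "EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "Hashes": "SHA256=" + "0123456789abcdef" * 4,
     "CommandLine": r"reg save HKLM\SAM C:\Users\Public\sam.hiv"},
    {"id": 7, "EventID": 3, "Image": r"C:\Users\Public\svchost_update.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"id": 8, "EventID": 13, "Image": r"C:\Users\Public\svchost_update.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\UpdaterSvc"},
]


def _sha256(event):
    """Pull the SHA256 out of a Sysmon 'Hashes' field such as 'SHA256=...,MD5=...'."""
    for part in event.get("Hashes", "").split(","):
        if part.upper().startswith("SHA256="):
            return part.split("=", 1)[1].lower()
    return None


def ioc_hits(events):
    """Signature-style detection: fires only on artefacts already on a list."""
    hits = set()
    for e in events:
        if _sha256(e) in IOC_SHA256:
            hits.add(e["id"])
        if e.get("DestinationIp") in IOC_IPS:
            hits.add(e["id"])
        if e.get("TargetObject", "").lower() in IOC_REG_KEYS:
            hits.add(e["id"])
    return hits


def behaviour_hits(events):
    """Behavioural rules for credential dumping: what the process does, not what it is."""
    hits = set()
    for e in events:
        # Rule 1: a process outside the allow-list opens lsass.exe with VM_READ.
        if e["EventID"] == 10 and e["TargetImage"].lower().endswith(r"\lsass.exe"):
            access = int(e["GrantedAccess"], 16)
            if access & PROCESS_VM_READ and e["SourceImage"].lower() not in LSASS_BENIGN_SOURCES:
                hits.add(e["id"])
        # Rule 2: reg.exe saving a hive that holds credential material.
        if e["EventID"] == 1 and e["Image"].lower().endswith(r"\reg.exe"):
            cmd = e.get("CommandLine", "").lower()
            if " save " in cmd and any(h in cmd for h in (r"hklm\sam", r"hklm\security", r"hklm\system")):
                hits.add(e["id"])
    return hits


def triage(events):
    """Per-event verdict as (ioc_matched, behaviour_matched)."""
    ioc, beh = ioc_hits(events), behaviour_hits(events)
    return {e["id"]: (e["id"] in ioc, e["id"] in beh) for e in events}


if __name__ == "__main__":
    for eid, (i, b) in triage(EVENTS).items():
        print(f"event {eid}: ioc={i} behaviour={b}")
```

Event 1 is caught by its hash and event 7 by its destination address, so the IOC list earns its place. But the renamed, recompiled binary in event 3 matches nothing, and only the behavioural rule flags it when it reads LSASS memory in event 4; likewise nothing about `reg.exe` is indicator-worthy until its command line is examined. The allow-list in the LSASS rule is the practical cost of the approach: too short and legitimate system processes page the on-call analyst, too long and it becomes a hiding place, which is why the alert still needs a trained person and a process behind it.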
On supply chain attacks that have intensified in recent years, Goudie urged organisations to scrutinise their suppliers, irrespective of who they are, on their response to cyber threats and how they remediate vulnerabilities.
“That way, you can, as a business, say this is a company that you want to be involved with, and will be trusting their software,” he said.
Sophisticated attacks that challenge conventional security paradigms, such as the SolarWinds incident, are hard to fend off, but organisations stand a chance if they can stay ahead of their adversaries.
Goudie said that under CrowdStrike’s 1/10/60 rule, security teams should aim to detect an intrusion within one minute, understand it within 10 minutes and contain it within 60 minutes.
“Irrespective of what those numbers are, it is a race and races are measured over time,” he said. “So, you’ve got to progress faster than the actor, and hamper them from getting to their objective. If you can slow them down, contain them and then remove them, you are going to win the battle in the long run.”
According to a CrowdStrike survey, organisations in Asia-Pacific continue to face large challenges in detecting and remediating cyber security incidents.
On average, respondents in the region estimated it would take 205 hours to detect a cyber security incident. Once detected, it took them 14 hours to triage, investigate and understand the incident, with an average remediation time of 19 hours.