The Security Interviews: Zeki Turedi, field CTO Europe, CrowdStrike

Threat intelligence

Just as the ancient Chinese military general and philosopher Lau Tzu recommended you “know your enemy”, a key element of cyber security is threat intelligence – information concerning current cyber attacks that can be analysed to mitigate cyber security risks.

Digital forensics have become an important part of threat intelligence, as recognising known code and techniques enables security experts to identify suspected perpetrators behind a cyber attack. “Threat intelligence is taking all that knowledge and experience of protecting customers,” explains Turedi. “It’s data based on information from what we’ve been seeing, by having a global presence protecting customers across the globe and responding to incidents.”

In recent years, it has become apparent that anyone can become a target for a cyber attack. Previously, larger businesses would be targeted because of their turnover, but with the widespread availability of hacking tools and malicious services, such as ransomware-as-a-service (RaaS), and the relatively low cost of these, any organisation or individual can now be targeted and held to ransom.

Just as legitimate organisations use their profits to invest in themselves and improve their security posture, so too do OCGs, purchasing new technologies and learning cutting-edge techniques.

OCGs are now using machine learning to partially automate their attacks. Brute force attacks already do this to a lesser extent, by bombarding login portals with common passwords, but now OCGs are using automation to scan networks for known vulnerabilities that can be exploited.

OCGs are like modern-day hydras – when one head is removed, more appear to take its place. OCGs are frequently distributed entities that may coordinate their actions with other OCGs and share the access permissions they have gained.

The international nature of cyber crime is a further challenge that makes it difficult to track down OCGs. Although there has been some success in arresting high-profile criminals, it is unlikely they will ever all be caught.

“A lot of these criminal groups aren’t single groups, they are multiple groups working together,” explains Turedi. “You have one group that develops ransomware-as-a-service, you then have another group that creates another toolset, and a different group altogether that actually puts all the pieces together and targets a certain organisation. We even see separation between groups that will initially target a company and gain access, then sell that access off to another criminal group, who will then do the ransomware and exfiltration.”

Following Covid, there has been an increase in cyber crime. With more people connecting to corporate networks due to remote working, OCGs seized the opportunity to exploit this trend.

“There were quite a lot of opportunities when companies were struggling to sort themselves out after lockdown,” recalls Turedi. “We saw a lot of new criminal groups appear during that time and use that opportunity. We saw them take that reward and reinvest in themselves.”

There has also been a shift in attack methodologies. Just as organisations are now using multi-factor authentication (MFA) to counter the weaknesses in passwords, OCGs are attempting to bypass MFAs. Malicious actors are posing as legitimate employees and contacting helpdesks to divert secondary access permissions and thereby gain access to sensitive networks.

Rapid response

It has been estimated by Turedi and CrowdStrike that on average it can take a malicious actor 79 minutes to move through a system. This has become a critical time for incident response because once the malicious actor is able to jump to another part of the network, the entire network has been compromised.

“The second an adversary is moving laterally through an organisation, they start rapidly crossing the network and it becomes a ‘whack-a-mole’ situation,” says Turedi. “It’s easy to defend an organisation from the world’s best threat actor when they’re on a single device – you can simply shut it down and walk away. You could have the best nation-state [hackers] in the world and be a single responder, but if you can get there quick enough, you can stop them. The second they start moving laterally, that means they’ve got credentials and they’ve got access to the network.”

“The second an adversary is moving laterally through an organisation, they start rapidly crossing the network and it becomes a ‘whack-a-mole’ situation”

Zeki Turedi, CrowdStrike

As such, having a swift incident response time is critical for organisations to prevent a security incident from occurring. Responding while the malicious actor is still contained within the first system means the system can be shut down, blocking the malicious actor from spreading further throughout the corporate network and ensuring it has not been compromised.

Unfortunately, having a dedicated security team with a comprehensive skillset and toolset can be expensive. Investing in security can also divert resources from an organisation’s core service, potentially losing some of its competitive advantages.

One way to circumvent this is by partnering with a security organisation, thus enabling organisations to maintain a robust security posture while still investing in their products or services. Through a security audit, a security partner can identify the core business needs and what is of most value, and how they can be best protected to ensure continued operations.

While the current economic climate may predicate minimising expenditure, partnering with a security company is something that needs to be conducted at the beginning, rather than towards the end of development. With a security partner involved from the outset, they can ensure system architecture is inherently protected and a secure-by-design methodology is followed.

If a security partner is only brought in towards the end of a project, there is only so much security that can be integrated without incurring costly revisions and further extending development time. There may also be core issues within the foundational architecture that mean it is inherently vulnerable to attack.

“Where we have problems is when security is an afterthought. That’s where we end up ‘Sellotape and gluing’. They have gaps that the adversary makes use of,” says Turedi. “When we take security to the beginning, and have that ‘security-first’ mindset, those gaps don’t appear.”

Despite the rising number of OCGs and the prevalent threat of ransomware and phishing scams, Turedi remains confident. Just as OCGs have invested in their cyber attacks, so too have security organisations evolved their protection systems.

Every cyber attack leaves vital information. Digital forensics can gain data for informing their threat analysis. The subsequent insight gleaned from the threat analysis will enable a more robust security posture against future cyber attacks. Being able to rapidly respond to a security incident ensures that it can be contained and not become a security breach.

“We’re up against time when it comes to the more sophisticated threat actors. That time window is really important,” says Turedi. “If we know how quick the adversary is, we now know how quick we need to be. It’s not just about how quick the technology will be, but how quick the internal processes are.”