Threat intelligence key to fighting cyber crime, says CrowdStrike

CrowdStrike develops new cyber crime intelligence services by studying the ecosystem and tools that enable criminals to set up and run their cyber attack operations

Threat intelligence about cyber criminals, how they operate and what tools they are using is key to fighting cyber crime, according to security firm CrowdStrike.

“If you understand who they are, what they are after, how they think and what things could affect them, you have a better appreciation of what you can do to defend against them,” said Adam Meyers, vice-president of intelligence at CrowdStrike.

Automation is also key, he told Computer Weekly, because operationalising intelligence is one of the biggest challenges facing security teams.  

“Automation enables organisations to reconfigure their defences quickly in response to intelligence extrapolated from the analysis of various threats,” he said.

Transmitting that intelligence to security systems as soon as it comes in can be crucial, said Meyers, to ensure the opportunity for attackers is kept to a bare minimum.

“Organisations often do not have time to mull over threat intelligence deciding what to do, and automation enables them to be more proactive,” he said.

Automation also enables defenders to focus on what is going on rather than worrying about what they need to do next.

“The organisation that can get through the OODA loop of observe, orient, decide and act quickly is always going to have an advantage because it can act faster, and automation is always going to speed up that process,” said Meyers.

Anti-cyber crime products

In line with this philosophy, CrowdStrike has developed automated anti-cyber crime services aimed at helping organisations to improve defences – particularly against financial cyber attacks. This is in response to a 600% increase in the detection of ransomware through the Falcon Host Platform in the first half of 2016.

This increase demonstrates the popularity of ransomware as the attack of choice for criminal actors, with these threats affecting enterprises of all sizes.

CrowdStrike said dozens of variants of ransomware emerged during that same time period, with each seeking to implement novel features to evade traditional security tools.

Defending against ransomware and other financial threats, such as the Dridex banking Trojan, requires intelligence and security systems that can operationalise that intelligence, said CrowdStrike.

“In addition to the massive uptick in ransomware, we have seen an increase in business email compromise [also known as whaling and CEO fraud],” said Meyers.

“This is where threat actors are understanding what the financial organisation inside businesses of all sizes looks like to create realistic-looking phishing emails to convince people to transfer millions of dollars into their accounts.”

As a result, the security firm has announced that it is expanding its eCrime offerings to support broader, premium subscription options for Falcon Intelligence and threat intelligence customers.

Tiered subscriptions for threat protection

According to Meyers, developing the products was not simply a case of taking CrowdStrike’s threat intelligence service that focused on nation states and converting it into a service for cyber crime.

“In reality, we had to develop a model because threat actors in the cyber criminal world do not behave in the same way as a nation state type of group. We had to invest a lot of time in understanding the cyber criminal space, which is broadly an ecosystem where threat actors are trading code, services and stolen data,” he said.

The tiered subscription offerings will be available in the third quarter of 2016. This will allow customers to choose the option that best meets their needs, gain new capabilities and insights into the entire eCrime adversary ecosystem, and orchestrate detection and response options in a more effective manner, CrowdStrike said.

This means CrowdStrike customers can access automated and integrated eCrime threat intelligence through standard or tiered premium Falcon Intelligence service.

The standard service is aimed at providing tactical threat intelligence for both nation-state actors and cyber criminals.

The Premium Targeted Intrusion option provides tactical, strategic and operational threat intelligence on targeted intrusion adversaries and their campaigns, the eCrime option does the same on cyber criminals and their campaigns, while the third tier is a combination of the two.

“CrowdStrike continues to launch customised offerings that equip customers with the intelligence they need to not only effectively prevent, detect and respond to threats on a daily basis, but also establish more informed long-term security strategies,” said George Kurtz, CrowdStrike’s co-founder and chief executive officer.

“The eCrime packages support the needs of a growing segment of customers, encountering new threats in the face of rising eCrime threat actors.

“Providing new subscription tiers and integrated intelligence in the Falcon API is another step we are taking towards making endpoint protection more simple, accessible and effective for customers.”

Meyers said: “We’ve seen compelling evidence of eCrime actors gaining a strong foothold across many industries and affecting organisations of all sizes and in virtually every vertical.

“Building on previous security research and tracking, we now have expanded our eCrime resources to track its complex global ecosystem, allowing us to be the top source of intelligence on those actors, their tactics, techniques and procedures,” he said.

An example of how this would work, said Meyers, is that CrowdStrike is able to reverse-engineer things such as cyber criminal domain generating algorithms (DGAs), which will enable subscribers to anticipate the domains attackers will use to communicate with their malware and block or sinkhole those domains proactively.
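The workflow Meyers describes, as an added illustration that is not CrowdStrike's code: once a family's generator has been reversed, a defender can enumerate the domains it will produce for the coming days and match DNS logs against that set. The generator here is a constructed, hypothetical date-seeded toy (not any real malware's algorithm), and the log format is an assumption.

```python
"""Precompute DGA domains from a reversed generator and flag DNS queries to them."""
import hashlib
from datetime import date, timedelta

TLDS = ["com", "net", "info"]  # assumed TLD pool for the toy generator


def toy_dga(day_iso: str, seed: str = "example-seed", count: int = 5) -> list[str]:
    """Hypothetical stand-in for a reverse-engineered DGA.

    Each domain is derived deterministically from seed, date and index, so anyone
    holding the recovered seed can enumerate the same set ahead of time.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{day_iso}:{i}".encode()).hexdigest()
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:12])
        domains.append(f"{label}.{TLDS[int(digest[-1], 16) % len(TLDS)]}")
    return domains


def build_blocklist(start_iso: str, days_ahead: int, seed: str = "example-seed") -> set[str]:
    """Enumerate every domain for start date plus the next days_ahead days."""
    start = date.fromisoformat(start_iso)
    block: set[str] = set()
    for n in range(days_ahead + 1):
        block.update(toy_dga((start + timedelta(days=n)).isoformat(), seed))
    return block


def flag_dns_queries(log_lines, blocklist):
    """Return (client_ip, domain) for queries hitting the precomputed set.

    Assumed log format: '<timestamp> <client_ip> query <domain>'. Names are
    lower-cased and the trailing dot stripped before comparison.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue
        name = parts[3].lower().rstrip(".")
        if name in blocklist:
            hits.append((parts[1], name))
    return hits


if __name__ == "__main__":
    blocklist = build_blocklist("2016-07-01", 2)
    sample = [  # constructed sample log: one benign query, one predicted domain
        "2016-07-01T10:00:00 10.0.0.5 query www.example.org",
        f"2016-07-01T10:00:01 10.0.0.7 query {toy_dga('2016-07-02')[0]}",
    ]
    for client, domain in flag_dns_queries(sample, blocklist):
        print(f"client {client} queried predicted DGA domain {domain}")
```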