How tech companies can slow down spike in breaches: Michael Sentonas, CTO, CrowdStrike
By Michael Sentonas
Tech companies have created the tools we use to build and run businesses, process consumer transactions, communicate with one another, and organize our personal and professional lives. Technology has shaped the modern world as we know it – and our reliance on tech continues to grow.
The tech industry’s importance has not been lost on cybercriminals and nation-state groups, who target tech companies for a variety of reasons: to fulfill strategic, military, and economic goals; to access sensitive corporate data they can hold for ransom or sell on the Dark Web; to compromise supply chains; and much more.
Tech companies are no strangers to cybercrime – they’ve long been targets of adversary activity – but in the past year, these attacks have rapidly increased. Technology was the most targeted vertical for cyber intrusions between July 2021 and June 2022, according to CrowdStrike threat data. This made tech the most popular sector for threat actors during a year when CrowdStrike threat hunters recorded more than 77,000 potential intrusions, or approximately one potential intrusion every seven minutes.
If this sounds familiar, it’s probably because you’ve seen this threat activity in the news – data breaches affecting the technology industry have dominated headlines in 2022. Tech companies of all sizes should be concerned about the potential for adversary activity, because adversaries are often trying to steal data. Let’s take a closer look at the threats that tech companies should be most worried about, what those adversary tactics look like, and how to stop them.
How Today’s Adversaries Target Tech Companies
Enterprises, small to midsize businesses (SMBs), and startups alike must be aware of the threats they face and how to defend against them.
Adversaries are increasingly moving away from malware in an effort to evade detection: CrowdStrike threat data shows malware-free activity accounted for 71% of all detections between July 2021 and June 2022. This shift is partially related to attackers increasingly abusing valid credentials to gain access and maintain persistence (i.e., establish long-term access to systems despite disruptions such as restarts or changed credentials) in IT environments. However, there is another factor: the rate at which new vulnerabilities are being disclosed and the speed with which adversaries can operationalize exploits.
The number of zero-days and newly disclosed vulnerabilities continues to rise year-over-year. CrowdStrike threat data shows more than 20,000 new vulnerabilities reported in 2021 – more than any previous year – and more than 10,000 were reported by the start of June 2022. This is a clear indication this trend is not slowing down.
A closer look at tactics, techniques, and procedures (TTPs) used during intrusions reveals common patterns in adversary activity. When a vulnerability is successfully exploited, it’s routinely followed by the deployment of Web shells (i.e., malicious scripts that enable adversaries to compromise Web servers and launch additional attacks).
What Can Tech Companies Do to Stop Breaches?
The technology industry is challenged to maintain a strong defense against a constantly evolving threat landscape. Today’s attackers are changing their TTPs to be more subtle, to evade detection, and to cause more damage. It’s up to defenders to protect the workloads, identities, and data their business relies on.
There is no one-size-fits-all model for how cybercriminals conduct their attacks, nor is there a single silver bullet for tech companies to defend themselves against every intrusion. However, a closer look at intrusion activity reveals critical areas of focus for IT and security teams. Below are key recommendations:
- Get back to basics: It is paramount that tech companies have the basics of security hygiene in place. This includes deploying a strong patch management program, and ensuring robust user account control and privileged access management to mitigate the effects of compromised credentials.
- Routinely audit remote access services: Adversaries will leverage any pre-existing remote access tooling at their disposal or attempt to install legitimate remote access software in the hope that it evades any automated detections. Regular audits should check to see if the tool is authorized and if the activity falls within an expected timeframe, such as within business hours. Connections made from the same user account to multiple hosts in a short timeframe may be a sign that an adversary has compromised credentials.
- Proactively hunt for threats: Once an adversary breaches a tech company’s defenses, it can be tough to detect them as they quietly collect data, look for sensitive information, or steal credentials. This is where threat hunting comes in. By proactively looking for adversaries in their environment, tech companies can detect attacks earlier and strengthen their security posture.
- Prioritize identity protection: Adversaries are increasingly targeting credentials to breach tech companies. Any user, whether they’re an employee, third-party vendor, or customer, can unknowingly be compromised and provide an attack path for adversaries. Tech companies must authenticate every identity and authorize each request to prevent cyberattacks such as a supply chain attack, ransomware attack, or data breach.
- Don’t forget about threat prevention: For tech companies, threat prevention tools can block cyber threats before they penetrate an environment or before they do damage. Detection and prevention go hand in hand. In order to prevent cyber threats, they must be detected in real-time. The bigger the IT environment, the greater the need for tools that can help with threat detection and prevention.
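The remote-access audit recommended above can be turned into a small, repeatable check. The following is an added example written for this article; it is not CrowdStrike code or tooling. It assumes a simple whitespace-separated connection log (timestamp, user, tool, source IP, destination host), an organization-specific allowlist of approved remote-access tools, 08:00–18:00 business hours, and a threshold of three distinct hosts within ten minutes; all of these are assumptions to be tuned locally, and the log lines are constructed sample data. It flags the three signals the recommendation names: an unapproved tool, activity outside expected hours, and one account fanning out to many hosts in a short window.

```python
"""Audit remote-access connection logs for the three signals described above.

Added example (not CrowdStrike's code). Log format, allowlist, business hours
and thresholds are assumptions; the sample log is constructed, not real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp user tool source_ip destination_host
SAMPLE_LOG = """\
2022-06-01T09:12:03 alice rdp 10.0.0.5 host-01
2022-06-01T09:40:11 alice rdp 10.0.0.5 host-01
2022-06-01T13:05:50 bob anydesk 10.0.0.9 host-07
2022-06-01T02:14:02 carol rdp 10.0.0.12 host-03
2022-06-01T02:15:30 carol rdp 10.0.0.12 host-04
2022-06-01T02:16:41 carol rdp 10.0.0.12 host-05
2022-06-01T02:17:55 carol rdp 10.0.0.12 host-06
"""

AUTHORIZED_TOOLS = {"rdp", "ssh"}   # assumption: the organization's approved tools
BUSINESS_HOURS = (8, 18)            # assumption: 08:00-18:00 local time, end exclusive
SPRAY_WINDOW = timedelta(minutes=10)  # assumption: window for the multi-host check
SPRAY_THRESHOLD = 3                 # assumption: distinct hosts within the window


def parse_log(text):
    """Parse the assumed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, tool, src, dst = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "tool": tool, "src": src, "dst": dst,
        })
    return events


def find_unauthorized_tools(events, authorized=AUTHORIZED_TOOLS):
    """Signal 1: a remote-access tool that is not on the allowlist."""
    return sorted({(e["user"], e["tool"]) for e in events if e["tool"] not in authorized})


def find_off_hours(events, hours=BUSINESS_HOURS):
    """Signal 2: connections outside the expected timeframe."""
    start, end = hours
    return [e for e in events if not (start <= e["ts"].hour < end)]


def find_multi_host_connections(events, window=SPRAY_WINDOW, threshold=SPRAY_THRESHOLD):
    """Signal 3: one account reaching many distinct hosts within a short window.

    Returns {user: sorted list of hosts} for the first window that crosses the threshold.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            # Events are sorted, so everything within the window follows `first`.
            hosts = {e["dst"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(hosts) >= threshold:
                flagged[user] = sorted(hosts)
                break
    return flagged


def audit(text):
    """Run all three checks and return the findings as plain data."""
    events = parse_log(text)
    return {
        "unauthorized_tools": find_unauthorized_tools(events),
        "off_hours": [(e["user"], e["ts"].isoformat()) for e in find_off_hours(events)],
        "multi_host": find_multi_host_connections(events),
    }


if __name__ == "__main__":
    for key, findings in audit(SAMPLE_LOG).items():
        print(key, findings)
```

On the sample data the audit reports bob's use of an unapproved tool, carol's four connections at around 02:00, and carol's fan-out to four hosts within a few minutes; alice, who reconnects to the same host during business hours, is not flagged. The thresholds and allowlist are the parts to adapt to a real environment, and a finding is a prompt for the threat hunting the article describes, not proof of compromise on its own.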
The evolution of cybercrime and nation-state activity shows no signs of slowing down. Tech companies must strengthen their defenses and understand an adversary’s techniques in order to protect their workloads, identities, and data, and keep their organizations running.
The author is Chief Technology Officer at CrowdStrike.