What are the trends to worry about when it comes to cyberattacks? How can an organisation be ready to fight them? And why does ‘knowing your enemy’ matter?
Ask any good toxicologist about the most potent poison in the world and the answer will somehow boil down to this adage: anything can turn into poison in the right dose. So says Balaji Rao, Country Manager - India & SAARC, Mandiant, a player in the dynamic cyber defence and response space, when he warns about the wrong use of cloud or of new technology investments. He may not be an expert in toxicology, but he can surely smell a bad odour or reaction when it comes to attacks on an organisation’s cyber-immune system. Let’s see what’s mushrooming in this world today.
A lot of studies have come out on what damaged cybersecurity defence last year. But if you were to look ahead, can you see what’s coming?
We see an evolving landscape here. The last few years have not been easy. There has been a lot of exposure and a lot of factors have emerged, especially geo-political factors. The latest Russia-Ukraine situation, and the stance that other countries have taken, remind us of how a war can start with a cyber-attack. We can envisage the unprecedented danger of cyber-threats. I see that cyber-attacks are a very strong weapon, in a global sense, now. It is quite alarming and companies need to be prepared for that.
Are there any new patterns that we need to be wary of?
According to Mandiant Special Report M-Trends 2022, when the initial infection vector was identified, supply chain compromise accounted for 17 per cent of intrusions in 2021. This stood at less than one per cent in 2020. Note that organizations in APAC were notified by an external entity in 76 per cent of intrusions in 2021 compared to 48 per cent of intrusions in 2020. But we also see that the global median dwell time continued to improve in 2021 with organizations now detecting intrusions in three weeks.
Financially motivated intrusions continue to be a mainstay in 2021. The report shows that adversaries were seeking monetary gain in three out of 10 intrusions through methods such as extortion, ransom, payment card theft and illicit transfers. The percentage of financially motivated intrusions dropped to 30 per cent in 2021, however, compared to the 38 per cent of intrusions observed in 2020.
How crucial is data in the current threat ecosystem?
Threat actors put data theft at a priority level as a primary mission objective. In 2021, Mandiant identified data theft in 29 per cent of intrusions. In 32 per cent of intrusions involving data theft (nine per cent of all intrusions) the stolen data was specifically targeted for use as the threat actor’s leverage during negotiations for payment. In 12 per cent of intrusions involving data theft (four per cent of all intrusions) the data theft likely supported intellectual property or espionage end goals.
What about ransomware – is it going up, down or plateauing?
Our report, which gathers data from actual investigations and engagements, has found that the ‘dwell time’ has undergone a massive shift. This is the time window between the entry of an attack vector and the point at which it starts causing havoc. In 2020, the median dwell time was about 76 days in APAC. It came down to 21 days in 2021 and now it could be almost five to six days. That says a lot about the increasing sophistication among attackers. There are even different models of ransomware now, like Ransomware-as-a-Service. So it’s not going down at all. In fact, if anything, enterprises now have less time to react to such attacks. The only way out is a combination of preparedness tactics and simulation of scenarios.
Are Purple teams gaining prominence now, in this scenario? Is a mix of offence and defence the right way to prepare against threats?
What we have seen on the ground is more demand for red team training and a need for simulation drills. When it comes to human skills, there is a huge gap in the industry, especially in deep skill-sets and high-end malware expertise or threat-hunting expertise.
What did we learn that was new from the SolarWinds and Log4j attacks?
The M-Trends report indicates that adversaries frequently leveraged exploits in 2021 with 30 per cent of all intrusions involving exploit activity. In 2021, major vulnerabilities were discovered in products such as Microsoft Exchange, SonicWall’s Email Security (ES) product, Pulse Secure VPN appliances and Apache’s Log4j 2 utility among others. It’s notable how adversaries exploited these vulnerabilities to initiate and further intrusions. Mandiant experts even observed adversaries leverage vulnerabilities to deploy ransomware.
Log4j was an underlying layer, so it could not be detected easily. Mandiant Research could, but most tools in the market could not. That’s the lesson: automate preparedness at a wide and deep level instead of doing point-checks. There is a need for consolidation. One needs a holistic view if one wants to check how well prepared an enterprise is. It’s not just about a single pane of glass. It’s about a larger pane of glass. I see a lot of cloud-security assessments, but the way to make them really work is to make them continuous and holistic.
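The answer above turns on one defensive point: a library that lives several layers below the deployed artifact (a JAR inside a WAR inside an application bundle) is invisible to a check that only looks at the top-level file names, which is why point-checks missed Log4j. The following script is an added example, not Mandiant’s code or any product’s scanner. It contrasts a shallow top-level name check with a recursive scan that opens nested archives and reads the Maven metadata that log4j-core ships with. The sample WAR it builds, and the version string inside it, are constructed placeholders; the recursion depth limit is an assumption chosen so that a malformed or deliberately nested artifact cannot make the scan run forever.

```python
"""Recursive archive scan for a library buried under other layers (log4j-core here).
Added example; not Mandiant's or any product's code."""
import io
import zipfile
from typing import Iterator, List, Tuple

# Archive types we descend into: a WAR can hold JARs, a JAR can hold JARs.
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Maven metadata path that log4j-core ships with, and the lookup class whose
# presence a responder typically wants to know about.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

Finding = Tuple[str, str, bool]  # (nested path, version, JndiLookup present)


def _parse_version(props: bytes) -> str:
    """Pull 'version=' out of a pom.properties file; 'unknown' if absent."""
    for line in props.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return "unknown"


def scan_archive(data: bytes, path: str, depth: int = 0, max_depth: int = 8) -> Iterator[Finding]:
    """Yield one Finding per log4j-core copy, recursing into nested archives.
    max_depth (assumed value) bounds recursion so a hostile or malformed
    artifact built as a zip-in-zip chain cannot keep the scanner busy forever."""
    if depth > max_depth:
        return
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not an archive after all (e.g. a .jar that is really text)
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            yield (path, _parse_version(zf.read(POM_PROPS)), JNDI_CLASS in names)
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                yield from scan_archive(zf.read(name), f"{path}!/{name}", depth + 1, max_depth)


def scan_report(data: bytes, label: str = "artifact") -> List[Finding]:
    """The deep check: every log4j-core copy, however far down it is nested."""
    return list(scan_archive(data, label))


def point_check(data: bytes) -> bool:
    """The shallow 'point check': does any top-level entry name mention log4j-core?"""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any("log4j-core" in name for name in zf.namelist())


def _zip(entries: dict) -> bytes:
    """Build an in-memory zip/jar from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_war() -> bytes:
    """Constructed sample: a WAR whose only log4j-core copy sits two layers down
    (WAR -> uber JAR -> bundled log4j-core JAR). The version string is a
    placeholder, not a real release."""
    log4j_core = _zip({
        POM_PROPS: b"version=2.0.0-constructed-sample\nartifactId=log4j-core\n",
        JNDI_CLASS: b"\xca\xfe\xba\xbe",  # class-file magic only; not real bytecode
    })
    uber_jar = _zip({
        "com/example/App.class": b"\xca\xfe\xba\xbe",
        "lib/log4j-core-sample.jar": log4j_core,
    })
    return _zip({
        "WEB-INF/web.xml": b"<web-app/>",
        "WEB-INF/lib/app-bundle.jar": uber_jar,
    })


def build_clean_jar() -> bytes:
    """Constructed control sample with no log4j-core anywhere."""
    return _zip({"com/example/Main.class": b"\xca\xfe\xba\xbe"})


if __name__ == "__main__":
    war = build_sample_war()
    print("point check says log4j-core present:", point_check(war))
    for path, version, jndi in scan_report(war, "sample.war"):
        print(f"deep scan: {path} version={version} JndiLookup={'yes' if jndi else 'no'}")
```

Run as-is, the point check reports nothing while the deep scan reports the bundled copy with its full nested path, which is the gap the answer describes. In a real inventory the same walk would run over every deployed artifact on a schedule rather than once, matching the "continuous and holistic" point made above.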
Is there anything new in your portfolio, keeping in mind these new worries and trends?
Our basic offerings are incident response services, based on intelligence gathered from the industry and insights that over 300 analysts galvanise by tracking attackers; this is a strong level of threat intelligence. When an attack happens, you need to know the ‘what’ and ‘where’ of it, but also ‘what it could be’ and the ‘modus operandi’ of the attack. That’s where Threat-Intel comes in handy. Our advanced simulation offerings can show not just loopholes in an environment but also whether an attack would be successful or not. This is where organisations can be well prepared about patches, about reconfigurations and about changing security postures in a timely manner. These scans show automatic results on vulnerabilities as well as loopholes due to Shadow IT. This is crucial: while cloud has become an easy choice for employees, an organisation needs to know whether security protocols are being followed or not.
The most important part is security talent. Any customer I speak to today is facing a challenge with the skills part. That’s where we offer Managed Services wherein if you don’t have a skill-set, we can come in and help. For example, we can take care of reducing the ocean of L1 alerts to the L2 and L3 levels so that you can focus on that area. We can also give services for deep-dives.
Why are attackers targeting security companies now, as seen with the CrowdStrike callback phishing incident or the claim by LockBit on the theft of Mandiant data?
There isn’t enough evidence to prove that claim. It is more of a claim with no follow-up evidence, as we have shared earlier.
What’s your advice to enterprises about cyber-security?
Know your enemy. It’s very important, in any battle, to know your adversary well. Test, simulate, validate, use both red and blue teams, and keep a continuous check on your strengths and weaknesses. For example, there is no denying that cloud brings a lot of efficiency, cost savings and elasticity, but it can also lead to exposure. It is an external-facing surface. In India, cloud adoption is fast but more assessments should be done. You need to have your eyes open from a security perspective all the time. Do these checks on a weekly or monthly basis. Today, we are living in an assumed-breach scenario. Nothing is 100 per cent safe. Can you stop an event even a day before, with continuous preparedness? That’s the way to look at it.
Balaji Rao
Country Manager - India & SAARC, Mandiant
By Pratima H
pratimah@cybermedia.co.in