Why Professional Services Industry Should Take Seriously Cyber Threats


In a rapidly evolving cyber threat landscape, Australian businesses increasingly find themselves in the crosshairs of cyber criminals and state-nexus adversaries alike. Nick Lowe, a Director at CrowdStrike, reflects on the threats facing the professional services industry and why the threat should be taken seriously.

As the Australian Cyber Security Centre 2020-2021 annual report reveals, cybercrime in Australia is only growing more prominent. During the 2020-21 financial year, over 67,500 cybercrime reports were made via ReportCyber, an increase of nearly 13 per cent from the previous financial year. As it stands, one cybercrime report is made approximately every eight minutes in Australia.

Australia’s larger capital centers on the eastern seaboard, where a majority of the Australian population and companies are located, continue to be the main areas for reported cyber security incidents and cybercrime activity. 

Professional services companies are a potentially valuable target for adversaries because many have access to, and store, sensitive information such as their own and third parties' intellectual property, which may have intelligence value or could be readily monetized.

State-nexus adversaries are often well resourced to continually evolve their tooling to evade detection. This creates a challenge for organizations relying only on technology-based defenses searching for known threats.

‘Wicked Panda’ has been one of the most prolific and effective China-based adversaries from the mid-2010s into the 2020s and is known to target professional services firms.


Using several open-source and custom tools, the group can breach a firm’s network, disable or modify its network security controls, and move laterally within it. From there, it can deploy ransomware or steal sensitive information on behalf of another party, depending on the objective of the specific attack.

In CrowdStrike’s recent annual ‘Falcon OverWatch Threat Hunting Report 2021’, evidence was found of an active intrusion by Wicked Panda in the systems of a professional services firm. The group attempted to exploit the firm’s IT environment and execute a malicious payload (but was stopped by the Falcon platform).

Another adversary targeting the industry is known as ‘Prophet Spider’. This group is a prolific access broker: it specialises in breaching networks with the intent to sell that access to others, potentially presenting multiple threats to a single firm. Prophet Spider has earned a reputation for gaining access to firms’ IT environments by compromising vulnerable web servers and then leveraging a variety of unfamiliar tools to achieve its objectives.

Because of the potential for Prophet Spider to on-sell access to any number of other adversaries, falling victim to them opens organizations up to a wide variety of risks including the exposure of valuable information, being impacted by ransomware in the form of either data extortion or data encryption, or even cryptojacking – the unauthorized use of a person’s or organization’s computing resources to mine cryptocurrency.

To comprehensively address these threats, it is not enough just to know they exist – it is critical to have a detailed understanding of the tactics, techniques and procedures that adversaries are employing to compromise victim environments.

Human-driven threat hunting looks for behaviours potentially associated with malicious activity, rather than known markers of malicious activity. It searches for the unknown unknowns that technology on its own cannot. Because of this, threat hunting can identify threats earlier before an adversary can establish a foothold in the environment.
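The contrast drawn above, between matching known markers and looking for behaviour, can be made concrete. The following is an added illustration, not code from the article or from CrowdStrike: it runs two detectors over a handful of constructed process-creation records. The indicator matcher only fires on a catalogued file hash; the behavioural rule fires on the parent-child relationship (a web server or office application launching a command interpreter), so it still catches activity carried out with legitimate, unmodified system binaries that no hash list would ever contain. All host names, image names, hashes and rule names below are constructed for the example.

```python
"""Indicator matching versus behaviour-based hunting over endpoint telemetry.

Added example, not from the original article. Every event, hash and host name
here is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record as an endpoint sensor might report it."""
    host: str
    parent_image: str   # image name of the process that spawned the new one
    image: str          # image name of the new process
    sha256: str         # constructed placeholder, not a real sample hash
    cmdline: str


# Static indicators: hashes of files seen in earlier incidents (constructed).
# Anything recompiled, repacked or simply never seen before is absent by design.
KNOWN_BAD_HASHES: Dict[str, str] = {
    "constructed-hash-0001": "loader observed in a prior engagement",
}

# Behavioural rule inputs: parents that should almost never launch a shell.
WEB_SERVER_PARENTS: Set[str] = {"w3wp.exe", "httpd", "nginx", "tomcat", "java"}
OFFICE_PARENTS: Set[str] = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
COMMAND_INTERPRETERS: Set[str] = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash"}


def match_indicators(events: Iterable[ProcessEvent]) -> List[Tuple[str, str]]:
    """Indicator matching: flags only what has already been catalogued."""
    return [(e.host, "known_bad_hash") for e in events if e.sha256 in KNOWN_BAD_HASHES]


def hunt_behaviours(events: Iterable[ProcessEvent]) -> List[Tuple[str, str]]:
    """Behavioural hunting: flags the relationship between processes.

    The binary's identity is irrelevant here, so renaming or rebuilding it does
    not help an intruder, and use of built-in tools is still visible.
    """
    hits: List[Tuple[str, str]] = []
    for e in events:
        parent, child = e.parent_image.lower(), e.image.lower()
        if child not in COMMAND_INTERPRETERS:
            continue
        if parent in WEB_SERVER_PARENTS:
            hits.append((e.host, "shell_spawned_by_web_server"))
        elif parent in OFFICE_PARENTS:
            hits.append((e.host, "shell_spawned_by_office_app"))
    return hits


def flagged_hosts(events: Iterable[ProcessEvent]) -> Dict[str, Set[str]]:
    """Union of both detectors, keyed by host, for a hunter's review queue."""
    events = list(events)
    queue: Dict[str, Set[str]] = {}
    for host, rule in match_indicators(events) + hunt_behaviours(events):
        queue.setdefault(host, set()).add(rule)
    return queue


# Constructed telemetry. Only ws02 carries a catalogued hash; web01, ws03 and
# web02 use ordinary system shells whose hashes are legitimately benign.
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent("ws01", "explorer.exe", "chrome.exe", "constructed-hash-benign-1", "chrome.exe"),
    ProcessEvent("web01", "w3wp.exe", "cmd.exe", "constructed-hash-benign-2", "cmd.exe /c whoami"),
    ProcessEvent("ws02", "explorer.exe", "updater.exe", "constructed-hash-0001", "updater.exe"),
    ProcessEvent("ws03", "WINWORD.EXE", "powershell.exe", "constructed-hash-benign-3", "powershell.exe"),
    ProcessEvent("web02", "nginx", "sh", "constructed-hash-benign-4", "sh -c id"),
    ProcessEvent("ws04", "explorer.exe", "tool.exe", "constructed-hash-9999", "tool.exe"),
]


if __name__ == "__main__":
    print("indicator hits :", match_indicators(SAMPLE_EVENTS))
    print("behaviour hits :", hunt_behaviours(SAMPLE_EVENTS))
    print("review queue   :", flagged_hosts(SAMPLE_EVENTS))
```

The last record, ws04, is the instructive miss: a binary not yet in any indicator list, launched in an unremarkable way, is flagged by neither detector. That residue is what the article means by the unknown unknowns that only a human hunter, pivoting on context the rules do not encode, is likely to surface.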

There is no silver bullet to combat hands-on eCrime or state-nexus intrusions. Behind every hands-on intrusion there is, by definition, a human: an adversary ready to adapt and pivot to bypass even the most robust and secure technology-based solutions. That is why it is essential that organisations take a holistic approach to cybersecurity, one that augments technology with human threat hunting.

First and foremost, basic security hygiene matters. In the case of the Wicked Panda intrusion, the adversary gained access using a known vulnerability. Ensuring externally facing servers are fully patched can help mitigate against opportunistic attacks. Similarly, strong password policies and the use of multi-factor authentication are critical in the fight against access brokers like Prophet Spider intent on stealing and on-selling access to victim environments.

Further, it is crucial that full endpoint protection is deployed across all endpoints. Adversaries are skilled at mapping victim environments and it is common to see adversaries deliberately operating from endpoints that are inadequately secured. Protecting your most valuable assets requires visibility across all of your assets.

With these sound foundations in place it is vitally important for firms to conduct proactive and continuous threat hunting, whether in-house or outsourced to a trusted provider. The threat landscape continues to evolve as new vulnerabilities emerge and adversaries develop new tooling. Threat hunting looks for the last 1% of intrusions that evade even the most comprehensive technology-based defences.

Cybersecurity breaches are increasing in the professional services industry. If information is compromised through eCrime or a targeted intrusion, it can lead to client mistrust, a damaged corporate reputation, loss of productivity, employee discord and financial repercussions. 

For professional services firms, the stakes are high and adversaries are only becoming more sophisticated as they leverage new tools and methods to inflict damage. Because of this, it’s critical for firms to expect the unexpected and get on the front foot with a proactive approach to defending themselves and their clients.

With a holistic cybersecurity strategy, businesses can remain vigilant and well-equipped to navigate this evolving threat landscape.
