
All Hands-on Keyboard: Interactive Intrusions Campaigns


C-suites are urgently tabling cybersecurity as an item for discussion. While cybersecurity was once only within the purview of security or IT teams, business leaders can no longer ignore the wide-reaching implications of a cyberattack in today's threat climate. Cyberattacks are no longer simply a business disruption: they carry the risk of significant remediation costs, government-mandated compliance activities, reputational damage, and even class-action lawsuits by impacted parties.

Part of what makes today's threats so concerning is the proliferation of hands-on, also known as "interactive", intrusion techniques. It is important to understand that at the heart of every attack is a human on the other end of the keyboard. Based on research by CrowdStrike, interactive intrusions are defined as malicious activities where an adversary actively interacts with and executes actions on a host to achieve their goals. Unlike automated malware attacks that rely on the mass deployment of scripts and tools, interactive intrusions leverage the ingenuity and problem-solving skills of human adversaries. Human adversaries are able to operate in ways that mirror expected user and administrator activity, making them much harder to detect and defend against using automated, technology-driven detections alone.

Human-driven defences, like continuous threat hunting, are critical in today's threat landscape. Threat hunters are skilled at differentiating between routine activity and malicious behaviours. They use their deep expertise and understanding of threat actor techniques, combined with contextual data and structured methodologies specific to the environment, to identify interactive intrusions that explicitly attempt to evade detections. Threat hunters also closely track changes in the threat landscape to predict and preempt shifts in adversary behaviour, so that they can search for as-yet-unknown threats.

The profile of interactive cyber attacks in 2023

In recent years, cyber adversaries, particularly financially motivated eCrime adversaries, have matured their business practices and developed their skills and tradecraft. This has resulted in a sustained increase in the volume of adversaries using hands-on tactics in pursuit of their objectives, increasing by 50% globally in 2022.

Adversaries have demonstrated agility in adapting to the changing technology landscape, quickly developing cross-platform proficiency and cloud-consciousness. It is not uncommon for OverWatch to observe an adversary move from a Windows to a Linux or Mac device, seamlessly adjusting their command line entries to suit the new system. OverWatch is also seeing, with increasing frequency, adversaries pivoting from traditional IT assets into the cloud after finding unsecured cloud credentials. The impact of these trends is that the threat of interactive cyber attacks is more pervasive than ever, and almost nothing is beyond the reach of a motivated adversary.

It is crucial, however, to dispel the misconception that interactive cyber attacks are perpetrated only by the most highly skilled adversaries, often associated with state-sponsored activity. In reality, the developing ecosystem has opened the door to a whole new class of adversaries. We have seen a recent trend around access-broker activity. In fact, sophisticated eCrime groups have built businesses on the sale of compromised credentials and pre-established access, as well as step-by-step playbooks that enable adversaries of all skill levels to conduct hands-on intrusions.

Many organisations believe themselves to be immune to the threat of interactive intrusions because they do not consider themselves to be a natural target of state-nexus actors. The reality is that any organisation, of any size, in any region can fall victim to an interactive intrusion. OverWatch witnesses this reality daily.

Defend and protect your organisation against faceless enemies

To defend against the surge in interactive intrusions campaigns, organisations need to take a multi-layered approach to cybersecurity.

Unify and deploy critical protections through advanced technologies. This includes threat detection and response technologies, such as endpoint detection and response (EDR), integrated identity threat protection, device management, and continuous monitoring for IT hygiene issues like misconfigurations or unpatched vulnerabilities. Crucially, though, technology alone cannot detect all threats; a human-driven detection capability is essential for uncovering the last 1% of threats that work to evade technology-based defences.

Enlist end users in the fight against interactive threats. End users should receive regular training on effectively recognising and responding to cyber threats. Social engineering remains one of the most common techniques for gaining initial access to victim networks, and adversaries are continually refining their social engineering techniques to increase their success rates.

Some examples that OverWatch has seen recently include: sending highly targeted phishes over social media disguised as job descriptions; adversaries making phone calls directly to victims in what is known as voice phishing or "vishing"; and a spate of attacks using multi-factor authentication (MFA) fatigue, which effectively spams a user with MFA requests until they approve one. Employee cybersecurity training programs should educate employees about both common and less common security risks, promote responsible online behaviour, and outline the steps to take when they believe an attack may be in progress.
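Training is only half of the MFA-fatigue defence; the identity provider's push logs also carry a clear signal. The following is an added example (not code from the article, OverWatch or any CrowdStrike product) that runs a simple sliding-window rule over constructed push-notification log lines: it raises a "burst" alert when a user accumulates several denied or timed-out pushes within ten minutes, and a higher-severity "approved_after_burst" alert when an approval follows such a burst. The log format, thresholds and user names are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format: timestamp user "push" result).
# Not taken from any real identity provider.
SAMPLE_LOG = """\
2023-05-02T08:01:10Z alice push DENIED
2023-05-02T08:01:42Z alice push DENIED
2023-05-02T08:02:05Z alice push TIMEOUT
2023-05-02T08:02:30Z alice push DENIED
2023-05-02T08:03:12Z alice push APPROVED
2023-05-02T08:15:00Z bob push APPROVED
2023-05-02T09:40:00Z bob push DENIED
2023-05-02T09:41:30Z bob push APPROVED
"""

UNANSWERED = ("DENIED", "TIMEOUT")  # results that count as a push the user did not accept


def parse_push_log(text):
    """Parse the constructed log format into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, _kind, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def find_mfa_fatigue(text, window=timedelta(minutes=10), min_unanswered=3):
    """Return alerts as dicts; a 'burst' fires once when the threshold is first
    crossed inside the window, 'approved_after_burst' fires if an approval then
    lands while the burst is still within the window (the fatigue success case)."""
    events = sorted(parse_push_log(text))
    recent = defaultdict(list)  # user -> timestamps of unanswered pushes in window
    alerts = []
    for ts, user, result in events:
        # Expire unanswered pushes that fell out of the sliding window.
        recent[user] = [t for t in recent[user] if ts - t <= window]
        if result in UNANSWERED:
            recent[user].append(ts)
            if len(recent[user]) == min_unanswered:
                alerts.append({"user": user, "time": ts.isoformat(),
                               "unanswered": len(recent[user]), "kind": "burst"})
        elif result == "APPROVED" and len(recent[user]) >= min_unanswered:
            alerts.append({"user": user, "time": ts.isoformat(),
                           "unanswered": len(recent[user]), "kind": "approved_after_burst"})
            recent[user].clear()  # the burst has been consumed; start fresh
    return alerts
```

An "approved_after_burst" alert is the one worth paging on: the user has accepted a push after repeatedly rejecting or ignoring several, which is exactly the outcome the attacker is after, and the session that followed should be treated as suspect until verified with the user.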

Create a robust cloud infrastructure. Organisations can also reduce their overall risk by keeping systems up to date and identifying potential weaknesses before they are exploited. These cyberattacks often expose vulnerabilities in the business's network security architecture, so businesses need a process in place for finding such weaknesses and taking steps to mitigate the risk.

As threat actors become ever more adaptable, advanced and agile in the face of defences, companies today should recognise that substantial assets and value need to be invested in both hardware and software approaches to defending against potential cybersecurity attacks.

There is no time to waste, and it is all hands on deck.

Author

Greg Foss leads an elite team of threat hunters, intrusion researchers, and technical content writers as part of CrowdStrike Falcon OverWatch's 24/7 Managed Threat Hunting service. Foss has worked in varying roles across threat research and security operations throughout his career as a practitioner and leader, having built a security operations program, consulted in offensive security, created detections across varying telemetry, and monitored networks as an analyst. Foss is a seasoned public speaker, having been interviewed across media outlets and delivered presentations at conferences internationally.
