According to the Global Threat Report 2019[1], 2018 appears to have been very different from the previous year in many respects. While certain high-profile events in 2017, such as WannaCry and NotPetya, were absent in 2018, the headlines were dominated by a series of indictments by the American Attorney General against individuals linked to cybercriminals identified as being in the pay of a number of nation-states. Perhaps because of these public revelations, the ongoing development of tools and changes to techniques, tactics and procedures (TTP) made 2018 a year of transition for many cybercriminals.
Cybercriminals in the pay of nation-states targeted dissidents, regional opponents and foreign powers to collect intelligence for decision-makers: North Korea remained active in the area of cyberwatch collection and the production of currencies. Iran continued to focus on its operations against other Middle Eastern and North African countries, in particular its regional enemies in the Gulf Cooperation Council (GCC). Iranian cybercriminals were also suspected of developing new cell phone malware in order to target dissidents and ethnic minority groups. In China, CrowdStrike observed a significant increase in activities targeting the United States, probably due to the growing tensions between the two countries.
The operations carried out by these cybercriminals include the distribution of crimeware, banking Trojan horses and ransomware, compromising points of sale and spear phishing campaigns. The most significant cybercrime trend in 2018 was the major increase in "big game hunting", which combines advanced, targeted attack techniques using ransomware against major corporations for massive financial gains. Other evidence of the evolution of the eCrime ecosystem was the extensive use of ransomware as service (RAAS).
Last year, the Global Threat Report highlighted a new important indicator: "breakout” time, measuring the speed by which cybercriminals move laterally inside their victim’s environment after the initial breach. The global average propagation time observed by CrowdStrike in 2018 for all breaches and cybercriminals was 4 hours 37 minutes. However, this statistic provides only an incomplete picture of the situation. Although the propagation time is obviously not the only indicator that can be used to determine cybercriminals’ degree of sophistication, it is an interesting way of assessing their operational capabilities. It is also useful for security professionals wishing to assess their average detection, investigation and repair time (known as the “1-10-60 Rule").
This new rule of three must become the standard when it comes to cyber-security. Thanks to CrowdStrike’s next-generation EDR solutions, businesses now benefit from very high speeds allowing them to detect an intrusion within one minute (1), conduct a full investigation in less than ten minutes (10) and expel an intruder from the system under an hour (60). In this way, companies applying it will be able to eject an opponent before it leaves its initial point of entry and starts moving laterally toward its real target inside their network.
1Drafted by Crowdstrike, the Global Threat Report 2019 presents a selective analysis highlighting the most significant cyber threats trends and events for the year 2018.