Austin Murphy, CrowdStrike: “threat actors are getting bolder, stakes are higher”
2021 will likely become the record year for cyberattacks, calling for effective security solutions to tackle cyber threats.
In 2021, the number of breaches has already exceeded the 2020 total, turning cyberattacks into a systemic threat, according to a Forbes report. Ransomware and malware are also accelerating, with a new attack predicted to occur every two seconds. However, these hazards are just the tip of the iceberg.
Austin Murphy, Vice President at CrowdStrike, discussed with us what cyber threats already exist and which are likely to emerge in the near future, and how the company’s cloud-native Falcon platform can help combat them.
CrowdStrike has grown exponentially since its launch in 2011 and is now trusted by many well-known organizations. What were your major milestones along the way?
CrowdStrike has emerged as a leader over the past decade - driven by our scalable, extensible Falcon platform approach that leverages the power of the cloud and stops breaches in a continuously evolving threat landscape.
Our competitive advantage over other security vendors (both legacy and other next-gen providers) is that we developed the first cloud-native security platform and not just another security point solution. Ten years ago, many disagreed with us for sticking to our cloud-native vision, and we now have the most powerful Security Cloud in the industry. Our growth continues on a strong trajectory fueled by our powerful, cloud-native Falcon platform, our ability to stop breaches, and our growing brand that has set the gold standard for cybersecurity.
Customers and analysts alike continue to sing our praises. In fact, CrowdStrike earned a Leader position in the 2021 Gartner Magic Quadrant for Endpoint Protection Platforms and positioned furthest to the right. We also received the highest score for “Lean Forward” Organizations in the 2021 Gartner Critical Capabilities for Endpoint Protection Platforms Report, and we were also named a Leader in Endpoint Security Software as a Service in The Forrester Wave Q2 2021 report, receiving the highest scores possible within 17 criteria in the report. In 10 years, CrowdStrike has become the gold standard in modern cybersecurity solutions, establishing ourselves as the Salesforce of security with a platform that is powered by cloud-scale AI and threat data at scale.
You have been providing incident response over the years. Can you share some of the cases that stood out the most?
Organizations often lack the in-house skills to develop or execute an effective incident response plan on their own. If they are lucky enough to have a dedicated team, they are likely overwhelmed by tons of false positives from their automated detection systems or are too busy handling existing tasks to keep up with the latest threats.
CrowdStrike Professional Services teams work closely with organizations to develop IR plans tailored to their team’s structure and capabilities, helping customers improve their incident response operations by standardizing and streamlining the process. We also work with customers to battle-test their playbooks with exercises like penetration testing, red team/blue team exercises, and adversary emulation scenarios. Keeping our customers’ data secure is of the utmost importance, and that’s why we can’t really get into specifics surrounding customers - we need to protect their privacy in the hopes they are not targeted again.
In your opinion, what type of cyber threats should organizations, as well as individual users, be prepared to deal with in the near future?
The quickly increasing rate and size of ransomware attacks are definitely some of the most pressing risks. Today’s threat environment highlights the need for organizations around the world to transform their security and prioritize a modern cybersecurity strategy in order to protect their digital assets, identities and core infrastructure. This is something CrowdStrike has been talking about for years and one of the reasons we were founded.
High-profile breaches and vulnerabilities like RNC, Kaseya, Sunburst, Pipeline and infrastructure attacks and Zero Day vulnerabilities in Microsoft Exchange are only the tip of the iceberg. Threat actors are well resourced and becoming more sophisticated. Ransomware attacks have become a big business for hackers, who find relatively unsophisticated ways into companies’ networks through phishing or other methods. Organizations must understand that these headlines are no longer warnings but a reality of what is in their future if they have not established a mature cybersecurity strategy.
This year alone, CrowdStrike has observed:
- 1,161 Big Game Hunting incidents (targeted enterprise ransomware) so far, with about 45 targeted ransomware events per week.
- $164M in ransom demands with an average cost of $6.3M.
- As of late September, we observed in our malware feed 159 samples tied to big game hunting and ransomware operations.
How did the pandemic change the nature of cyberattacks? Did you add any new services to combat emerging threats?
The pandemic has not only impacted the global economy, but has also generated more opportunities for cyber adversaries. Cybersecurity is a necessity and remains mission-critical to organizations as it provides business resiliency and is vital for the continuity of operations.
One of the impacts of our global pandemic was that in-person payment card transactions decreased. As a result, we observed some threat actors that previously focused on the theft of PCI data from retail POS terminals shift towards ransomware operations.
With companies now dealing with workforces outside of the office, the threat landscape for organizations has grown exponentially. We continue to hear from customers that avoiding a breach is more important now than ever before. Amid the pandemic, a breach could be the final nail in the coffin for their business. Because CrowdStrike’s Falcon platform is cloud-native and requires no physical infrastructure, it allows customers to easily and remotely deploy, manage and protect their workloads at scale wherever their employees are located. This makes the Falcon platform an indispensable tool in combating threats in today’s work environment.
Before the pandemic, we saw significant momentum toward the cloud. During and post-pandemic, it is nothing short of a stampede, and this will continue for a while. Some estimates suggest the move to the cloud was accelerated by four or five years due to COVID-19, which means an increase in remote access, security holes, vulnerabilities, threats, and attacks. It’s not that CrowdStrike technology is merely more relevant today -- it is now essential. Some experts say today’s security environment post-pandemic is the new normal. To me, that just signals a kind of complacency. We’re in a new normal until something shakes it up, and we’re forced to adapt again. For us, it’s never the new normal, but the next normal. We know that “normal” is very transactional and temporary. This is why our adaptable, practically organic platform is so vital. We scale as the threats scale, making CrowdStrike that much more effective.
Recently, there has been a lot of discussion around state-sponsored cyberattacks. How are they different?
Nation-state adversaries remain active while taking advantage of global issues spilling into cyberspace. We see activity from sophisticated nation-state threats coming out of Russia, China, North Korea, and Iran on a daily basis. In particular, the telecommunications industry continues to be a popular target for the nation-states, specifically China. Nation-state actors tend to continually evolve their tactics, techniques, and procedures (TTPs) to evade detection, and many have customized their toolsets to remain veiled in the networks of many industries. Additionally, there is an increasing blurring of the lines between nation-state and eCrime actors, so it’s essential to employ technology that can thwart attacks swiftly.
You often emphasize the importance of proactive threat hunting. Can you briefly describe this practice?
Proactive threat hunting is the practice of proactively searching for cyber threats that are lurking undetected in a network 24/7/365. Managed threat hunting digs deep to find malicious actors in an environment who have slipped past the initial endpoint security defenses. This practice can prevent or rapidly detect and remediate intrusions.
The process of proactive cyber threat hunting can be typically summed up via our SEARCH methodology:
- Sense: Threat hunting starts with collecting data. Broad and deep telemetry that captures a wide range of activity and behaviors gives hunters the pool of information that will serve as the foundation for the team’s threat hunting efforts.
- Enrich: Data alone is merely the starting point. Without context, having a massive pool of raw security data can be more of a hindrance than a help. Putting data in context enables hunters to extract insights from their data sets quickly and efficiently.
- Analyze: With the foundation in place, effective threat hunting can begin. Threat hunting involves diving into this enriched data, leveraging statistical methods combined with human intuition and experience to form and test hypotheses around where and how a determined attacker might gain a foothold. To do this effectively requires analysts who have the ability to think like a sophisticated attacker and then simultaneously form ideas of how a defender might counter. In many ways, it can be like playing chess against yourself.
- Reconstruct: Of course, simply identifying a threat is not the final goal of threat hunting; a good deal of work remains in order to give a responder the information they need to take action. To understand the full scope of the intrusion, it must be reconstructed from the supporting data. Doing effective reconstruction requires threat hunters to ask themselves a series of questions (When did this start? How far did it spread? What damage was done? What users were involved?), and to get answers in real time. It also requires a system to gather and connect that data into a cohesive picture, stitching all the pieces of the intrusion together into a single attack narrative.
- Communicate: Once the scope of the intrusion is understood and documented, it’s time to take action. Generally speaking, the threat hunting team sounds the alarm on intrusions that need to be handled, but are not themselves responsible for the work of incident response. That work falls to others in the SOC, yet all this hard work is wasted if these individuals don’t get all the information and supporting context they need in time to act and prevent a breach.
- Hone: Smart organizations realize that every successful threat hunt represents an opportunity to learn and improve. New and novel TTPs that are discovered during threat hunts highlight areas where automated detection techniques can be improved to detect, and ideally prevent, intrusions more quickly and effectively. Hunts that took minutes may be streamlined to take seconds next time.
True security in the face of cyberattacks is much more than IT hygiene and checking a compliance box. True security is proactive security - which is achieved by learning from threats against you and other organizations at the same time and in real-time. Proactive security requires additional support from external partners and the ability to leverage capabilities that detect hands-on attack measures as the attack is happening.
Besides providing various security solutions, you also specialize in ransomware. What are the key best practices to prevent these attacks?
Ransomware-as-a-service is changing the game. Threat actors are getting bolder, stakes are higher, ransom costs and extortions are growing exponentially. The CrowdStrike Falcon Platform is the leading endpoint protection solution that unifies the intelligence, technology and expertise needed to successfully stop ransomware.
With the rising threat of ransomware attacks, now is the time to ensure that every organization invests in a cloud-native, always-on cybersecurity platform. Speed is the name of the game - for both the offense and the defense. And when you don’t have the resources or tooling to operate with speed, then lean on a partner with the depth and breadth of knowledge and experience to deploy the 1:10:60 rule: one minute to detect, ten minutes to investigate, and sixty minutes to remediate. The outcomes achieved by this benchmark can only be reached if you’re able to clearly see the entire picture, understanding the full context of how local attacks fit in against the broader global threat landscape.
CrowdStrike’s Falcon platform is proven to stop ransomware. We follow four steps to ensure that we can see and stop even the stealthiest of attacks - Prevent, Detect, Respond, and Predict.
- The Falcon platform prevents ransomware in real-time by harnessing the power of cloud-scale AI and a massive data set of 6 trillion events per week.
- Falcon detects and identifies ransomware behaviors with indicators of attack and stops the rapid encryption of files before it takes hold.
- We are always prepared to respond to ransomware attacks, with CrowdStrike’s seasoned security experts standing by to assist.
- Our platform is able to predict and understand the adversary to know what to look for and anticipate the next serious threat.
Which cybersecurity solutions do you see trending in 2022?
Everyone seems to be talking about Extended Detection and Response (XDR), but there is also a lot of confusion and misrepresentation used within the industry when touching on XDR. Complete XDR must be built on the foundation of EDR, enriching EDR data with the most relevant telemetry from vendor-specific security data to enable enterprise-wide threat detection, investigation, response, and hunting across the entire enterprise security stack. A lot of other vendors in the space aren’t doing true XDR but are claiming they are. We just introduced our own XDR module that solves the fundamental big data challenges of XDR and provides complete visibility and unmatched protection across the enterprise - this provides massive benefits so our customers are empowered with advanced threat detection that you can’t find anywhere else on the market.
And finally, what’s next for CrowdStrike?
CrowdStrike aims to continue building out our platform and its various modules to provide our customers with the most comprehensive solutions on the market. CrowdStrike has grown rapidly over the past few years, but we have not lost sight of our mission - to stop breaches and protect our customers.