Access brokers help boost cyber crime profits
Roland Daccache, systems engineering manager – META at CrowdStrike. (Photo: Julian Goldswain)
Organisations now face the real risk of double or even triple extortion, with data being leaked and extracted from the environment and used for later extortion after a ransomware attack. In addition, ransomware attackers are demanding ever higher ransoms from their victims, with a 62% rise in average payouts last year.
This is according to Roland Daccache, systems engineering manager – META at CrowdStrike, who was speaking at the ITWeb Security Summit in Sandton this week.
“Cyber attacks today are performed by full time employees who hack for a living, and many new attacks are fileless, or malware free: they exploit vulnerabilities and existing sandboxes and firewalls miss these types of attacks.”
Nation state activity is also picking up among a general tremendous rise in cyber crime, he said. “Year on year, there has been a 400% rise in e-crime activity and as many as 65% of attacks are not reported. So it’s dark and grim out there and what we read in the news is not the whole story,” he said.
Daccache noted that hacking was made easier when criminals had valid accounts to access networks, making stealing valid accounts and selling them a lucrative business. “Identity is the Holy Grail for attackers. On the deep dark web, access brokers are selling credentials on criminal forums and doing the heavy lifting that saves attackers a great deal of time,” he said. “Chances are if you search for your organisation on a criminal forum, some credentials are going to pop up.”
Access brokers play a vital role in the e-crime ecosystem, and are helping spur the rise of cyber crime, he said. Identity compromise at the core of more than 80% of cyberattacks last year, he said.
Daccache noted that it was harder to detect access achieved using valid credentials and legitimate business tools. “62% of attacks are malware free, using existing sets of tools, causing a huge blind spot for organisations,” he said.
Once inside the organisation, attackers were moving faster than ever, he said: “It used to take around 10 hours for lateral movement through the organisation, and it takes less than two hours today. That means you could leave work for the day, and within two hours get a call saying that half of your machines have been encrypted. That’s how efficient the threat actors are.”
Daccache said: “We need to rethink how we spend our cyber security budgets, and focus on what the attackers are after, and what their end goals are. If we’re spending just on firewalls and sandboxes, shiny tools and SIEMs and not focusing on what the attackers are after, we are probably missing the big picture. Organisations need to look at how they secure their identity stores and data, and should not overlook dormant threats in forgotten systems and data.”
“At CrowdStrike, we stand in the shoes of the attacker, look at how attacks are performed, and try to stop them at every stage, starting by hiring some of the best minds in the world and monitoring threat actors and sector risks, and then implementing Zero Trust across the organisation and in the cloud,” he said.