Inside the cyber-attack map, an endless list of threats targets nations
- 69% of respondents in Asia Pacific suffered at least one ransomware attack in the past 12 months
- According to CrowdStrike, eCrime is the most common threat activity, making up about 49% of cyber-attacks
Today’s world depends on technology more than ever. Technology’s development and emergence have improved human existence, but convenience has also increased the risk of cyber-attacks. Currently, there are several prevalent risks on the cyber-attack map, particularly in Asia, including malware, DDoS, and phishing attacks.
To put things into perspective, Asia has continued to experience a rise in cyber-attacks this year. In the first quarter of the year alone, Jakarta, Indonesia, saw more than 11 million attacks, according to Kaspersky research. This figure represented an increase of 22% from the previous year.
Given the significant cyber-attacks in Asia, Tech Wire Asia had the honor of speaking with Mark Goudie, Director of Services, APJ at CrowdStrike, to learn more about the rise of cyber threats in APAC and how businesses can combat increasingly sophisticated cyber threats.
What are the biggest cybersecurity threats in Asia right now? And is the scale of the threats comparable to that in other parts of the world?
There are three types of threat activity we see today:
- eCrime – these are financially motivated attacks carried out by criminal groups
- Targeted – these are state-sponsored intrusion activities that include cyber espionage, state-nexus destruction attacks and generating currency to support a regime
- Hacktivists – Intrusion activity carried out to gain momentum, visibility or publicity for a cause or ideology
When considering these groups, the most prolific is eCrime, accounting for 49% of cyber-attacks, with targeted activity accounting for about 18%, as observed by CrowdStrike in 2021 according to the Global Threat Report.
We also saw a 45% increase in interactive intrusions, an 82% increase in ransomware-related data leaks and observed that 62% of attacks were malware free. From this, we can see that attacks are increasing but they are also becoming a lot more sophisticated in order to evade legacy security solutions such as signature-based antivirus.
Adversaries are also finding more ways to obtain ransom payments through things like lock and leak operations, i.e. using ransomware to encrypt target networks and then threatening to leak victim information via adversary-controlled “dedicated leak sites”.
There are increasing threats to cloud environments as more businesses seek hybrid work environments necessitating a shift to the cloud. When looking at the scale of threats in Asia vs the rest of the world, it’s worth noting that most businesses engage with a complex web of technology vendors and partners who are literally based all over the world. As such, the majority of adversaries are looking to exploit key vulnerabilities within organizations, and not really targeting a specific region.
Data from the CrowdStrike 2021 Global Security Attitude Survey did find that ransomware attacks are continuing to prove effective, with ransomware payments costing APAC organizations an average of US$2.35 million per attack, the highest out of all of the regions surveyed.
In fact, 69% of respondents in Asia Pacific suffered at least one ransomware attack in the past 12 months. Over half (53%) of businesses in the region did not have a comprehensive ransomware defense strategy in place. The other challenge facing businesses in this region is that it’s taking too long to detect, investigate and contain attacks.
On average, respondents in APJ estimated it would take 205 hours to detect a cybersecurity incident. Once detected, it takes organizations 19 hours to contain and remediate.
CrowdStrike encourages organizations to strive to meet the 1-10-60 rule, where security teams demonstrate the ability to detect threats within the first minute of an intrusion, investigate and understand the threat within 10 minutes, and contain and eradicate the threat within 60 minutes.
With the rise of phishing attacks in Asia, why are threat actors carrying out this attack, and what are their motivations? Is it too easy to exploit users with this method?
Successful phishing attacks use a variety of techniques from email to voice to SMS phishing. The motivations are straightforward – to get the recipient to click on a malicious link that will be used to steal important user data such as login credentials or carry out ransomware activities.
Phishing is considered a low-cost method to perpetrate a cyber-attack. From the perspective of an adversary, they can simply trick a potential victim into clicking on a link or sharing sensitive information via voice instead of creating sophisticated methods to break through a complex security system that takes time and money. How they do so is by leveraging social engineering – for example, creating a sense of urgency to achieve success with their phishing attack or by pretending to be a colleague or a government agency.
A successful phishing attack can also bypass many security measures as it focuses more on the human part of the process, and not the technology per se.
VPN is known as the common method for organizations to utilize to protect their employees. Is it enough, though, to stop phishing emails?
VPNs are a common and useful way to authenticate Internet-based users before they gain access to systems containing sensitive data inside the network. Like all security technologies, they need to be configured and maintained properly; however, these are two key areas where some organizations have been caught short. Firstly, the configuration of the VPN must use multi-factor authentication for all user accounts. We have seen many cases where VPNs are only configured for single-factor authentication.
The issue with single-factor authentication is that if the credentials are stolen or are not robust they can be easily used to gain access to the network. Many would be surprised how common this issue can be.
The second issue relates to VPN maintenance. Most of these systems are appliances that have software based on common operating systems such as Linux. Critical vulnerabilities are often discovered in the underlying software and many of these have resulted in credential exposure and authentication bypass exploits. VPNs are not set and forget; they must be properly configured with MFA and have their software maintained with patches.
From our perspective, along with multi-factor authentication there are a number of approaches organizations should adopt to help mitigate phishing attacks:
- Employee awareness training: Employees must be trained to recognize and constantly be on alert for the signs of a phishing attempt, and to report such attempts to the proper corporate security staff.
- Use next-generation anti-virus software: Anti-malware tools scan devices to prevent, detect and remove malware that enters the system through phishing.
- Use an anti-spam filter: Anti-spam filters use pre-defined deny-lists created by expert security engineers to automatically move phishing emails to your junk folder, to protect against human error.
- Use an up-to-date browser and software: Regardless of your system or browser, make sure you are always using the latest version. Companies are constantly patching and updating their solutions to provide stronger defenses against phishing scams, as new and innovative attacks are launched each day.
- Never reply to spam: Responding to phishing emails lets cybercriminals know that your address is active. They will then put your address at the top of their priority lists and retarget you immediately.
How can APAC businesses stay ahead of increasingly sophisticated cyber threats?
Cyber threats are evolving all the time, and businesses must change their view on security to first build up their defense in depth, which highlights intensive security measures to protect the company from cyber-attacks. After all, defense is always better than mitigating the after effects of an actual cyber-attack.
Such a strategy consists of three main focal points: prevention; detection; response – when prevention fails, quick detection in the event of a security breach enables a faster response to the threat. A few steps to take to implement the strategy are:
- Be proactive, and engage in threat hunting and threat intelligence to understand the threats that are out in the wild and to actively hunt for them within your environment.
- Provide security awareness training so employees know the dos and don’ts of accessing the company network.
- Run tabletop exercises to train and educate the response team such that when an incident happens the response is better coordinated.
- Properly maintain, update and configure critical Internet-facing systems such as VPNs so they do not become a weakness in your defenses.
- Have a well-defined security policy that is understood and enforced across the business.
At the same time, organizations need to ensure they have visibility over the network such that threats are not allowed to develop into serious incidents. They should run compromise assessments to identify ongoing or past attacker activity to understand what threats exist or have existed and ensure any vulnerabilities are understood.
Businesses should also have a trusted cybersecurity provider that provides specialist Incident Response services on retainer to enable a rapid response when the worst happens. A retainer can also be used for the ongoing support of a robust security posture by engaging in tabletop exercises, red team exercises, IT hygiene assessments as well as compromise assessments.
Lastly, when in doubt, engage a trusted cybersecurity provider that can support the accomplishment of security objectives.