Interview

Cyber espionage shows no signs of slowing down: Michael Sentonas, CrowdStrike

The bears, pandas, kittens and chollimas are out in the open, and the military top-brass is apprehensive. Michael Sentonas, VP of Technology Strategy at CrowdStrike, gives us a dekko at the cyber espionage threat landscape.

CrowdStrike.png

While Balakot, a quaint little town in Pakistan’s Khyber Pakhtunkhwa province, became the eye of the storm in a global diplomatic tussle, a very different sort of warfare was playing out on the dark side of the web – that of cyber espionage.

The role of cyber in the midst of a conflict situation could have very serious implications, which are not limited to the relatively-harmless defacement of state-owned websites.

Former army top-brass, for instance Lt. General Hooda, in a statement to IANS, said that with critical infra and military installations getting connected through the internet, threats of cyber attacks are becoming increasingly lethal and that India is very much at risk.

To get a read on how serious the problem of cyber espionage is and what can be done to mitigate espionage threats, we speak to a cybersecurity front-runner that processes 1 trillion events a week across 176 countries, thus giving it a holistic and true picture of the threat landscape. 

Michael Sentonas, VP of Technology Strategy at CrowdStrike, in an exclusive interaction with CSO India, reveals that leveraging adversarial AI is one way cyber espionage perpetrators can bypass security products that are reliant exclusively on AI and ML for detection of malware.  

Edited excerpts: 

How serious is the problem of cyber espionage? Could you give a quick run-through of the cyber espionage space?

The problem of cyber espionage continues to show no signs of slowing down despite some recent indictments against several named nation-state actors. In diplomatic channels and the media, several nation-states gave lip-service to curbing their clandestine cyber activities. But behind the scenes, they doubled down on their cyber espionage operations – combining those efforts with further forays into destructive attacks and financially motivated fraud throughout 2018.  

Stealing information and intelligence gathering is the goal of a number of nation-state actors. And every business sector has been targeted including banking and finance, telecommunications, oil and gas through to managed service providers, defence contractors and think tanks to name a few.  

...AI models can determine a file’s “maliciousness” with no previous knowledge of the file, relying instead on analysis of the file’s innate properties. With sufficient quality data available, AI techniques easily outperform traditional signature-based or indicator of compromise (IOC)-based prevention approaches.
Michael Sentonas
VP of Technology Strategy, CrowdStrike

In 2018 we saw some landmark announcements with the US government charging Chinese intelligence officers with conspiring with hackers. The US Justice Department arrested an alleged spy for China's Ministry of State Security on charges of economic espionage and attempting to steal US aviation trade secrets.  

This problem has become a critical concern of a number of governments around the world following ongoing targeted intellectual property and confidential business and technical data theft for unfair competitive advantage.
 
Which sectors or organizations are typically targeted by espionage proliferators?

Every government and organization can be a target of hostile foreign intelligence operations. Over the course of 2018, CrowdStrike Intelligence identified a number of targeted intrusion campaigns by China, Iran and Russia. These were focused on the telecommunications sector that likely supported state-sponsored espionage activities. 

An increasing number of nation-state actors are engaging in intelligence gathering operations and every sector has been and continues to be a target as economic and national security ambitions continue to drive this activity.  

Past examples of targeted sectors include government, defence contractors, think tanks, high tech, education, manufacturing, automotive, aviation, hospitality, media, pharmaceuticals, telecommunications through to the energy sector, transportation, banking and finance, healthcare and more.
 
The US, quite recently, warned its allies about Huawei leveraging 5G to enable cyber attacks and espionage by the Chinese government. What’s your take on this – is the paranoia justified?

“The problem of cyber espionage continues to show no signs of slowing down despite some recent indictments against several named nation-state actors.”

The US along with a number of other countries have cited the potential for espionage as the reason for not using certain technologies. The concern stems around capability to inflict adverse consequences. And like any business risk decision, if a risk cannot be acceptably managed, then it is perfectly acceptable to not accept the risk.  

More recently, further concerns have been raised around vulnerabilities in existing Huawei products, which in some cases have not been fixed despite being previously identified as problems. 
 
With hackers using emerging technologies and leveraging AI, what can organizations do to stay one step ahead in the game?

Attackers will always look to innovate. Leveraging adversarial AI is one way they will look at to bypass security products that are reliant exclusively on AI and ML for detection of malware.  

A significant challenge for businesses is that legacy security technology is too slow to stop cyber attacks in time. In most security scenarios, AI enables capabilities that go far beyond identifying known threats. 

AI models can determine a file’s “maliciousness” with no previous knowledge of the file, relying instead on analysis of the file’s innate properties. With sufficient quality data available, AI techniques easily outperform traditional signature-based or indicator of compromise (IOC)-based prevention approaches, which retroactively seek out artefacts an attacker leaves during a breach.

However, there are many breach scenarios that happen today that require behavioural analysis to isolate threats based on observing the actions taken. 

Consider this: 40 percent of intrusions don’t actually involve any malware, but instead, leverage stolen credentials and living-off-the-land techniques like the use of PowerShell and legitimate Windows tools, which is why you need security solutions that cover the entire threat lifecycle.  
 
With IoT gaining significance, what is the next wave of technology in end-point protection? What can CISOs do to ensure that the entire data path – right from the end-point to the datacenter is protected?

Adversaries will continue to target traditional endpoint technology through to critical infrastructure and in the future IoT devices. Every device and platform needs to be secured, from laptops, workstations, servers, cloud workloads, containers through to mobile devices as an example. 

To stop breaches, it is important to combine domain knowledge of the threat landscape, actionable intelligence, advanced security services and endpoint protection technology. This includes the requirement for visibility, hygiene, threat prevention, application monitoring through to proactive threat hunting combined with threat intelligence.  
 
What sets CrowdStrike Falcon Intelligence and CrowdStrike Falcon OverWatch apart from cyber espionage hunters and other solution providers?

CrowdStrike was established in 2011 as a direct result of the inefficiencies and shortcomings of established products and solutions dominating the cyber market. 

As the only endpoint security solution to be built 100 percent in the cloud, CrowdStrike is able to provide customers fast deployment across users, reduction in friction and costs, and infinite scalability that can grow with an organization of any size.  
A critical component of the CrowdStrike platform is the CrowdStrike Threat Graph, a massively scalable, cloud-based graph database technology processing 1 trillion events a week across 176 countries.  

The CrowdStrike Intelligence team includes an elite team of threat analysts, security researchers, cultural experts and linguists that work together to provide an in-depth and historical understanding of adversaries, their campaigns and their motivations tracking nation-state, eCrime, and hacktivist actors.  

A critical component of the CrowdStrike Falcon platform is Falcon OverWatch. This service is comprised of an elite team of security experts who proactively hunt 24x7, investigate and advise on threat activity in a customer environment providing an additional layer of oversight and analysis to ensure that threats don’t get missed.