The threat landscape is changing. Crimeware, a class of malware designed specifically to automate cybercrime, is growing in prevalence. It’s often provided as a service or a pre-made, easy-to-execute kit that hackers can purchase on the Dark Web and use to spread their attacks far and wide. Examples include the rise of ransomware-as-a-service (RaaS) and even types of advanced persistent threats (APTs) that can live undetected within an organization’s network for many months, silently stealing confidential data. These types of automated and sophisticated threats are increasingly being used to attack critical infrastructure and our global supply chains. In fact, in its “2021 Global Risks Report,” the World Economic Forum named Cybersecurity Failure as the fourth most pressing risk facing the world today.
To understand the threat landscape and how these incidents are investigated and responded to, we sat down with Cristina Vatamanu, Senior Team Lead, Forensics & Investigation in the Bitdefender Cyber Threat Intelligence Lab for a Q&A.
Tell us about your role as a cybersecurity forensic investigator. What does the profession entail, and what do you like most about it?
Cristina: In my role at Bitdefender, I work with threat researchers and forensic engineers to investigate targeted attacks against high-profile victims and sophisticated APT attacks carried out by nation-state-sponsored cybercriminal groups. My team and I collaborate closely with law enforcement agencies, providing support and forensic evidence to help them solve cases. We are also working closely with private companies that have reached out to us because they’ve experienced a breach. We help investigate the incidents, providing them answers as to what exactly happened, how the attack was carried out, and what damage has been done. Most importantly, we help them take action to prevent such attacks in the future.
The most exciting aspect of my job is coming to work each day knowing that I’m helping catch bad guys – or at the very least, making their lives much more difficult. One example that comes to mind is the Cobalt Strike threat that has gained prominence in the last few years. Cobalt Strike is a legitimate security tool used in penetration testing. However, it has been co-opted by cybercrime groups and used to compromise thousands of organizations around the world, particularly in the financial sector. We were contacted by multiple financial institutions to help them look for indicators of compromise and investigate whether this type of attack had occurred within their networks. Several turned out to have been victims and they relied on our forensic skills to determine just how much damage had been done in terms of stolen data, financial losses and potential reputational damage.
These types of attacks are becoming both more frequent and more severe. Cybercriminals cause real damage around the world – on critical infrastructure, healthcare systems, supply chains, finances, and more. I’m proud of the work our team does every day to stop them and prevent future attacks from happening.
What do you look for when investigating incidents and analyzing threats?
Cristina: That’s a difficult question to answer succinctly, because there is no simple check list that encompasses everything we look at. We approach every incident as unique, examining not only indicators of compromise and modus operandi, but also taking into consideration the unique qualities of the organization to understand why they might have been targeted and by whom. We analyze their vulnerabilities and risks, look at the forensic clues that have been left by the attackers, and much more in order to piece together the full picture of what happened.
Most importantly, cybersecurity investigations require a lot of training and first-hand experience in the field, to learn how to recognize the subtle details that make a difference in investigations. Every member of our team undergoes extensive training so we can ensure we provide our clients the right answer – and the whole answer – at the end of every investigation.
What does cybersecurity resilience mean to you, and how can organizations achieve it?
Cristina: We’re seeing a growing convergence of crimeware and targeted attacks. With the rise of nation-state-sponsored criminal gangs producing ransomware-as-a-service tools that others use, it’s becoming more difficult to tell crimeware and targeted attacks apart. These trends are also converging with a rise in attacks on supply chains and critical infrastructure. When successful, these attacks can cause tremendous damage, much like we saw in the Colonial Pipeline and Solar Winds attacks.
To become more cyber resilient, organizations must take every possible step to strengthen their security posture and better protect themselves. I recommend they work with third-party experts such as managed detection and response (MDR) providers, pen-testers, and others to assess their current posture, their needs, their vulnerabilities and risk, and determine next steps for shoring up their defenses. Of course, prevention is key, and every organization should aim to prevent breaches from happening in the first place – but sometimes breaches will happen despite your best efforts. In this case, organizations need to make sure they have a thorough response plan in place. Time is of the essence after a breach, and you can minimize damages if you know how to respond quickly when an attack does happen. Having not only strong prevention and detection processes in place, but also a detailed response and remediation plan are both key to cybersecurity resiliency.
October is Cybersecurity Awareness Month. What do you want people to take away from this month?
Cristina: First: change your passwords and make them stronger! We’ve all heard that advice, but it remains true. Weak credentials and credential re-use are still some of the biggest problems out there.
Second: Educate yourself on cybersecurity trends and how to protect yourself and your sensitive data from current threats. We now live in an age where all of our most important assets are digitized – which means we’re all able to be victims of an attack. The more people can learn about cybersecurity best practices in their personal and professional lives, the better the next generation will be at protecting their data and their information on the internet.
This is the fourth installment in our ongoing series about the cybersecurity heroes who power Bitdefender’s research, services and technology solutions.