Advanced Persistent Threat (APT) groups increasingly rely on legitimate credentials to bypass hardened enterprise defenses: CrowdStrike reports that 80% of breaches involve identity compromise and that average breakout time has fallen to 79 minutes, with the fastest observed case at 7 minutes. Organizations therefore need to prioritize identity protection, not just enterprise and perimeter hardening, to defend against sophisticated state-sponsored attacks.
News Desk: Identity Management is Key to Stopping APTs
Becky Bracken: Hi everybody, and welcome back to the Dark Reading News Desk, coming to you live from Black Hat 2023. I'm Becky Bracken, I'm an editor with Dark Reading, and I am here to welcome Adam Meyers, who just got a new title, so you'll excuse me: he is Head of Counter Adversary Operations for CrowdStrike. Thanks for joining us, Adam, I appreciate it.

Adam Meyers: Thanks for having me.

Becky Bracken: All right, we've got a lot to get into. So I know you guys had a new report that came out, but maybe we can do this more geographically. Last year everybody was very focused on APT groups in Russia, what they were doing in Ukraine, and sort of how the cybersecurity community could rally around the citizens there and help them. There seems to have been a pretty sizable shift in the ground since then. Can you give us an update, sort of, of what's happening in Russia now versus maybe a year ago?

Adam Meyers: So I think, you know, leading up to the invasion in February of 2022 there was a lot of concern about a NotPetya-style event where there would potentially be cyber spillover, an unconstrained, self-propagating, ransomware type of disruptive attack. And so, you know, leading into that whole invasion, I think people were really concerned about how that would impact organizations in the West, because remember NotPetya did like 10 billion dollars in damages according to, I think it was the White House said that. So, you know, well-founded concern going into that. And I think what we saw as that started to unfold, that there were some disruptive attacks, but it was generally constrained within Ukraine. After the conflict kind of started really not going the right direction for the Russians, you started to see that they went back to more intel collection, and there were plenty of disruptive wiper-type attacks, but I think the thing that was most significant is that while everybody was focused on what was going on inside of Ukraine and what the various Russian threat actor groups were doing, China was prolifically getting into every single geographic region, every business vertical, and actively collecting on everything from intellectual property, trade negotiations, high-speed rail projects, port projects, like pretty much everything going on, and built a massive collection effort around that.

Becky Bracken: Were they using the Russian invasion as cover while everybody was sort of looking over here? Were they doing that, or was this happening sort of well before that?

Adam Meyers: That's a good question. I think it worked out that it provided that kind of cover, because everybody was so focused on what was happening in Russia and Ukraine, and so it distracted from the kind of steady drumbeat of everybody calling out China for doing the things that they were doing.

Becky Bracken: Russia's motivations... what are Chinese APT groups, what are their motivations, what are they trying to do?

Adam Meyers: So it's a massive collection platform, and they are working to, you know, China has a number of different major programs. They have things like the 14th Five-Year Plan, they have the Made in China 2025 initiative, they have the Belt and Road Initiative, and so they've built all of these different programs in order to grow the economy, to develop the economy in China. Some of the major things that they've targeted are around things like health care. It's the first time that the Chinese are dealing with an increasing middle class, and so preventative health care issues, heart stents, diabetes, cancer treatments, all of that, and they recognize that they're sourcing a lot of that from the West. They don't want to do that, they want to build it there, they want to have domestic equivalent products so they could service their own market and then grow that into the surrounding area, the broader Asia Pacific region, and then even up into Eurasia. And through doing that they build additional influence, they build these ties to these countries where they could start to push Chinese products and Chinese solutions and Chinese programs and projects into those countries, so that when push comes to shove on an issue like Taiwan, or something that they don't like at the United Nations, they could say, hey, you should really vote this way, we would appreciate it.

Becky Bracken: It's really an intelligence and intellectual property game for them.

Adam Meyers: 100 percent.

Becky Bracken: And so what are we sort of going to see in the next few years? Are they going to operationalize this intelligence? Is it already, you know, feeding sort of the intellectual class? But beyond that, what are their goals?

Adam Meyers: It's happening right now, right? And you look at what they've been doing with AI, look at what they've been doing with health care, and various chip manufacturing, right? They source most of their chips externally. They don't want to do that, right? I think they think that people see them as the world's workshop, and they really want to become an innovator, and the way that they're working to do that is by leapfrogging. They steal, through cyber operations, cyber espionage, what is currently state of the art, and then they try to replicate and innovate on top of that.

Becky Bracken: Interesting. Well, okay, so moving from China, now we go over to North Korea, and they are in the business, their APT groups are money makers, right? That's what they're looking to do.

Adam Meyers: Partially, yeah. So there's kind of three pieces of it. One, they certainly service the diplomatic, military, and political intelligence collection process. Two, they also do intellectual property theft. They launched a program called the National Economic Development Strategy, or NEDS, and with that there's kind of six core areas that they focus on, things like energy and mining, agriculture, heavy machinery, all things that are associated with the North Korean economy. They need to raise the, like, the level of what they're doing and raise the lifestyle of the average North Korean citizen. Thirty-three percent or something like that of the country... only 30 percent has access to reliable power, right? So things like renewable energy and ways to kind of get energy to other places are important, so they do intellectual property theft to kind of do that as well. And then revenue generation: they got cut off from the international SWIFT system and international financial economies, and so now they have to find ways to generate revenue. They have something called the third floor, the third office, which generates revenue for the regime and also for the Kim family, and so they do a lot of things, things that are like drugs, fentanyl creation and MDMA and things like that, they do human trafficking, and they also do cybercrime. And so they've been very effective at targeting traditional financials as well as cryptocurrency and kind of fintech-type companies, and we've seen that. One of the things in our report that just came out yesterday shows that the second most targeted vertical last year was financials, which replaced telecoms the year before. So it's making an impact.

Becky Bracken: And is that being driven by the North Koreans in part?

Adam Meyers: Yeah.

Becky Bracken: Interesting. Are they successful?

Adam Meyers: Yeah, they're making tons of money. Billions.

Becky Bracken: Okay, let's pivot, which I guess is sort of the other major pillar of APT action. What's going on there?

Adam Meyers: So we've seen a lot of what we call lock-and-leak operations. They kind of created, in many cases, these fake personas to target their enemies, to go after Israel and the United States and kind of Western countries, and they create these fake personas that will claim to have hacked in. They deploy ransomware. It's not really ransomware, because they don't care about collecting the money necessarily, they just want to cause that disruption, and then they leak sensitive information. All of this meant to delegitimize and to, you know, make people kind of lose faith or belief in the political organizations or the companies that they're targeting. So it's really a disruptive campaign masquerading as Ukraine.

Becky Bracken: It must be so tricky to try to assign motivation behind a lot of these attacks. How do you know that it's just a front for disruption and not, you know, a money-making operation?

Adam Meyers: That's a great question, but it's actually not that difficult, because if you look at what actually happens, right, what transpires: if they're criminal and they're financially motivated, they're going to take payment, that's their primary objective, right? If they don't really seem to care about making the money, NotPetya being an example, and also, you know, the Iranian activity, then, you know, it's pretty obvious to us. We look at the targeting, we look at the infrastructure and the tooling that they use, and then we look at the motive itself, and it's generally pretty clear.

Becky Bracken: Among APT groups, what are some of the, like, attacks du jour? What are they really relying on right now?

Adam Meyers: So we've seen a lot of APT groups going after network-type appliances. There's been a lot of vulnerabilities that have been exposed in various cloud systems and network appliances, things that don't typically have modern endpoint security stacks on them. And it's not just APT groups, we see this tremendously with ransomware groups, which have been thwarted by things like EDR technology, which have made it difficult for them to get in and bring tooling with them. So 80 percent of the attacks are using legitimate credentials to get in. They live off the land, they move laterally from there, and then if they can, in many cases, they're going after the hypervisors in order to try to deploy ransomware to a hypervisor that doesn't support an EDR tool, and then they can whack all of the servers that are running on that hypervisor and put the organization out of business.

Becky Bracken: Unfortunately we're out of time. I would really like to discuss for much... Luckily, what is your prediction? Do you have a Carnac the Great moment for us, where we can... What are we going to be looking at in the APT space, do you think, 12 months from now?

Adam Meyers: Yeah, the APT space has been pretty consistent. I think we'll see them continue to evolve. The vulnerability landscape is really interesting there. If you look at China, for example, effectively any vulnerability research has to go through CNITSEC, which is subordinate to the Ministry of State Security. It would be like if a security researcher here couldn't send that vulnerability to Microsoft, 1,200 vulnerabilities last year, right, and so if it had to send it to CISA, but CISA was subordinate to, you know, the CIA or the NSA. So, and we see those vulnerabilities manifesting all the time now, so it's changed that whole landscape. So I think APT groups continue to do that. They're focused on intelligence collection, that's their primary motive. In some cases there's disruption as well. And then, you know, I think the prediction, the thing everybody needs to be thinking about, is that because of the identity threats that we're seeing, 80 percent of these breaches involve identity. We compute something called the breakout time: how long does it take for an actor to move from an initial foothold into the environment to another system? We shaved off, or they shaved off, another five minutes this year, so we're at 79 minutes. The fastest one we saw was seven minutes. So these actors are moving faster, and the biggest takeaway, I think, is that organizations really need to be investing in identity protection, because that is kind of, you know, we've hardened the enterprise, we've made it difficult for them to operate because of things like EDR, so they took the easier way. Right now they're using legitimate credentials, they're coming in as a legitimate user, and in order to defend against that you need to be protecting the identity, not just the enterprise.

Becky Bracken: Thank you so much, Adam. I so appreciate you stopping by the News Desk to share your insights and your smarts with us. We really appreciate it.

Adam Meyers: Well, thanks for having me. It's always fun.