Adapting to the Threat Landscape in Southeast Asia
This article examines potential cyber threats in Southeast Asia and explores how MDR can provide 24/7 protection against attackers.
The Evolution of the Threat Landscape
According to a report published by the International Cybersecurity Dialogue (ICD) in October 2022, Southeast Asia faces a significant increase in cyber threats, mainly due to the rapid digitalization and adoption of emerging technologies such as cloud computing.
The report highlights that cybercriminals in the region are using advanced techniques such as ransomware, phishing, and distributed denial-of-service (DDoS) attacks to target individuals, businesses, and government organizations. The COVID-19 pandemic has also contributed to the rise of cyber threats as more people work remotely, increasing vulnerabilities and attack surfaces.
The IBM X-Force Threat Intelligence Index 2023 highlights that Asia-Pacific was the most attacked region in 2022, and that the Philippines was the second most attacked country in APAC.
Top Three Targets: Manufacturing, Finance and Insurance
The report notes that manufacturing tops the list of attacked industries in this region with 48% of cases, with finance and insurance a distant second at 18%. Spear phishing by attachment was the top infection vector at 40% across the region, followed by exploitation of public-facing applications at 22%. External remote services and spear phishing links tied for third place at 12% each. Backdoor deployment was the most common action on objective, seen in 31% of cases in the region; ransomware placed second at 13%, and malicious documents third at 10%.
Significant Reduction in Breakout Time
Another notable finding across several reports is the sharp decrease in average breakout time. An IBM Security X-Force study revealed a 94% reduction in the average time to deploy a ransomware attack: what took attackers over two months in 2019 took just under four days in 2021. CrowdStrike reported that the average breakout time for interactive eCrime intrusion activity declined from 98 minutes in 2021 to 84 minutes in 2022. Microsoft also noted in its Digital Defense Report 2022 that the median time for attackers to reach a phishing victim’s sensitive data is about 62 minutes, and only 108 minutes to begin lateral movement inside the target’s infrastructure.
The Rise of Malware-free Tactics
Taking a closer look at the Tactics, Techniques, and Procedures (TTPs) associated with recent breaches, a trend highlighted by CrowdStrike emerges: the rise of malware-free tactics and cloud-conscious TTPs.
“CrowdStrike intelligence saw actors shift away from the deactivation of antivirus and firewall technologies, as well as from log-tampering efforts. Instead, they were observed seeking ways to modify authentication processes and attack identities.”
Microsoft noted that credential phishing schemes are also on the rise and threaten users everywhere, as attackers target all organizations indiscriminately. Microsoft also noted that the most common ransomware techniques are the use of admin tools (75%), the use of compromised accounts with elevated privileges to spread malicious payloads over SMB (75%), and attempts to tamper with discovered security products using built-in OS tools (99%).
The Aggravating Factor: Talent Shortage
Overall, the threat landscape in Southeast Asia is of significant concern and requires significant action. To make matters worse, Southeast Asia has the widest talent shortage of any region, which has led to a significant gap in cybersecurity awareness and preparedness across the region.
To recap: a rising level of cyber risk, the most targeted region globally, new techniques and tactics used by attackers, shorter dwell times, and a lack of trained professionals.
“A global cybersecurity talent shortage means that IT leaders often have little choice but to do business with third-party service partners,” wrote McKinsey in its report.
Service Partners as your First Line of Defense
It is important to establish which types of partners and services companies should prioritize. At any time, the first line of defense against cyber threats is detection and response. You can have well-defined policies and procedures, but in the event that someone clicks on a phishing link, your only hope may be access to online detection and response services staffed by qualified professionals capable of effectively managing a breach. This service is known as MDR (Managed Detection and Response).
24/7 Threat Detection and Response
Managed Detection and Response (MDR) services are a type of cybersecurity service that provides continuous monitoring, detection, and response to cyber threats. MDR services combine human expertise and advanced technology to detect and respond to security incidents in real time. They offer a turnkey experience using a predefined technology stack that commonly covers endpoint, network, logs, and cloud. Telemetry is analyzed within the provider’s platform using a range of techniques. MDR services typically include the following components:
- A provider-operated technology stack that enables and coordinates real-time threat detection, investigation, and active mitigating response. Whether the MDR provider develops this stack itself, integrates a set of commercial technologies that exchange data and instructions through modern interfaces (such as APIs), or combines both approaches, the result is a single integrated platform.
- Staff who engage daily with individual customer data and have skills and expertise in threat monitoring, detection, hunting, threat intelligence (TI), and incident response.
- Alarm monitoring and triage
- Notification of incidents with an assigned priority
- Incident response (active or passive)
- Incident investigation
- Development of recommendations for future incident prevention
- False-positive rate reduction
- Threat hunting and retrospective analysis
- Custom detection development
- EDR platform management
- New agent deployment and onboarding
- Regular reporting
Optional services can include:
- Digital forensics and incident response
- Vulnerability and attack surface management
- Penetration testing
- Threat intelligence feeds and analytics
- Purple Teaming
Three Types of MDR Architectures
Regarding the infrastructure used to deliver MDR services, there are three central architecture designs. First, providers can use cloud-based infrastructure to deliver MDR services; CrowdStrike Falcon and Microsoft Defender for Endpoint are good examples of SaaS products often used for this. Second, managed service providers can use their own internal infrastructure; such providers usually build it around a well-known SIEM product such as IBM QRadar or Splunk. Finally, external service providers can manage customer-owned on-prem infrastructure for customers with specific needs, for example government agencies.
From Raw Data to Enriched Alarms
Regardless of which MDR infrastructure architecture is used, it typically operates in the same way. Telemetry from the organization’s infrastructure (such as Windows event logs, antivirus and firewall logs, and cloud security events) flows into the MDR provider’s infrastructure. There, automated threat detection runs using methodologies such as machine learning, correlation rules, pattern matching, and threat hunting queries, and alarms are triggered.
Proficient MDR team members then triage each alarm to determine whether it is a genuine attack or a false positive. If there is not enough information to make a justified decision, the MDR team asks the customer’s responsible contact. If the MDR team concludes that the alarm is a sign of an actual attack, they begin an immediate response. This response can range from informing the customer’s point of contact to active actions, including blocking an account, resetting sessions, or placing an endpoint in quarantine. Afterwards, the investigation takes place: the MDR team tries to determine the root cause of the breach, provides recommendations for remediation, and develops plans for future prevention.
Proactive Threat Hunting
MDR teams also threat hunt regularly, looking for signs of compromise in previously stored data. They use indicators of compromise (IOCs) such as IP addresses, file hashes, or domain names.
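The detection-and-triage flow described under "From Raw Data to Enriched Alarms" and the IOC-based retrospective hunting above, reduced to a runnable sketch. This is an added example, not code from any MDR provider or product named in the article; the JSON-lines telemetry, the correlation rule (five failed logons followed by a success from the same user and source IP within five minutes), the IOC list, and the triage labels are all constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry (JSON lines), not real customer data: Windows logon
# events, a firewall connection, a DNS query and an EDR file observation from one host.
RAW_EVENTS = """\
{"ts": "2023-05-01T08:00:01Z", "source": "winlog", "event": "logon_failed", "user": "alice", "src_ip": "203.0.113.7", "host": "WS01"}
{"ts": "2023-05-01T08:00:05Z", "source": "winlog", "event": "logon_failed", "user": "alice", "src_ip": "203.0.113.7", "host": "WS01"}
{"ts": "2023-05-01T08:00:09Z", "source": "winlog", "event": "logon_failed", "user": "alice", "src_ip": "203.0.113.7", "host": "WS01"}
{"ts": "2023-05-01T08:00:14Z", "source": "winlog", "event": "logon_failed", "user": "alice", "src_ip": "203.0.113.7", "host": "WS01"}
{"ts": "2023-05-01T08:00:20Z", "source": "winlog", "event": "logon_failed", "user": "alice", "src_ip": "203.0.113.7", "host": "WS01"}
{"ts": "2023-05-01T08:00:31Z", "source": "winlog", "event": "logon_success", "user": "alice", "src_ip": "203.0.113.7", "host": "WS01"}
{"ts": "2023-05-01T09:12:00Z", "source": "firewall", "event": "outbound_conn", "src_ip": "10.0.0.12", "dst_ip": "198.51.100.23", "host": "WS01"}
{"ts": "2023-05-01T09:13:00Z", "source": "dns", "event": "query", "domain": "update-check.example", "host": "WS01"}
{"ts": "2023-05-01T09:15:00Z", "source": "edr", "event": "file_seen", "sha256": "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", "host": "WS01"}
{"ts": "2023-05-01T10:00:00Z", "source": "winlog", "event": "logon_failed", "user": "bob", "src_ip": "10.0.0.5", "host": "WS02"}
"""

# Constructed IOC set, standing in for values an MDR team would take from a TI feed.
IOCS = {
    "ip": {"198.51.100.23"},
    "domain": {"update-check.example"},
    "sha256": {"deadbeef" * 8},
}


def parse_events(raw):
    """Parse JSON-lines telemetry into dicts with a timezone-aware 'ts', sorted by time."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Correlation rule: at least `threshold` failed logons for one (user, src_ip)
    inside `window`, followed by a successful logon from the same pair, raises an alarm."""
    failures = defaultdict(list)
    alarms = []
    for ev in events:
        if ev["source"] != "winlog":
            continue
        key = (ev["user"], ev["src_ip"])
        if ev["event"] == "logon_failed":
            failures[key].append(ev["ts"])
        elif ev["event"] == "logon_success":
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alarms.append({
                    "rule": "brute_force_then_success", "priority": "high",
                    "user": ev["user"], "src_ip": ev["src_ip"], "host": ev["host"],
                    "failures": len(recent), "first_seen": recent[0], "last_seen": ev["ts"],
                })
            failures[key] = []  # one intrusion should yield one alarm, not one per later success
    return alarms


def hunt_iocs(events, iocs=IOCS):
    """Retrospective hunt: match stored events against IOC values, field by field."""
    field_types = {"src_ip": "ip", "dst_ip": "ip", "domain": "domain", "sha256": "sha256"}
    hits = []
    for ev in events:
        for field, kind in field_types.items():
            value = ev.get(field)
            if value in iocs.get(kind, set()):
                hits.append({"ts": ev["ts"], "host": ev["host"], "source": ev["source"],
                             "field": field, "value": value})
    return hits


def run_pipeline(raw=RAW_EVENTS):
    """Detection, then enrichment: alarms on a host that also has IOC hits are escalated."""
    events = parse_events(raw)
    alarms = detect_brute_force(events)
    hits = hunt_iocs(events)
    for alarm in alarms:
        alarm["ioc_hits_on_host"] = sum(1 for h in hits if h["host"] == alarm["host"])
        alarm["triage"] = "escalate" if alarm["ioc_hits_on_host"] else "investigate"
    return {"events": len(events), "alarms": alarms, "ioc_hits": hits}


if __name__ == "__main__":
    result = run_pipeline()
    for a in result["alarms"]:
        print(f"[{a['priority']}] {a['rule']} user={a['user']} src={a['src_ip']} "
              f"failures={a['failures']} triage={a['triage']}")
    for h in result["ioc_hits"]:
        print(f"IOC hit: {h['field']}={h['value']} on {h['host']} at {h['ts'].isoformat()}")
```

The single-host sample yields one high-priority alarm (five failures then success for `alice` from 203.0.113.7) and three IOC hits on the same host, so the alarm is marked for escalation rather than left as an unenriched alert; on real telemetry the same separation of detection rule, hunt, and enrichment is what lets an analyst see at triage time why an alarm deserves attention.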
From MDR to XDR
Event sources range from endpoint agents alone (a service built on these is usually called MDR) to a broader set of sources such as firewalls, network threat analysis tools, antivirus, cloud security products, and DLP; services that draw on this broader set are usually referred to as XDR.
An MDR service proves its value through 24/7 monitoring and constant coverage of the customer’s infrastructure, where any suspicious activity triggers an immediate response from skilled, trained professionals.
Some MDR/XDR providers offer additional services, such as security assessments, information security reviews, and policy and procedure development.
The Business Case for XDR
XDR services are designed to serve different kinds of customers. These may include organizations that have already invested in threat detection, investigation, and response infrastructure but lack the resources or expertise to manage it effectively.
Alternatively, organizations may not yet have invested in such capabilities and need support to establish and maintain them. Finally, some organizations have a long-term goal of owning their detection and monitoring capabilities but must reach a certain maturity level quickly. In such cases, XDR services can provide interim coverage while the organization hires, trains, and develops requirements for its own SOC operations. In any case, using a trusted XDR service provider dramatically reduces the effort and time needed to obtain coverage against a range of cybersecurity threats.
A good XDR provider should not merely forward automatically generated alarms to customers, but perform substantial human-driven analysis informed by knowledge of the customer’s infrastructure and the cyber threat landscape. It should provide intelligent response actions and coordinate remediation activities to reduce impact, and it must have a broad understanding of the tactics and techniques attackers use in order to develop comprehensive detection logic.
Need Help with XDR?