Crowdstrike Interview: Security Teams Need to Understand Business Goals

Security and business goals are a Venn diagram that can massively overlap — or fall apart if company communication is not easily translatable.

Cybersecurity expert Adam Meyers, senior vice president of counter-adversary operations at CrowdStrike, says it’s critical that security teams understand the business questions the C-suite is asking.

Typically, information security is confined to the technical employees tasked with implementing, rolling out, and monitoring security solutions for cyber threats, Meyers says.

The problem is that many of them don’t necessarily understand the business plan and that misalignment can affect the organization’s ability to operate.

Techopedia sits down with Meyers to discuss the importance of cyber threat intelligence in cybersecurity, the methods cybercriminals use to infiltrate organizations, and why it’s critical to keep the C-suite apprised of security risks and issues.

About Adam Meyers

As CrowdStrike’s senior vice president of counter-adversary operations, Adam Meyers leads the company’s threat intelligence line of business. Meyers directs a geographically dispersed team of cyber threat experts who track criminal, state-sponsored, and nationalist cyber adversary groups worldwide and produce actionable intelligence to protect customers.

He oversees the development and deployment of AI, machine learning, reverse engineering, natural language processing, and other technologies to detect suspicious and malicious cyber behavior and stop increasingly sophisticated adversaries. Meyers’ work combining human intelligence with technology-derived intelligence continues to transform cybersecurity.

Importance of Keeping C-Level Executives Informed

Q: Why is it critical for security teams to keep C-level executives and board members apprised of security and risk issues? What is the best way to present cyber threat intelligence to them?

A: It is increasingly important. Some of the SEC rulings and laws have changed regarding disclosure, which means that the board and the C-suite need to be involved immediately.

[C-level executives] need to be able to make informed communications and decisions that will impact not only how they respond to an incident or issue but also ensure that they’re doing so in a way that makes sense and can mitigate damage.

This is critical, and where we’ve been involved with boards and executives has really been around quarterly briefings, getting in front of them, and making them aware of the importance of identity, having identity controls, and how threat actors have changed their behaviors. The boards and the executives don’t follow this stuff very closely.

So, they need to be brought into the loop about how things are changing, what they need to consider from an investment perspective, and how to ensure that their organizations are prepared for success.

Mine is Not to Reason Why…

Q: Why do security teams need to better understand the business questions the C-suite is asking so they can better protect the organization?

A: That is a really important point.

Historically, information security has been relegated to the technical folks who implement and roll out solutions and then monitor for cyber threats in many organizations.

 

But the reality is that a lot of those folks don’t necessarily understand the business, what the business values are, and what’s important in the business.

So, what we’ve been working on at CrowdStrike for many years has been building that alignment to help the information security and technology teams understand the business and what’s important to the business.

And then conversely, helping the business leaders understand how information security can impact their ability to operate.

Role of Cyber Threat Intelligence in Cybersecurity

Q: What role does cyber threat intelligence play in an effective cybersecurity strategy??

A: Threat intelligence helps an organization understand what threat actors are out there that would potentially target their verticals.

You can’t defend against every threat all the time, so intelligence really gives you the ability to prioritize your defenses and investments to ensure that you’re making the right choices regarding the mitigating controls and technologies to stop those threats.

Cyber threat intelligence also helps you understand how those threat actors operate so that you can really engage in threat hunting. The speed of these threat actors has increased every single year.

For example, in 2022, the average time it took a threat actor to gain access, move laterally, and escalate privilege was 84 minutes. In 2023, it was 62 minutes. So,in the last year, adversaries got 22 minutes faster.

So organizations cannot just sit and wait to detect something; they have to engage in threat hunting. They have to go out there and patrol the enterprise and look for anomalies. Intelligence helps you understand what you need to do and what you need to be looking for. These things go hand in hand.

Q: What are the prerequisites to implementing a successful threat intelligence program?

A: One is going to be having visibility. If you don’t have visibility into your enterprise, having good intelligence is going to be minimized because you’re not able to do anything with it.

So making sure you have good visibility through the right technology, things like endpoint detection and response (EDR), identity protection, cloud security, all of that’s critical.

The second thing I would say is that not only do you have to have visibility into the enterprise, you also need to have cross-domain visibility.

You need to be able to see what’s happening in the identity stack, as identity is probably one of the most important things you need to be paying attention to right now.

If your threat hunting team and your information security team don’t have visibility into identities and how they’re working inside of an environment, what they’re connecting to, what they’re touching, that’s going to limit their ability to effectively hunt across that data and find bad stuff.

As you consider what you need to defend your organization effectively and have enterprise visibility, you also need visibility into the identity stack in the cloud to effectively stop these threats.

Organizations also need to be doing tabletop exercises on a regular basis [to determine the threat actors that target them and what actions to take in the event of a cyber incident]. You play like you practice, and if you don’t practice, you’re going to fall on your face. And that’s really not a good spot to be in during a cyber incident.

How Cybercriminals Operate

Q: What methods do cybercriminals use to exploit third-party relationships?

A: At the most basic level is supply chain attacks [where cybercriminals] implant malicious code, backdoors, or other things into accepted software channels, whether they’re closed source channels or open source channels.

Cybercriminals are also exploiting the trusted relationships between upstream and downstream vendors, meaning if you are using a managed service, threat actors understand that they can target those managed services, and then go after their customers.

We’re also seeing the exploitation of trusted relationships as threat actors go after the individuals who are working at companies.

Q: Last year, nation-state actors and hacktivists experimented with generative AI to democratize attacks and lower the barrier to entry for more sophisticated operations. Will this use of GenAI continue this year and beyond?

A: Absolutely. We’re seeing new generative AI models getting released, such as OpenAI releasing ChatGPT-4o. So we’re seeing GenAI creep into all walks of life, into everything that we do. And the threat actors have picked up on this. We’ve seen indications where groups like Scattered Spider have used GenAI to automate script development to interact with Microsoft Entra IDs. We’ve seen threat actors using it to educate themselves and to learn more about a particular technology or particular target.

Q: Are threat actors moving away from malware and malicious attachments and toward more subtle and effective methods of cyberattacks, such as credential phishing, password spraying, and social engineering? If so, why?

A: Absolutely. It’s because enterprise technology, such as an endpoint detection and response system, has made it much more difficult to bring malicious tooling into the enterprise.

When you show up with malware, it shows up much, much more visibly on an EDR. So the threat actors need a better way, a better place to conduct their activities without getting detected.

The way that they’re doing this is coming in through compromised identities, which could be usernames and passwords that they’ve stolen, or brute forced, or sprayed. It could be API credentials, it could be things that were posted by a developer to Git-Repo or something like that, that has credentials in it.

We’re seeing that identity is the number one way the threat actors are getting into these environments. Once they get into those environments using those compromised identities and coming in as legitimate users, they are going to unmanaged devices. They’re looking for places where they can’t be found or viewed. And then they’re staying under the radar to conduct their operations.

So in the case of something like ransomware, they’ll come in through a compromised identity. They’ll use legitimate tools like Microsoft Edge or something like that to poke around identity documentation infrastructure that they might go after, such as a hypervisor.

And then they deploy the ransomware to the hypervisor, which doesn’t support modern security tools. So there’s no hope to catch it. And from there, they’re able to encrypt thousands of servers and bring an organization to its knees.