Adversaries are accelerating targeted access to critical networks three times faster than before, according to CrowdStrike's recently released annual report.
The report, titled ‘Nowhere To Hide, 2021 Threat Hunting Report: Insights from the CrowdStrike Falcon OverWatch Team' highlights an explosion in adversary activity, both in volume and velocity.
The report shows that CrowdStrike's threat hunters tracked a 60% increase in attempted intrusions spanning all industry verticals and geographic regions.
It also showcases a significant drop in average breakout time - that is, the time it takes for an intruder to begin moving laterally outside of the initial beachhead to other systems in the network - of just one hour 32 minutes, a threefold decrease from 2020.
CrowdStrike states that these statistics show that threat actors are constantly adapting tactics, techniques, and procedures (TTPs) to accelerate their march toward their objectives.
Additional significant OverWatch observations include the following:
Adversaries have moved beyond malware: They are using increasingly sophisticated and stealthy techniques tailor-made to evade detections of all of the detections indexed by CrowdStrike Threat Graph in the past three months, 68% were malware-free.
China, North Korea and Iran were the most active state-sponsored groups: The report reveals the majority of targeted intrusion activity from adversary groups were based out of China, North Korea, and Iran.
There was a surge in interactive intrusion activity: Significantly targeting the telecommunications industry, this activity spans all major geographic regions and has been tied to a diverse range of adversaries, CrowdStrike states.
WIZARD SPIDER was the most prolific cyber criminal: In fact, this group was seen in nearly double the number of attempted intrusions than any other eCrime group.
WIZARD SPIDER is behind targeted operations using Ryuk and, more recently, Conti ransomware.
Cryptojacking continues to rise: CrowdStrike finds that there has been a 100% increase in instances of cryptojacking in interactive intrusions year-over-year, correlating with increases in cryptocurrency prices.
Access Brokers had a banner year: eCrime actors who specialise in breaching networks to sell that access to others played a growing and important role for other eCrime actors to stage their attempted intrusions.
CrowdStrike vice president of Falcom OverWatch Param Singh says, “Over the past year, businesses faced an unprecedented onslaught of sophisticated attacks on a daily basis."
Singh says, "In order to thwart modern adversaries stealthy and unabashed tactics and techniques, it's imperative that organisations incorporate both expert threat hunting and threat intelligence into their security stacks, layer machine-learning enabled endpoint detection and response (EDR) into their networks and have comprehensive visibility into endpoints to ultimately stop adversaries in their tracks.
The CrowdStrike report is comprised of threat data from Falcon OverWatch, CrowdStrike's managed threat hunting team, with contributions from CrowdStrike Intelligence and Services teams, and provides an inside look at the current threat landscape, notable adversary behaviour and tactics, and recommendations to increase cyber resiliency.
In the 2021 report, CrowdStrike's threat hunters directly identified and helped to disrupt more than 65,000 potential intrusions.