CrowdStrike’s Latest Global Threat Report Reveals Cyber Trends and Predictions
The volume, intensity and sophistication of cyberattacks have hit new highs, and cyber adversaries can launch massive, destructive attacks that render organizations inoperable for days or weeks. So, what makes these attacks so effective? They are essentially immune to the traditional endpoint defense technologies that most organizations have relied on for the past 20 or more years. Recent attacks have leveraged “military-grade” exploits and cyber tools made available to hackers and criminals through a “trickle-down” effect, where government-sponsored technology is passed along to the masses and ultimately into the wrong hands.
In its latest Global Threat Report, CrowdStrike analyzes the evolving threat landscape and gives recommendations to help organizations better prepare for today’s security challenges. The report, 2018 CrowdStrike Global Threat Report: Blurring the Lines Between Statecraft and Tradecraft, details observed trends over 2017 in targeted intrusions, criminal activity and hacktivist activity, as well as predictions for 2018.
The Report categorizes notable adversaries according to their nation-state affiliations or motivations (e.g., eCrime or hacktivist).
From Sophisticated Nation-State Actors to Opportunistic Criminals
CrowdStrike observes that there is a fundamental shift and leveling of the playing field between highly skilled (and typically well-funded) nation-state adversaries and their less sophisticated criminal and hacktivist counterparts. It is also becoming harder to distinguish between state-sponsored actors and cybercriminals as nation-state adversaries adopt eCrime tactics, techniques and procedures (TTPs) such as ransomware, and criminal groups perpetrate more sophisticated targeted intrusion-type attacks.
The fast adoption of leaked state-sponsored cyber TTPs by cyber criminals and hacktivists for targeted intrusions and criminal campaigns is one of the most prominent and alarming trends observed by CrowdStrike in its Global Threat Report. Prime examples of hacking tools being rapidly incorporated into targeted intrusion and criminal campaigns include WannaCry and NotPetya where stolen cyber espionage tools, EternalBlue and DoublePulsar, were leaked by the Shadow Brokers – a hacker group who have published several leaks containing hacking tools from the National Security Agency, including several zero-day exploits.
Data as a Weapon
Throughout 2017, stolen and vulnerable data proved to be valuable weapons. Adversaries across all geographic regions, of varying affiliations and motivations, impacted organizations worldwide through data extortion, data ransom and outright theft in 2017. Extortion and weaponization of data have become mainstream among cybercriminals, heavily impacting government and healthcare, among other sectors. Nation-state-linked attacks and targeted ransomware are on the rise and could be used for geopolitical and even military exploitation purposes.
Exploits are continuing to proliferate with threat actors using commodity tools such as penetration-testing software and poisoned update packages to breach networks. Defending against these “government-grade” cyber attacks requires enlisting a host of new security technologies and approaches that go beyond the simple signature-based prevention of the past.
Malware Undetected By Antivirus Software
There was an increase in malware-based attacks over malware-free attacks last year. Alarmingly, 39 percent of all attacks that CrowdStrike observed constituted malware-free intrusions that were not detected by traditional antivirus, with the manufacturing, professional services and pharmaceutical industries facing the most malware-free attacks. This highlights the need for next-generation endpoint protection, as organizations relying on legacy solutions are left openly vulnerable to these threats.
Reduced Average Breakout Time
Based on incidents investigated by CrowdStrike in 2017, the average “breakout time” that year was 1 hour and 58 minutes. Breakout time is how long it takes an intruder to jump off the initial system (the beachhead) they compromised and move laterally to other machines within the network. This short window to act doesn’t leave much room for error when you’re protecting sensitive data. Defenders have to detect the initial intrusion, investigate it and eject the attacker from the network before they bury themselves deeper and steal or destroy sensitive data, which can make remediation much more complex.
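As an added illustration (not code from the report or from CrowdStrike's tooling), the following Python computes breakout time from constructed endpoint events and checks whether a detect-investigate-eject budget beats it; the event format, incident ids and host names are assumptions.

```python
from datetime import datetime

# Constructed sample telemetry (hypothetical): (timestamp, incident id, host, event type).
EVENTS = [
    ("2017-06-01T09:00:00", "INC-1", "ws-042", "initial_compromise"),
    ("2017-06-01T09:20:00", "INC-1", "ws-042", "credential_access"),
    ("2017-06-01T10:45:00", "INC-1", "srv-07", "lateral_movement"),
    ("2017-06-01T11:10:00", "INC-1", "srv-09", "lateral_movement"),
    ("2017-06-03T14:00:00", "INC-2", "ws-118", "initial_compromise"),
    ("2017-06-03T18:30:00", "INC-2", "db-01", "lateral_movement"),
]


def breakout_minutes(events):
    """Minutes from the first compromise on the beachhead to the first
    lateral-movement event that lands on a different host, per incident."""
    first_compromise, beachhead, first_lateral = {}, {}, {}
    for ts, inc, host, kind in sorted(events):  # ISO-8601 strings sort chronologically
        t = datetime.fromisoformat(ts)
        if kind == "initial_compromise" and inc not in first_compromise:
            first_compromise[inc], beachhead[inc] = t, host
        elif (kind == "lateral_movement" and inc in first_compromise
              and host != beachhead[inc] and inc not in first_lateral):
            first_lateral[inc] = t
    return {inc: (first_lateral[inc] - first_compromise[inc]).total_seconds() / 60
            for inc in first_lateral}


def average_breakout(events):
    """Average breakout time across incidents that actually broke out."""
    times = breakout_minutes(events)
    return sum(times.values()) / len(times) if times else None


def format_breakout(minutes):
    """Render minutes as the 'Xh Ym' form used when reporting breakout time."""
    whole = int(round(minutes))
    return f"{whole // 60}h {whole % 60}m"


def incidents_attacker_wins(events, response_budget_minutes):
    """Incidents where the attacker broke out before a detect+investigate+eject
    budget of the given length would have completed."""
    return sorted(inc for inc, m in breakout_minutes(events).items()
                  if m <= response_budget_minutes)
```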
Government, Healthcare and Financial Still Top Targets
Government, healthcare and financial organizations continued to top the list of targets for eCrime and targeted intrusion actors. In addition, the hospitality sector emerged in 2017 as a growing target for financially motivated criminals as well as state-affiliated adversaries. International hotel chains were particular targets, from the theft of identities and credit card numbers via point-of-sale transactions, to potentially tracking persons of interest while they travel, or enabling access to these potential victims when they use electronic devices outside the confines of protected networks.
The Global Threat Report informs public and private sector organizations about the tactics, techniques and procedures (TTPs) being employed by nation-state, criminal and hacktivist adversaries, to help them properly allocate the defenses and resources necessary to protect the assets most at risk. Here are recommended actions to take away from the report.
Slow Down Attackers
With very little room for error during breakout time, some of the many methods to slow down attackers and make their attempts at lateral movement more visible include:
- limiting user account permissions
- application whitelisting
- segregating users and networks, and
- aggressively applying available patches.
Go Beyond Malware To Strengthen Defenses Against Modern Attacks
Enterprises face more than just “a malware problem” and defenders must use contextual and behavioral analysis to look for early warning signs that an attack may be underway. Early warning signs include, but are not limited to:
- code execution
- command and control
- lateral movement within a network.
When delivered in real time via machine learning and artificial intelligence, contextual and behavioral analysis detects and prevents attacks that conventional defense-in-depth technologies cannot address.
Continually Assess Risk with Real-Time Visibility
To establish critical security controls, companies need to:
- maintain up-to-date inventories of the devices and applications on their network
- understand what is running in the corporate network, so they can identify vulnerable systems that require critical security updates and patches
- understand the systems that user accounts can access and the permissions they possess, to stop initial intrusions and lateral movement
- take control of account privilege levels and protect against unauthorized network and application access with two-factor authentication.
Add Threat Hunting to Your Security Portfolio
Passively waiting for traditional security countermeasures to detect attacks is not enough. Proactive threat hunting, led by human security experts, is a requirement for any organization looking to achieve or improve real-time threat detection and incident response.
Integrate Threat Intelligence Into Your Endpoint Security Strategy
Threat intelligence can provide a deeper understanding of the motivations and objectives of threat actors. The more information you can gather on your attackers, the better you can defend your organization. The more intelligence a security team obtains on who might be targeting the organization and how those actors operate, the more educated, aware and effective that security team becomes. Understanding whether your organization is a potential target for an adversary, and knowing which exploits and strategies are commonly used in such attacks, can help you prioritize patching and eliminate vulnerabilities before the adversary can initiate an attack.
Assess Your Readiness to Protect Against Sophisticated Attacks
Evaluate the quality and effectiveness of your security program before an attack happens. Engaging in third-party security assessments will reveal organizational readiness to face both common and sophisticated attacks. In addition, participating in adversary emulation exercises, using real-world TTPs, will inform you about how to improve your incident response playbook and procedures.
CrowdStrike is the leader in cloud-delivered endpoint protection. The CrowdStrike Falcon platform provides comprehensive real-time visibility into threat actors and data from its global customer community. Its cloud infrastructure and single-agent architecture eliminate complexity and add scalability, manageability, and speed.
Learn more about how CrowdStrike Falcon can stop breaches and improve your overall security posture. Contact AGT today to find out how CrowdStrike fits in with your current suite of security tools.
Read the full report.