CrowdStrike Threat Report Highlights Shift in Attacker TTPs

Threat actors in 2022 were able to move laterally inside company networks faster than ever, and they increasingly turned away from traditional malware attacks toward newer techniques, according to the CrowdStrike “2023 Global Threat Report.”

The time it took for attackers to begin moving laterally from the initial point of compromise to other IT systems in targeted companies decreased from 98 minutes in 2021 to 84 minutes in 2022, according to CrowdStrike, an ExtraHop technology partner.

That decrease in the average breakout time for intrusion points to the need for security teams to respond quickly to attacks, the report adds.

“By responding within the breakout time window, defenders can minimize the costs and other damages caused by attackers,” CrowdStrike says. Security teams should aim for the “1-10-60 rule,” by detecting threats within the first minute, understanding the threats within 10 minutes, and responding within 60 minutes, the cybersecurity provider advises.

One criminal group detected by CrowdStrike, called Scattered Spider, gained access to corporate IT environments through phishing campaigns, then used several tools to bypass or terminate endpoint security software.

As Attackers Change Tactics, NDR Becomes Critical

The uptick in attacks leveraging defense evasion techniques points to the need for companies to deploy a network detection and response (NDR) solution, like ExtraHop Reveal(x) 360, alongside an endpoint detection and response (EDR) platform, like CrowdStrike FalconⓇ. Attacks capable of disabling endpoint agents can’t hide from NDR sensors, which pick up on suspicious network behaviors that often signal an early-stage attack. The combination of NDR and EDR forms a more complete solution to stop attackers every step of the way.

ExtraHop and CrowdStrike, through their two-plus-year partnership, have provided significant benefits to customers by combining NDR and EDR data. ExtraHop has now announced a new capability related to CrowdStrike by enabling customers to integrate ExtraHop network meta data into Crowdstrike Falcon® LogScale, a centralized log management technology that allows organizations to make data-driven decisions about the performance, security, and resiliency of their IT environments.

Using Reveal(x) 360, ExtraHop’s NDR solution, security operations teams can now feed network data into the Falcon® LogScale platform to more quickly qualify or disqualify threats. This combination gives security analysts the ability to focus on triaging their most pressing concerns.

The integration correlates network data from ExtraHop with endpoint, log, and identity data in Falcon® LogScale to remove guesswork and provide the context analysts need to protect their organizations.

No Hiding from NDR

Meanwhile, the report sees threat actors increasingly using compromised company credentials and other malware-free attacks to target organizations. Malware-free activity accounted for 71 percent of all CrowdStrike detections in 2022, up from 62 percent in 2021 and 51 percent in 2020, the report says. The report observes a “prolific abuse” of valid credentials to gain access and persist in victim networks.

Tactics like credential abuse are difficult to detect for tools that leverage logs, which lack depth, as their primary source for network security. ExtraHop Reveal(x) 360 uses network packets as its primary data source, as packets provide greater depth and context than logs. By analyzing observed behaviors with cloud-scale machine learning, Reveal(x) 360 detects the sometimes subtle anomalous behaviors that indicate when attackers are using compromised credentials. Reveal(x) 360 then creates high-fidelity alerts—loaded with context—to enable security teams to quickly investigate and respond with confidence.

In a related development, CrowdStrike observed a 112 percent increase in advertisements from access brokers, those threat actors who acquire access to organizations and provide or sell the access to other criminals, including ransomware gangs. CrowdStrike observed more than 2,500 advertisements from access brokers across the criminal underground.

The report details attack campaigns from a number of criminal and nation-state groups. In some cases, threat actors shifted away from the deactivation of antivirus and firewall technologies, as well as from log-tampering efforts. Instead, they looked for ways to modify authentication processes and attack identities. These trends further underscore the need for NDR.

“In 2022, CrowdStrike Intelligence observed adversaries across the targeted intrusion, eCrime and hacktivist landscapes operating with relentless determination to meet their goals,” the report says. “These adversaries continued to seek novel ways to bypass security measures to conduct successful initial infections, impede analysis by researchers and refine tried-and-tested techniques.”