CrowdStrike has been protecting customers from cyber attacks since 2011. However, where other vendors focused on malware, CrowdStrike took a hard look at more sophisticated attacks. In its 2023 Threat Hunting Report, the company explains how easy it can be for threat actors to enter an organization. But also: “You have to realize how quickly attackers can make their move. It can be over inside seven minutes.”
For its annual study, CrowdStrike looked only at interactive intrusions – that is to say, attacks in which a cybercriminal was manually tinkering in a victim’s IT environment. On average, these hackers manage to move from an initial compromise to further infiltration of the corporate network within 79 minutes. CrowdStrike’s Falcon OverWatch team even saw one attacker accomplish this within seven minutes.
“That’s less than the time it takes to pour a cup of coffee,” said Dave van den Heuvel, Managing Director Benelux at CrowdStrike. He tells us that attacks these days are not only swift, but also mostly done with legitimate credentials. This is what is meant by “identity”: not just login credentials, as it includes the act of misleading personnel (social engineering) to get past identification and authorization steps as well. Cybercriminals usually obtain legitimate credentials on the darkweb. Another threat actor has already captured them before in such an instance. As a result, attackers can “walk in through the front door,” as Van den Heuvel puts it. If you leave that door even slightly ajar, it’s free game for malicious actors. 80 percent of all breaches use compromised identity data.
Over the past year, these identity threats appeared to be very prominent, with attackers continuously trying to quickly increase their impact beyond the initial breach.
CrowdStrike’s 2023 Threat Hunting Report shows a 583 percent (!) increase in the number of incidents in which “Kerberoasting” occurred. This technique abuses the Kerberos authentication protocol within Windows devices. This protocol issues encrypted tickets to SPNs (service principal names) to grant users access. After obtaining a ticket, a cybercriminal can use a brute-force technique to crack the encryption.
The SPNs targeted by malicious actors are linked to an Azure Active Directory account. These users often have privileged access to sensitive data. Thus, cracking a single ticket can lead to a major leak.
What’s striking is that a single criminal actor (VICE SPIDER) accounts for 27 percent of all Kerberoasting incidents. A party like this uses many other techniques to enable their attacks: password spraying, Web application attacks and lateral moves within an affected organization’s environment.
Changing landscape of threats
In its Threat Hunting Report, CrowdStrike also pays attention to several threats that use legitimate tools to run their course undetected within an organization’s network. Van den Heuvel cites SCATTERED SPIDER, which attacked prominent casinos in Las Vegas, among other well-known victims. The Falcon OverWatch team observed that one of the applications this party deployed was RustDesk, an open-source remote monitoring & management (RMM) tool. In all likelihood, malicious actors like SCATTERED SPIDER modified RustDesk and other alternatives to operate covertly remotely. “If you look at the attack surface, it’s long gone beyond malware,” Van den Heuvel argues. Organizations have yet to realise that fact. “It requires an additional piece of awareness.”
In addition, threat actors have now become better at taking advantage of cloud misconfigurations. They also abuse built-in cloud management tooling. In short, attackers are now well-versed in the cloud-based world of today. For sustained success, cybercrime must continually evolve, changing the threat landscape as a result. “What we learn today, can be old news tomorrow,” Van den Heuvel points out.
Some sectors are more affected by cybercrime than others. This year, CrowdStrike saw that technology verticals continue to be targeted the most. This has been the case for six years in a row. However, financial companies have suffered more attacks this year than telco, a shift from last year.
Still, cybersecurity is relevant to every organization. Malicious actors are deploying automated scanners to detect Internet-exposed vulnerabilities, allowing them to target smaller parties as well. Also, the move to the cloud and the rise of hybrid cloud and on-prem environments are increasing the attack surface. Identity, software and cloud create very different challenges. The question is: Who is securing all of that? And how?
A united front
Given the speed and effectiveness of malicious attacks, CrowdStrike recognized that it needed to create a closer link between threat hunting and intelligence. A new defensive unit was created this year: CrowdStrike Counter Adversary Operations. This group’s main goal is to increase the price a threat actor pays for a cyber attack.
In doing so, CrowdStrike provides all kinds of organizations with the protection they need, as this information is relevant to everyone. “We work for the largest companies in the world, but also offer managed solutions for smaller parties,” Van den Heuvel reveals. With its own suite of services, the security company focuses particularly on XDR (extended detection and response). It is a very conscious strategy, according to Van den Heuvel. With a single control panel (single pane of glass), customers can use CrowdStrike’s service package. “Customers can also deploy our software themselves with their own SOC, or choose a managed service. It’s a complete offering,” says Van den Heuvel.
Those who choose CrowdStrike can easily install the service package, according to Van den Heuvel. “Nothing needs to be rebooted. We also make sure we integrate with our partners, such as network security providers and e-mail protection.”
He does stress that you always need to train people, even just to comply with basic skills across the organization. So that includes adherence to zero-trust principles to minimize data exposure in the event of a hack. Least-privilege access is important to grant users access only where necessary.
Falcon OverWatch’s results don’t lie. In one year, the team identified a potential intrusion every seven minutes on average. Those who purchase CrowdStrike Falcon Intelligence receive continuous insights about these incidents to ensure better cyber resilience. It is even possible to personally acquire the services of an intelligence analyst dedicated to protecting one’s specific organization.
The work of CrowdStrike researchers thus leads to new revelations and the ability to take preventive action against new threats. As the example of Kerberoasting shows, one attack vector can suddenly become a significant threat in a year, showing how the cybercrime world is constantly adapting. The only way to be protected, then, is to stay abreast of the latest cyber developments.