The cyber security landscape is always evolving, but cyber adversaries continue to be relentless and innovative in their efforts to find gaps in your organization’s security and leverage them for their own gain.
CrowdStrike research into the main objectives of hackers, how they gain initial access to a network and what techniques they use once inside reveals clear patterns.
The findings in the CrowdStrike Services report are based on real-world engagements by our seasoned incident response (IR) investigators who face sophisticated adversaries and the challenges they present on a daily basis.
Business disruption remains the main attack objective, followed by data theft and monetary loss.
- Dwell time increased, due to advanced adversaries employing stronger countermeasures and remaining hidden longer — but more organizations improved their ability to self-identify attacks.
- Spear-phishing again topped the list of initial attack vectors. Others were web attacks, compromised credentials and supply chain compromise.
- Malware-free intrusions are becoming more prevalent.
- The most common attack techniques involved account compromise, often via “living off the land.”
- Effective mitigations include better Active Directory and operating system configuration, credential access protection, privileged account management, application isolation, sandboxing and more.
Business Disruption, Data Theft and Monetary Loss
In 36% of the incidents that CrowdStrike Services investigated in 2019, business disruption was the main attack objective. Most often, the attack involved ransomware, destructive malware or denial of service (DoS) attacks. While the main goal in a ransomware attack is usually financial gain, the resulting business disruption often outweighs the ransom amount. However, this balance may be shifting again — eCrime actors substantially increased their ransom demands over the past year.
Data theft was observed in 25% of investigated breaches — this includes theft of intellectual property (IP), personally identifiable information (PII) and personal health information (PHI). IP theft has been linked to numerous nation-state adversaries that specialize in targeted intrusion attacks, whereas PII and PHI data theft can enable both espionage and criminally motivated operations. These types of information may be used by a cyber-espionage actor to build a dossier on a high-profile target, or a cybercriminal may sell or ransom the information.
With ransomware reclassified under business disruption, monetary loss accounted for just 10% of attacks in 2019. This category includes crimeware, formjacking, cryptojacking and more. Monetary loss was the primary type of damage inflicted in government/education and retail, whereas business disruption was the primary damage in manufacturing and healthcare.
The company further observed an increase in dwell time — the time between when a compromise first occurs and when it is detected. Average dwell time grew 10 days to 95 in 2019, up from 85 in 2018.
Why? Advanced adversaries and state-sponsored threat actors are applying countermeasures that allow them to remain undetected for a protracted length of time — particularly in environments protected by legacy security technologies. These findings underscore the need to implement proactive threat hunting in order to uncover attacks early.
When breaches with dwell time greater than one year are excluded, the average drops to approximately 60 days, which represents how long eCrime actors typically spend within an environment conducting reconnaissance about the target environment before executing their attacks. But even a dwell time of one day can be far too long.
CrowdStrike recommended that organizations follow the “1-10-60 rule” as a best practice: one minute to detect an intrusion, 10 minutes to investigate and 60 minutes to remediate.
Organizations that meet the 1-10-60 rule can dramatically improve their chances of staying ahead of the adversary and stopping a potential breach from occurring.
One improvement noted in the report is that organizations have continued to increase their ability to self-detect and respond to breaches, without external notifications. In 2019, 79% of organizations that engaged CrowdStrike for incident response (IR) investigations were able to internally detect an intrusion, up from 75% in 2018 and 68% in 2017. The shift is due in part to C-level executives improving their understanding of cyber risk — and subsequently investing in security to help protect their organizations and customers.
As a direct result of executive support, organizations are making a greater effort to mature their security operations and are particularly focusing on detection. However, investment must cover the entire security stack — including endpoint detection and response tools (EDR), threat intelligence, proactive managed hunting and managed remediation services — if organizations are to continue improving their ability to self-detect.
Spear-phishing and Other Attacks
In 2019, the most common ways that attackers initially gained access to a network were through spear-phishing (35%), web attacks (16%), compromised credentials (16%) and supply chain compromise (6%).
In the spear-phishing cases observed, 19% used attachments in a spear-phishing email, 15% used spear-phishing with a malicious link and 1% employed spear-phishing via a service. In cases involving web attacks, 12% of the breaches involved an exploit of a public-facing application and 4% resulted from a drive-by compromise.
Third-party compromises like those observed in the software supply chain have the potential to be farther reaching than attacks originating from other vectors due to the challenges in preventing them and the damage they can inflict.