Over the past year, businesses faced an unprecedented onslaught of sophisticated attacks on a daily basis. A new report by cloud-endpoint and workload protection firm CrowdStrike highlights an explosion in adversary activity, both in volume and velocity.
Nick Lowe, Director, Falcon OverWatch at CrowdStrike, told CXOToday, “In the past year, the OverWatch team tracked a 60% increase in interactive intrusion activity. We’ve noticed that adversaries have moved beyond malware and are using increasingly sophisticated and stealthy techniques tailor-made to evade autonomous detection.”
According to him, the report also showed a significant drop in average breakout time – the time it takes an intruder to begin moving laterally from the initial beachhead to other systems in the network – to just 1 hour 32 minutes, a threefold decrease from 2020. These sobering statistics show how threat actors are constantly adapting their tactics, techniques, and procedures to accelerate their march toward their objectives.
The report further stated that China, North Korea and Iran were home to the most active state-sponsored groups, with the majority of targeted intrusion activity from adversary groups originating from these regions. Wizard Spider, for example, was found to be the most prolific eCrime group, seen in nearly double the number of attempted intrusions of any other eCrime group. This group was behind targeted operations using the notorious Ryuk and, more recently, Conti ransomware.
Almost every sector is susceptible to online breach, and the speed of eCrime adversaries is increasing: the report found that eCrime adversaries began moving laterally within a victim environment in an average of 1 hour and 32 minutes. Lowe also points to a massive surge in interactive intrusion activity targeting the telecommunications industry, which accounted for 40% of all state-nexus intrusion activity in the past 12 months.
This activity spans all major geographic regions and has been tied to a diverse range of adversaries. Lowe commented, “The story for businesses is that eCrime is not abating with the past year witnessing some of the most significant and widespread cyberattacks the world has experienced.”
The report also saw a 100% increase in instances of cryptojacking in interactive intrusions year-over-year, correlating with rises in cryptocurrency prices. It was also a banner year for access brokers: eCrime actors who specialize in breaching networks and selling that access to others played a growing and important role in enabling other eCrime actors to stage their attempted intrusions.
According to Lowe, eCrime accounted for 75% of interactive intrusion activity, and the big game hunting business model continued to evolve, with widespread adoption of both access brokers to facilitate initial entry and dedicated leak sites to pressure victims into paying.
Lowe recommended that, to better protect themselves, businesses need to deploy full protection across all endpoints, properly configure their security solutions, and adopt threat hunting so they are vigilant and ready to act. “Enterprises must also control the software they’re using by patching it or removing unnecessary software, protect employee credentials as well as pay close attention to remote access to ensure it’s not a route in for the bad guys,” he concluded.