Key Findings: CrowdStrike 2020 Global Threat Report
Last month CrowdStrike released its 2020 Global Threat Report, reflecting on the past year’s cybercrime and the types of attacks and techniques criminals have been utilising. In this blog post, we take a look at the key trends from the report and what they mean to Australian businesses.
Malware-free on the rise and increased average breakout time
In 2019, the ratio of malware to malware-free attacks levelled out at 49% and 51% respectively, compared with 60% malware and 40% malware-free in 2018. CrowdStrike defines malware-free as attacks that do not result in a file or file fragment being written to disk; examples include code that executes only in memory, or an account takeover in which stolen credentials are used. These attacks are typically more difficult to detect and require more sophisticated techniques, such as behavioural detection and human threat hunting, to identify and remediate reliably.
For the 2018 Global Threat Report, CrowdStrike began reporting on the average breakout time of attacks. This is a measure of the time between an attacker gaining initial access and beginning to move laterally across the targeted organisation’s network toward their goal. It is a key metric for businesses, as it gives an understanding of how quickly your organisation needs to be able to detect and remediate in order to minimise potential damage.
The average breakout time almost doubled from 2018 to 2019, from 4 hours 37 minutes to 9 hours. Although it may seem as though businesses have more leeway to detect and respond, organisations should still be focused on achieving remediation as quickly as possible. The increase in breakout time has been linked to the rise in eCrime, which tends to have longer breakout times, but this is just one part of the threat landscape, and other actors have considerably lower breakout time averages.
Technique Trends
In 2019 the top 3 execution attack technique trends were identified as:
- Masquerading – the name or location of an executable, whether legitimate or malicious, is manipulated or abused for the sake of evading defences and observation.
- Command-line Interface – attackers execute malicious code, usually paired with other techniques as part of a broader attack. An example would be using a remote access tool to run a malicious script with PowerShell on a compromised system.
- Credential Dumping – obtaining account login and password information, usually in the form of a hash or clear-text password, from the operating system or software.
The masquerading technique has shown the greatest increase, with the others staying roughly constant relative to previous years, which CrowdStrike attributes to the uptake in use of an exploit named EternalBlue in the wild.
Ransomware-as-a-Service
Ransomware remained a pervasive threat throughout 2019, and we have seen it across the media in various industries such as healthcare, legal and government. It was the most lucrative enterprise for eCrime adversaries, with ransom demands soaring into the millions. Many ransomware families began adopting Ransomware-as-a-Service (RaaS) and big game hunting (BGH) techniques, with developers of RaaS models receiving a share of the profits that their affiliates collect from successful ransomware infections.
One specific example in CrowdStrike’s report, from early April 2019, was a BGH intrusion against a large network. During this attack attempt, the adversary deployed ransomware known as Dharma, which fortunately was blocked by CrowdStrike’s Falcon platform. What CrowdStrike was able to determine, though, is that this piece of ransomware is highly configurable and operates on an affiliate-based system. The threat actors gain access to systems by exploiting vulnerable machines, or by brute-forcing passwords on machines with weak or predictable credentials.
Some of the recommendations InfoTrust would suggest to businesses to mitigate this kind of threat include:
- Enable Multi-Factor Authentication – for all external remote access points, external applications, and sensitive internal applications to mitigate the threat of illegitimate access via leaked credentials or weak passwords.
- Review remote access points – ensure logging is enabled and retained, and that access is monitored and restricted to only necessary resources.
- Vulnerability management – ensure regular vulnerability scans are conducted, and that available patches are applied promptly.
- Incident response planning – ensure you have a robust incident response plan in place to remediate any potential threats, and importantly make sure the plan is practised at least once a year.
eCrime Trends
Ransomware accounted for 26% of all eCrime attacks in 2019. Other prevalent activity included banking trojans, spambots, business email compromise, and malware-as-a-service developers.
One technique identified that was particularly interesting and innovative was email thread hijacking. Attackers run Emotet spam campaigns to harvest a user’s email content. After the victim’s email content has been stolen, the malware identifies email threads by subject line and formulates a reply to a thread. This technique increases the likelihood of the victim clicking on a link or opening an attachment, because the sender appears to be someone they have previously communicated with or know in real life. It is likely this kind of tactic is used to support ransomware campaigns.
It is predicted that in 2020 eCrime gangs will continue to target financial institutions and other companies, while expanding their campaigns outside Europe and the United States.
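A defender-side heuristic for the thread hijacking described above, as an added example that is not part of the CrowdStrike report or InfoTrust's own tooling: a hijacked reply typically reuses the thread's subject and a known participant's display name, but arrives from an address that never took part in the thread, or without the In-Reply-To/References headers a genuine mail client would set. The mailbox and messages below are constructed samples.

```python
"""Flag replies that claim to continue a known email thread but whose sender does
not belong to it. Added example; the mailbox, addresses and messages are constructed."""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

REPLY_PREFIX = re.compile(r"^\s*(re|fw|fwd)\s*:", re.IGNORECASE)

# Constructed genuine exchange between a supplier and a customer.
GENUINE = [
    "From: Alice Smith <alice@supplier.test>\nTo: Bob Jones <bob@corp.test>\n"
    "Subject: Invoice 4471\nMessage-ID: <m1@supplier.test>\n\nHi Bob, invoice attached.\n",
    "From: Bob Jones <bob@corp.test>\nTo: Alice Smith <alice@supplier.test>\n"
    "Subject: Re: Invoice 4471\nMessage-ID: <m2@corp.test>\nIn-Reply-To: <m1@supplier.test>\n\nThanks.\n",
]
# Constructed hijack attempt: Alice's display name and subject, but a foreign address.
HIJACK = ("From: Alice Smith <alice@mail-relay.test>\nTo: Bob Jones <bob@corp.test>\n"
          "Subject: RE: Invoice 4471\nMessage-ID: <x1@mail-relay.test>\n"
          "In-Reply-To: <m2@corp.test>\n\nBob, the updated invoice is at the link below.\n")
# Constructed reply that quotes the thread but carries no threading headers at all.
HEADERLESS = ("From: Alice Smith <alice@other.test>\nTo: bob@corp.test\n"
              "Subject: Re: Invoice 4471\n\nPlease open the attachment.\n")

def build_index(raw_messages):
    """Map Message-ID -> (participant addresses, {address: display name})."""
    index = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        pairs = getaddresses(msg.get_all("From", []) + msg.get_all("To", []) + msg.get_all("Cc", []))
        addrs = {a.lower() for _, a in pairs if a}
        names = {a.lower(): n for n, a in pairs if a and n}
        index[msg["Message-ID"]] = (addrs, names)
    return index

def thread_hijack_signals(raw_reply, index):
    """Return a sorted list of reasons the reply looks like a hijacked thread (empty if clean)."""
    msg = message_from_string(raw_reply)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    refs = (msg.get("In-Reply-To", "") + " " + msg.get("References", "")).split()
    signals = set()
    if REPLY_PREFIX.match(msg.get("Subject", "")) and not refs:
        signals.add("reply subject without In-Reply-To/References")
    for addrs, names in (index[r] for r in refs if r in index):
        if addr not in addrs:
            signals.add("sender not a participant of referenced thread")
        if name and name in names.values() and names.get(addr) != name:
            signals.add("display name matches a participant but address differs")
    return sorted(signals)

INDEX = build_index(GENUINE)
```

Running `thread_hijack_signals(HIJACK, INDEX)` yields both the participant and display-name signals, while a genuine reply from alice@supplier.test referencing the same thread yields none.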
Top threats due to continue
It will be of no surprise to most that ransomware, credential exploitation, and social engineering will continue to be the top threats in 2020. With each technique, adversaries are becoming more sophisticated and pivoting quickly in order to remain effective and ahead of the curve.
- Ransomware – after a resurgence of ransomware attacks in 2019, there are no indications that its prevalence will decrease in 2020. CrowdStrike and InfoTrust note that it is not enough for businesses to simply “turn on” security controls; ensuring correct configuration and deployment across your organisation’s network is key and is often overlooked. Review your existing controls and ensure they still meet your organisation’s security needs.
- Credentials – weak passwords and stolen credentials will continue to be a threat to businesses. But as more businesses enable multi-factor authentication attackers will pivot to target mobile devices more, creating malware designed to intercept tokens and authorisation messages. Multi-factor authentication as a baseline should be deployed for all your business-critical software and services as this increases the difficulty for attackers to access your network. However, it is also recommended that businesses begin to consider security for their workforce’s mobile devices if they have not already begun to do so.
- Social Engineering – the scourge of business email compromise attacks continues for security professionals into 2020. The ease with which these attacks can be deployed at relatively low cost means they will continue to be an effective tactic for cybercriminals. Here, people are still very much your last line of defence, and businesses should be reviewing their security awareness programs every 6 – 12 months to ensure the latest threats and attack techniques are being covered.
InfoTrust and CrowdStrike
InfoTrust is excited to announce that we have partnered with CrowdStrike to provide a free 15-day trial of the Falcon Prevent solution, CrowdStrike’s next-generation anti-virus. This free trial provides visibility into the threats and detections your legacy endpoint protection may be missing, and provides actionable threat intelligence from CrowdStrike that can be used to protect your endpoints from real threats currently in the wild.
To find out more click here.
To access the full 2020 Global Threat Report click here.