Key Findings: CrowdStrike 2020 Global Threat Report

Last month CrowdStrike released its 2020 Global Threat Report, reflecting on the past year’s cybercrime and the types of attacks and techniques criminals have been utilising. In this blog post, we take a look at the key trends from the report and what they mean to Australian businesses.

Malware-free on the rise and increased average breakout time

In 2019, the ratio of malware to malware-free attacks leveled out to 49% and 51% respectively. Previously in 2018, this had been 60% malware and 40% malware-free. CrowdStrike defines malware-free as attacks that do not result in a file or file fragment being written to disk, examples would be where code executes from memory or an Account Takeover attack where stolen credentials are leveraged. These attacks are typically more difficult to detect and require more sophisticated techniques such as behavioural detection and human threat hunting to identify and remediate reliably.

For the 2018 Global Threat Report, CrowdStrike began reporting on the average breakout time of attacks. This is a measure of the speed in which an attacker gains initial access to lateral movement across the targeted organisation’s network toward their goal. This is a key metric for businesses as it gives an understanding of how quickly your organisation needs to be able to detect and remediate in order to minimise potential damage.

The average breakout time has almost doubled from 2018 to 2019, at 4 hours 37 minutes to 9 hours respectively. Although it may seem as though businesses have more leeway to detect and respond, organisations should still be focussed on achieving remediation as quickly as possible. The increase in breakout time has been linked to the rise in eCrime, which tends to have longer breakout times, but this is just one part of the threat landscape and other techniques have considerably lower breakout time averages.

Technique Trends

In 2019 the top 3 execution attack technique trends were identified as;

• Masquerading – the name or location of an executable, whether legitimate or malicious, is manipulated or abused for the sake of evading defences and observation.
   
• Command-line Interface – attackers execute malicious code, usually paired with other techniques as part of a broader attack. An example would be using a remote access tool to run a malicious script with PowerShell on a compromised system.
   
• Credential Dumping – obtaining account login and password information, usually in the form of a hash or clear text password, from an operating system and software.
   

The masquerading technique has shown the greatest increase, with others staying constant to previous years, which CrowdStrike attributes to the uptake in the use of an exploit named EternalBlue in the wild.

Ransomware-as-a-Service

Ransomware remains a pervasive threat throughout 2019, and we have seen it across the media for various industries such as healthcare, legal and government. This was the most lucrative enterprise for eCrime adversaries, with soaring ransom demands into the millions. Many ransomware families began adopting Ransomware-as-a-Service (RaaS) and big game hunting techniques (BGH), with developers of RaaS models receiving a share of profits that their affiliates collect from successful ransomware infections.

One specific example identified by CrowdStrike’s report from early April 2019, saw a BGH intrusion against a large network. During this attack attempt, the adversary deployed ransomware known as Dharma, which fortunately was successfully blocked by CrowdStrike’s Falcon platform. What CrowdStrike was able to determine though is that this piece of ransomware is highly configurable and operates on an affiliate-based system. The threat actors are able to gain access to the systems by exploiting vulnerable machines, or brute-force passwords for machines with weak or predictable credentials.

Some of the recommendations InfoTrust would suggest to businesses to mitigate this kind of threat include;

• Enable Multi-Factor Authentication – for all external remote access points, external applications, and sensitive internal applications to mitigate the threat of illegitimate access via leaked credentials or weak passwords.
   
• Review remote access points – ensure logging is enabled and retained, and that access is monitored and restricted to only necessary resources.
   
• Vulnerability management – ensure regular scans for vulnerabilities are conducted, and available patches are completed efficiently.
   
• Incident response planning – ensure you have a robust incident response plan in place to remediate any potential threats, and importantly make sure the plan is practised at least once a year.
   

eCrime Trends

Of all eCrime attacks, ransomware accounted for 26% of these in 2019. Other prevalent attacks included; banking trojans, spambots, Business Email Compromise, and malware-as-a-service developers.

One technique identified that was particularly interesting and innovative was email thread hijacking. Attackers run Emotet spam campaigns to harvest a user’s email content. After the victim’s email content has been stolen, the exploit identifies email threads by subject lines and formulates a reply to a thread. This technique increases the likelihood of the victim clicking on a link or opening an attachment because the sender appears to be someone they’ve previously communicated with or know in real life. It is likely this kind of tactic is used to support ransomware campaigns.

It’s predicted that in 2020 eCrime gangs will continue to target financial institutions and other companies, but increasing their campaigns outside of Europe and the United States.

Top threats due to continue

It will be of no surprise to most that ransomware, credential exploitation, and social engineering will continue to be the top threats in 2020. With each technique, adversaries are becoming more sophisticated and pivoting quickly in order to remain effective and ahead of the curve.

• Ransomware – after a resurgence of ransomware attacks in 2019, there are no indications that its prevalence will decrease in 2020. CrowdStrike and InfoTrust recommend that it is not enough for businesses to “turn on” security controls, ensuring the correct configuration and deployment across your organisation’s network is key and can often be forgotten about. Review your existing controls and ensure they are still meeting your organisation’s security needs.
   
• Credentials – weak passwords and stolen credentials will continue to be a threat to businesses. But as more businesses enable multi-factor authentication attackers will pivot to target mobile devices more, creating malware designed to intercept tokens and authorisation messages. Multi-factor authentication as a baseline should be deployed for all your business-critical software and services as this increases the difficulty for attackers to access your network. However, it is also recommended that businesses begin to consider security for their workforce’s mobile devices if they have not already begun to do so.
   
• Social Engineering – the scourge of business email compromise attacks continues for security professionals into 2020. The ease in which the attacks can be deployed at relatively low cost, means they will continue to be an effective tactic for cybercriminals. In this instance, people are still very much your last line of defence, and businesses should be reviewing their security awareness programs every 6 – 12 months to ensure the latest threats and attack techniques are being covered.
   

InfoTrust and CrowdStrike

InfoTrust is excited to announce that we have partnered with CrowdStrike to provide a free 15 day free trial of the Falcon Prevent solution, CrowdStrike’s Next Generation Anti-Virus. This free trial provides visibility into the threats and detections your legacy endpoint protection may be missing and provides actionable threat intelligence from CrowdStrike that can be utilised to protect your endpoints from real threats that currently exist in the wild.

To find out more click here.

To access the full 2020 Global Threat Report click here.