In December 2020, CrowdStrike released its annual Cyber Front Lines Report, bringing together insights and observations from a dedicated team of cyber security professionals working with organisations large and small in over 34 countries.
In the unprecedented year of 2020, in which a global pandemic rapidly changed the way we live and work, the task of cyber security became ever more complicated. The report’s front-line view gives a clearer picture of what cyber security experts deal with daily. By looking at the report, we can learn not only how adversaries have adapted, but also which recommendations and pragmatic steps will improve the cyber security posture of our organisations.
WHAT ARE THE KEY FINDINGS?
The trends in the CrowdStrike Services report were derived from data points and insights collected from a wide variety of incidents over the past 12 months. Some of the key findings from the report include:
- Most attacks are financially motivated – 63% of CrowdStrike Services cases over the past year were financially motivated, and 81% of those financially motivated attacks involved the deployment of ransomware or activity that is a known precursor to ransomware.
- Data-leak extortion tactics are more common – in previous years eCrime adversaries seldom exfiltrated data; in 2020, however, widespread adoption of ransomware combined with data-leak extortion (stealing data before encrypting it and threatening to publish it) was observed.
- eCrime adversaries are collaborating – CrowdStrike has observed formal collaboration between eCrime adversaries as well as new tactics being used and spread among different eCrime actors.
- Antivirus solutions are often insufficient – in 40% of the incidents CrowdStrike responded to in 2020, antivirus solutions failed to provide protection, with malware going undetected or part of the attack sequence being missed.
- Dwell time remains high – the average time an adversary has access to a compromised environment before detection fell from 95 days in 2019 to 79 days, but that is still more than two months of unobserved access.
- Intrusions are rarely a one-off event – of the organisations that experienced an intrusion and called upon CrowdStrike to manage their ongoing endpoint protection and remediation efforts, 68% experienced another intrusion attempt within 12 months.
- Threat actors target neglected infrastructure – adversaries were observed exploiting infrastructure that had been slated for retirement and therefore no longer received security configuration updates or regular maintenance, yet still held critical business data and systems.
- Public-facing applications provide initial access – public-facing applications were used in 30% of investigated cases to gain initial access to an environment, as adversaries capitalised on newly disclosed vulnerabilities.
- State-sponsored adversaries target organisations big and small – CrowdStrike saw organisations ranging from 500 to 50,000+ endpoints across ten industries targeted, with attacks often compromising cloud infrastructure, being more sophisticated and leaving smaller footprints.
RECOMMENDATIONS FROM THE REPORT
As well as delivering key findings and statistics, CrowdStrike’s report offers some recommendations to help organisations mitigate the risks of today’s sophisticated attacks. Some of the key recommendations include:
- Adopting next-generation antivirus solutions – these solutions leverage the cloud for scalability and use modern techniques to identify advanced threats. Moreover, organisations need to ensure any solution provides comprehensive coverage and is properly configured.
- Shifting tactics from response to continuous monitoring – organisations should examine their response times and look for opportunities to lower these metrics.
- Performing the fundamentals of cyber security – in a work-from-anywhere landscape, security teams must remain vigilant, and all information security employees should understand their roles and be ready to perform them.
- Focusing on effective identity and device-based access controls – when migrating to cloud-centric architectures, organisations should begin to steer access controls towards a posture of Zero Trust.
- Building a bulletproof backup strategy – to avoid being left without adequate backups, or having backups encrypted or deleted during a ransomware attack, organisations should strengthen their backup strategy; in practice that means keeping copies an attacker with domain privileges cannot reach and regularly testing that restores actually work.
- Protecting internet-facing applications – best practices such as multi-factor authentication, keeping applications and operating systems up to date and installing all vendor-released patches are vital.
- Adopting cloud-focused assessment strategies – using traditional methods to assess an organisation’s security posture is insufficient in a cloud environment. Cloud security assessments can help to identify gaps.
- Focusing on the post-incident period – cyber security shouldn’t just be about preparation; it should also be about applying lessons learned. By focusing attention more holistically, organisations can drive change.
- Ensuring continuous monitoring and response – by planning for real-time, continuous monitoring and response, rather than reactive emergency intrusion response, investigation and remediation time can reduce drastically.
HOW TO IMPROVE YOUR ORGANISATION’S DEFENCE
Remote working redefined the playing field in 2020, providing a wealth of new attack surfaces for adversaries to exploit. Holistic coordination and continued vigilance are more important than ever if your organisation is to detect and stop sophisticated intrusions. By heeding the observations and recommendations in CrowdStrike’s report, however, you have an opportunity to make significant improvements in your organisation’s ability to defend against the most common types of cyberattack.