Organizations are falling behind cyberattackers’ quickening pace of abandoning malware for stolen privileged access credentials and ‘living off the land’ intrusion techniques. CrowdStrike’s latest Falcon OverWatch threat hunting report found a solid shift in attack strategy toward malware-free intrusion activity, which accounts for 71% of all detections indexed by CrowdStrike Threat Graph.
The report provides a sobering glimpse into how complex adversaries’ attack strategies have become and how quickly they adapt to avoid detection.
“A key finding from the report was that upwards of 60% of interactive intrusions observed by OverWatch involved the use of valid credentials, which continue to be abused by adversaries to facilitate initial access and lateral movement,” said Param Singh, vice president, Falcon OverWatch at CrowdStrike.
Cyberattackers are becoming prolific at abusing privileged access credentials and their associated identities to move laterally across networks. Cybercrime accounted for 43% of interactive intrusions, while state-nexus actors accounted for 18% of activity. Heavy cybercrime activity indicates financial motives dominate intrusion attempts.
Cyberattackers continue to out-automate enterprises
CrowdStrike found that cyberattackers are concentrating on techniques that avoid detection and scale fast. Cyberattackers are out-automating enterprises with undetectable intrusion techniques. CrowdStrike’s research found a record 50% year-over-year increase in hands-on intrusion attempts and more than 77,000 potential intrusions. Human threat hunters uncovered adversaries actively carrying out malicious techniques across the attack chain, despite cyberattackers’ best efforts to evade autonomous detection methods.
It takes just one hour and 24 minutes to move from the initial point of compromise to other systems. That’s down from one hour and 38 minutes originally reported by Falcon OverWatch in the 2022 CrowdStrike Global Threat Report. One in every three intrusion attacks leads to a cyberattacker moving laterally in under 30 minutes. CrowdStrike’s report shows how the future of cyberattacks will be defined by increasingly advanced tactics, techniques and procedures (TTPs) aimed at bypassing technology-based defense systems to achieve their goals successfully.
Privileged credential abuse, exploiting public-facing infrastructure, abusing remote services (particularly RDP) and dumping OS credentials dominate MITRE heat maps tracking intrusion activity. The MITRE analysis in the report is noteworthy for its depth. Also noteworthy is how succinctly it captures how pervasive the threat of privileged credential abuse and identity theft is across enterprises today. Eight of the 12 MITRE ATT&CK categories are led by varying credential, RDP and OS credential abuse.
“OverWatch tracks and categorizes observed adversary TTPs against the MITRE ATT&CK Enterprise matrix. In terms of the prevalence and relative frequency of specific MITRE ATT&CK techniques used by adversaries, what stood out was that adversaries are really looking to get in and stay in,” Singh told VentureBeat. “That means establishing and maintaining multiple avenues of persistent access and seeking out additional credentials in a bid to deepen their foothold and level of access are often high on an adversary’s list of objectives.”
Battling back identity siege with zero trust
Cyberattackers target identity access management (IAM) to exfiltrate as many identities as possible, and CrowdStrike’s report explains why. Abusing privileged access credentials is a proven intrusion technique that evades detection.
“One of the most concerning observations from the report is that identity remains under siege. While organizations globally are looking to evaluate or advance their zero-trust initiatives, there is most certainly still a lot of work to be done,” Singh said.
Enterprises need to fast-track their evaluation of zero-trust frameworks and define one that best supports their business objectives today and plans for the future. Enterprises need to get started on zero-trust evaluations, creating roadmaps and implementation plans to stop credential abuse, RDP and OS credential-based intrusions. Steps organizations can take today need to reinforce cybersecurity hygiene while hardening IAM and privileged access management (PAM) systems.
Getting the basics of security hygiene right first
Zero-trust initiatives must begin with projects that deliver measurable value first. Multifactor authentication (MFA), automating patch management and continuous training on how to avert phishing or social engineering breaches are key.
Singh and his team also advise that “deploying a robust patch management program and ensuring strong user account control and privileged access management to help mitigate the potential impact of compromised credentials” is essential.
Get rid of inactive accounts in IAM and PAM systems
Every enterprise has dormant accounts once created for contractors, sales, service and support partners. Purging all inactive IAM and PAM accounts can help avert intrusion attempts.
Review how new accounts are created and audit accounts with administrative privileges
Cyberattackers launching intrusion attempts also want to hijack the new account creation process for their own use. Their goal is to create a more persistent presence from which they can move laterally. Auditing accounts with admin privileges will also help identify whether privileged access credentials have been stolen or used to launch intrusions.
“Adversaries will leverage local accounts and create new domain accounts as a means to achieve persistence. By providing new accounts with elevated privileges, the adversary gains further capabilities and another means of operating covertly,” Singh said. “Service account activity should be audited, restricted to only permitted access to necessary resources and should have regular password resets to limit the attack surface for adversaries looking for a means to operate beneath,” he says.
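The two account checks above (purging inactive accounts, and auditing newly created privileged accounts and service account passwords) can be run as one pass over an account export. This is an added example, not code from the CrowdStrike report or from this article; the CSV columns, account names and day thresholds are assumptions and the sample data is constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export; column names and thresholds are assumptions,
# not the schema of any real IAM or PAM product.
SAMPLE_CSV = """account,type,is_admin,created,last_login,password_set
jsmith,user,no,2019-03-01,2022-09-10,2022-07-01
contractor7,user,no,2020-01-15,2021-02-03,2020-01-15
svc-backup,service,yes,2018-06-01,2022-09-12,2018-06-01
helpdesk2,user,yes,2022-09-08,2022-09-09,2022-09-08
admin-ops,user,yes,2017-04-20,2022-09-11,2022-08-15
old-partner,user,no,2019-11-11,,2019-11-11
"""

DORMANT_DAYS = 90       # no login for this long: candidate for removal
NEW_ADMIN_DAYS = 14     # privileged account created this recently: verify it
SERVICE_PW_DAYS = 180   # service account password older than this: rotate


def _date(value):
    return datetime.strptime(value, "%Y-%m-%d") if value else None


def audit_accounts(csv_text, today):
    """Return {finding: [account names]} for the three hygiene checks."""
    findings = {"dormant": [], "new_admin": [], "stale_service_password": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        created = _date(row["created"])
        last_login = _date(row["last_login"])
        password_set = _date(row["password_set"])
        is_admin = row["is_admin"].strip().lower() == "yes"

        # Accounts that never logged in are measured from their creation date.
        last_seen = last_login or created
        if today - last_seen > timedelta(days=DORMANT_DAYS):
            findings["dormant"].append(row["account"])
        if is_admin and today - created <= timedelta(days=NEW_ADMIN_DAYS):
            findings["new_admin"].append(row["account"])
        if row["type"] == "service" and \
                today - password_set > timedelta(days=SERVICE_PW_DAYS):
            findings["stale_service_password"].append(row["account"])
    return findings


if __name__ == "__main__":
    report = audit_accounts(SAMPLE_CSV, datetime(2022, 9, 15))
    for finding, names in report.items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

Each flagged name is a prompt for review against a ticket or owner, not an automatic deletion; a new admin account with no matching change request is the case the audit is meant to surface.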
Change default security settings on cloud instances
Unfortunately, each cloud platform provider’s interpretation of the Shared Responsibility Model varies, which creates gaps cyberattackers can quickly capitalize on. That’s one of the many reasons Gartner predicts that at least 99% of cloud security failures through 2023 will start with user error. Param warns that organizations must understand the available security controls and not assume that the service provider has applied default settings that are appropriate for them.
The arms race to identify intrusions
With each new series of tactics, techniques and procedures (TTPs) cyberattackers create, enterprises discover that they’re in an arms race that’s started months before or later. Incrementally changing tech stacks to replace perimeter-based systems with zero trust needs to happen. No two organizations will share the exact roadmap, framework, or endpoint strategy as each has to mold it to its core business.
Despite all their differences, one thing they all share is the need to get moving with zero trust to fortify IAM, PAM and identity management company-wide to avert intrusion attacks they can’t see until it’s too late. Enterprises are in an arms race with cyberattackers over identities, one they may not fully see yet, but it’s there and growing.