One potential intrusion is Identified every seven minutes, finds study

Param Singh, Vice President, Falcon OverWatch at CrowdStrike

CrowdStrike, an in cloud-delivered protection of endpoints, cloud workloads, identity and data, has announced the release of the fourth annual CrowdStrike Falcon OverWatch threat hunting report: Nowhere to Hide: 2022 Falcon OverWatch Threat Hunting Report.

What were the findings of the report?

CrowdStrike’s global research report reveals a record 50% year-over-year (YoY) increase of hands-on intrusion attempts, and distinct changes in attack trends and adversary tradecraft.

Falcon OverWatch threat hunters identified over 77,000 potential intrusions, or about one intrusion every 7 minutes. These are instances where proactive, human-led threat hunting uncovered adversaries actively carrying out malicious techniques at various stages of the attack chain, despite attackers’ efforts to covertly evade autonomous detection methods.

Falcon OverWatch calculated that the breakout time (i.e the time it takes an adversary to move laterally from initial compromise to other hosts within the victim environment) for eCrime adversaries has fallen to one hour and 24 minutes – compared to one hour and 38 minutes reported by Falcon OverWatch in the 2022 CrowdStrike Global Threat Report.

Falcon OverWatch found that in about one-third (30%) of those eCrime intrusions, the adversary was able to move laterally in under 30 minutes. These findings underline the speed at which threat actors evolve tactics, techniques and procedures (TTPs), and are capable of bypassing even the most sophisticated tech-based defense systems to successfully.

What were the executive’s thoughts on the findings?

“Over the past 12 months, the world has faced new challenges spurred by economic pressures and geopolitical tensions, backdropping a threat landscape that is as complicated as ever,” commented Param Singh, Vice President, Falcon OverWatch at CrowdStrike.

“To thwart brazen threat actors, security teams must implement solutions that proactively search for hidden and advanced attacks every hour of every day. The combination of the CrowdStrike Falcon platform with the telemetry, tooling, threat intelligence and human ingenuity of Falcon OverWatch managed threat hunting protects organizations globally against the most sophisticated and stealthy threats,” Param Singh further commented.

What were the research insights?

Other key insights from the report include:

  • eCrime is the top threat type for interactive intrusion campaigns. eCrime accounted for 43% of interactive intrusions, while state-nexus actors accounted for 18% of activity. Hacktivists accounted for just 1% of interactive intrusion campaigns, with the remaining intrusions unattributed.
  • Adversaries shifting away from malware. Malware-free threat activity was 71% of all detections indexed by the CrowdStrike Threat Graph. The predominance of malware-free activity is related, in part, to adversaries’ abuse of valid credentials to facilitate access and persistence in victim environments. Another factor is the rate at which vulnerabilities are being disclosed and the speed with which adversaries are able to operationalize exploits.
  • Technology is the top industry targeted for interactive intrusions.The top five industries targeted overall were technology (19%), telecommunications (10%), manufacturing (7%), academic (7%) and healthcare (7%). Of note, technology was targeted 90% more frequently by interactive intrusions than the second-most targeted industry.
  • Telecommunications is the top industry for targeted intrusions by nation-state actors. The top five industries targeted overall were telecommunications (37%), technology (14%), government (9%), academic (5%) and media (4.5%).

The telecom industry is preyed on for fulfillment of state-sponsored surveillance, intelligence and counterintelligence collection priorities. Of note, telecommunications faced 163% more targeted intrusions by state-nexus actors than the second-most targeted industry.

  • Healthcare finds itself in the crosshairs of Ransomware-as-a-Service (RaaS). The volume of attempted interactive intrusions against the healthcare industry has doubled year-over-year. A significant majority of these intrusions have been attributed to eCrime.

The report includes insights from Falcon OverWatch’s global threat hunting operations from July 1, 2021 through June 30, 2022, and outlines in-depth attack data and analysis.