CrowdStrike has released its sixth annual Threat Hunting Report for 2023, shedding light on critical insights gathered by its expert threat hunters and intelligence analysts. This comprehensive report delves into the evolving landscape of cyber threats and adversary tactics, focusing on a range of attack trends observed between July 2022 and June 2023.
Key findings from the report include:
- Massive Increase in Identity-Based Intrusions: The report reveals a staggering 583% increase in Kerberoasting identity attacks. Kerberoasting lets adversaries obtain valid credentials for Microsoft Active Directory service accounts, which in turn grants them higher privileges and prolonged stealth in victim environments. The use of valid accounts for interactive intrusions rose to 62%, while attempts to gather credentials via cloud instance metadata APIs surged by 160%.
- Growing Use of Legitimate RMM Tools: Adversaries are increasingly turning to legitimate and well-known remote IT management applications to blend into enterprise environments and evade detection. This trend is highlighted by a 312% year-over-year increase in adversaries leveraging legitimate Remote Monitoring and Management (RMM) tools for unauthorized activities.
- Record Low Adversary Breakout Time: The report records a record low average adversary breakout time of 79 minutes. This metric measures how quickly adversaries move laterally within compromised environments, demonstrating their growing efficiency and ability to bypass traditional detection methods. The fastest breakout time recorded was an astonishing seven minutes.
- Surge in Financial Industry Intrusions: The financial sector experienced an alarming 80% year-over-year increase in interactive intrusions, defined as intrusions involving direct keyboard activity. Interactive intrusions overall saw a 40% increase.
- Adoption of Linux Privilege-Escalation Tools: Adversaries demonstrated a threefold increase in the use of the Linux privilege-escalation tool linPEAS to exploit cloud environments. This tool enumerates cloud environment metadata, network attributes, and various credentials, offering adversaries new avenues for exploitation.
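Kerberoasting, the fastest-growing technique in the findings above, leaves a recognizable trace in the domain controller's security log: one account requesting service tickets for many distinct SPNs in a short burst, typically with the crackable RC4 encryption type. The following detector is an added illustration, not code from CrowdStrike or the report; the Event ID 4769 records are constructed, and the five-SPN-in-five-minutes threshold is an assumed starting point that a real deployment would baseline per environment.

```python
# Added example (not from the CrowdStrike report): a first-pass Kerberoasting
# detector over constructed Windows Security Event ID 4769 records (Kerberos
# service ticket requested). It flags an account that requests tickets for many
# distinct SPNs inside a short window using RC4-HMAC (etype 0x17).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. "etype" is the ticket encryption type from the
# 4769 event: 0x17 = RC4-HMAC (cheap to crack offline), 0x12 = AES256 (normal).
EVENTS = [
    {"time": "2023-05-01T10:00:01", "user": "jdoe",  "spn": "MSSQLSvc/db01:1433",   "etype": "0x17"},
    {"time": "2023-05-01T10:00:02", "user": "jdoe",  "spn": "HTTP/intranet",        "etype": "0x17"},
    {"time": "2023-05-01T10:00:02", "user": "jdoe",  "spn": "CIFS/fileserver",      "etype": "0x17"},
    {"time": "2023-05-01T10:00:03", "user": "jdoe",  "spn": "MSSQLSvc/db02:1433",   "etype": "0x17"},
    {"time": "2023-05-01T10:00:04", "user": "jdoe",  "spn": "exchangeMDB/mail01",   "etype": "0x17"},
    {"time": "2023-05-01T10:00:05", "user": "jdoe",  "spn": "ldap/dc01",            "etype": "0x17"},
    {"time": "2023-05-01T10:01:00", "user": "alice", "spn": "CIFS/fileserver",      "etype": "0x12"},
    {"time": "2023-05-01T10:01:30", "user": "alice", "spn": "HTTP/intranet",        "etype": "0x12"},
    {"time": "2023-05-01T11:30:00", "user": "bob",   "spn": "MSSQLSvc/db01:1433",   "etype": "0x17"},
    {"time": "2023-05-01T14:45:00", "user": "bob",   "spn": "HTTP/intranet",        "etype": "0x17"},
]

def detect_kerberoasting(events, window=timedelta(minutes=5), min_spns=5):
    """Return {user: sorted SPN list} for accounts that requested RC4 service
    tickets for at least `min_spns` distinct SPNs within any `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["etype"] == "0x17":  # only RC4 requests count toward the burst
            by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["spn"]))
    flagged = {}
    for user, reqs in by_user.items():
        reqs.sort()  # sliding window needs chronological order
        for i, (t0, _) in enumerate(reqs):
            spns = {spn for t, spn in reqs[i:] if t - t0 <= window}
            if len(spns) >= min_spns:
                flagged[user] = sorted(spns)
                break
    return flagged

if __name__ == "__main__":
    for user, spns in detect_kerberoasting(EVENTS).items():
        print(f"possible Kerberoasting by {user}: {len(spns)} SPNs in 5 min -> {spns}")
```

Note that "bob" above makes two RC4 requests hours apart and is not flagged; the RC4 filter is a starting point, since adversaries can also request AES tickets, so a production rule should add a per-account SPN-count baseline rather than rely on the encryption type alone.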
The report also highlights the growing significance of access broker advertisements, which surged by 147% on criminal and underground communities. This phenomenon makes valid accounts readily accessible for sale, enabling both novice and established adversaries to conduct criminal operations and refine their post-exploitation tactics.
Adam Meyers, Head of Counter Adversary Operations at CrowdStrike, emphasized the evolving threat landscape and the need for proactive security measures: “Adversaries are getting faster and they are employing tactics intentionally designed to evade traditional detection methods. Security leaders need to ask their teams if they have the solutions required to stop lateral movement from an adversary in just seven minutes.”
CrowdStrike’s Threat Hunting Report serves as a crucial resource for cybersecurity professionals, providing insights into the dynamic nature of cyber threats and the necessity of adapting security strategies to counteract rapidly evolving adversary tactics.