Hands-on intrusion attempts increased by a record 50% year-over-year in 2022 amid distinct changes in attack trends and adversary tradecraft, according to the fourth annual CrowdStrike Falcon OverWatch threat hunting report.
The report includes insights from Falcon OverWatch’s global threat hunting operations from July 1, 2021 through June 30, 2022.
Falcon OverWatch threat hunters identified more than 77,000 potential intrusions, or approximately one potential intrusion every seven minutes.
These are instances where proactive, human-led threat hunting uncovered adversaries actively carrying out malicious techniques at various stages of the attack chain, despite attackers’ best efforts to covertly evade autonomous detection methods.
Falcon OverWatch calculated that the breakout time — the average time it takes an adversary to move laterally from initial compromise to other hosts within the victim environment — for eCrime adversaries has fallen to one hour and 24 minutes from one hour and 38 minutes.
Moreover, Falcon OverWatch found that in close to one-third (30%) of those eCrime intrusions, the adversary was able to move laterally in under 30 minutes.
These findings underline the speed and scale at which threat actors evolve their tactics, techniques, and procedures (TTPs), and are capable of bypassing even the most sophisticated technology-based defense systems to successfully achieve their goals.
“To thwart brazen threat actors, security teams must implement solutions that proactively search for hidden and advanced attacks every hour of every day,” said Param Singh, VP of Falcon OverWatch at CrowdStrike.
The report also found that eCrime is the top threat type for interactive intrusion campaigns, accounting for 43% of interactive intrusions.
Meanwhile state-nexus actors accounted for 18% of activity. Hacktivists accounted for just 1% of interactive intrusion campaigns, with the remaining intrusions unattributed.
Also, adversaries continue shifting away from malware. Malware-free threat activity accounted for 71% of all detections indexed by the CrowdStrike Threat Graph.
The predominance of malware-free activity is related, in part, to adversaries’ prolific abuse of valid credentials to facilitate access and persistence in victim environments. Another factor is the rate at which new vulnerabilities are being disclosed and the speed with which adversaries are able to operationalize exploits.
Technology is the top industry targeted for interactive intrusions (19%), followed by telecommunications (10%), manufacturing (7%), academic (7%) and healthcare (7%).
Telecommunications is the top industry for targeted intrusions by nation-state actors (37%), followed by technology (14%), government (9%), academic (5%) and media (4.5%).
The telecommunications industry continues to be preyed on for fulfillment of state-sponsored surveillance, intelligence and counterintelligence collection priorities.
Further, healthcare was in the crosshairs of Ransomware-as-a-Service (RaaS). The volume of attempted interactive intrusions against the healthcare industry has doubled year-over-year. A significant majority of these intrusions have been attributed to eCrime.
