Organizations are lagging behind the accelerating pace at which cyber-attackers are abandoning malware in favor of stolen privileged credentials and "living off the land" intrusion techniques. CrowdStrike's latest Falcon OverWatch threat hunting report found a marked shift in attack strategy toward malware-free intrusion activity, which accounts for 71% of all detections indexed by the CrowdStrike Threat Graph.
The report paints a sobering picture of how complex adversaries' attack strategies have become and how fast they adapt to avoid detection.
"A key finding from the report was that more than 60% of the interactive intrusions observed by OverWatch involved the use of valid credentials, which continue to be abused by adversaries to facilitate initial access and lateral movement," said Param Singh, vice president, Falcon OverWatch at CrowdStrike.
Cyber attackers are increasingly exploiting privileged credentials and the identities associated with them to move laterally across networks. Cybercrime accounted for 43% of interactive intrusions, while state-nexus actors accounted for 18% of activity. The prevalence of cybercrime indicates that financial motives dominate intrusion attempts.
Cyber attackers continue to outsmart companies
CrowdStrike found that cyber attackers focus on techniques that evade detection and scale quickly. CrowdStrike's research found a record 50% year-over-year increase in hands-on intrusion attempts and more than 77,000 potential intrusions. Human threat hunters found adversaries actively executing malicious techniques throughout the attack chain, despite those adversaries' efforts to evade autonomous detection methods.
It now takes only one hour and 24 minutes to move from the initial point of compromise to other systems. That is less than the one hour and 38 minutes originally reported by Falcon OverWatch in the 2022 CrowdStrike Global Threat Report. One in three intrusions sees the attacker moving laterally in less than 30 minutes. CrowdStrike's report shows how the future of cyber-attacks will be shaped by increasingly sophisticated tactics, techniques and procedures (TTPs) aimed at evading technology-based defenses so that attackers can achieve their goals.
Abuse of privileged credentials, exploitation of public-facing infrastructure, abuse of external remote services (especially RDP) and OS credential dumping dominate the MITRE heat maps that track intrusion activity. The MITRE analysis in the report stands out for its depth. Also noteworthy is how succinctly it reflects how pervasive the threat of privileged credential abuse and identity theft is in enterprises today. Eight of the 12 MITRE ATT&CK categories are led by some form of credential, RDP or OS abuse.
"OverWatch tracks and categorizes observed adversary TTPs against the MITRE ATT&CK Enterprise matrix. In terms of the prevalence and relative frequency of specific MITRE ATT&CK techniques used by adversaries, what stood out was that adversaries were really focused on getting in and staying in," Singh told VentureBeat. "That means establishing and maintaining multiple avenues of persistent access, and seeking additional credentials in an effort to expand their foothold and access level, is often high on adversaries' target lists."
Fighting the siege on identity with zero trust
Cyber attackers target Identity and Access Management (IAM) systems to exfiltrate as many identities as possible, and CrowdStrike's report explains why: abusing privileged credentials is a proven intrusion technique that evades detection.
“One of the most disturbing observations from the report is that identity continues to come under attack. As organizations around the world look to evaluate or advance their zero-trust initiatives, there is certainly still a lot of work to be done,” said Singh.
Enterprises need to accelerate their evaluation of zero-trust frameworks and define one that fits their business goals today and their plans for the future. Enterprises need to get started on zero-trust assessments, roadmaps and implementation plans to stop credential abuse, RDP-based intrusion and OS-based intrusion. The measures organizations can take today should strengthen basic cybersecurity hygiene while hardening IAM and privileged access management (PAM) systems.
Get the basics of security hygiene right first
Zero trust initiatives should start with projects that deliver measurable value first. Multi-factor authentication (MFA), patch management automation, and continuous training on how to prevent phishing or social engineering breaches are key.
Singh and his team also advise that “implementing a robust patch management program and ensuring strong user account management and privileged access control to mitigate the potential impact of compromised credentials” is essential.
Remove inactive accounts from IAM and PAM systems
Every enterprise has dormant accounts that were once created for contractors, sales, service and support partners. Cleaning up all inactive IAM and PAM accounts helps prevent intrusion attempts.
Audit how new accounts are created and review accounts with administrator privileges
Cyber attackers launching intrusion attempts also want to hijack the new-account creation process for their own use. The goal is to establish a more persistent presence that lets them move laterally. Auditing accounts with administrative privileges also helps you determine whether privileged access credentials have been stolen or used to initiate an intrusion.
"Adversaries will use local accounts and create new domain accounts as a means of achieving persistence. Providing new accounts with elevated privileges gives the adversary more options and another way to operate covertly," Singh said. Accounts need to be "monitored, limited to only the access to necessary resources that is permitted, and reset regularly to reduce the attack surface for attackers looking for a way to operate beneath it," he said.
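The two checks recommended above, dormant accounts and newly created accounts that are promptly granted elevated privileges, expressed as detection logic in Python. This is an added example, not code from CrowdStrike or the report; the event records and account inventory are constructed, the Windows Security event IDs (4720 account created, 4728/4732 member added to a security-enabled group) are the standard ones, and the 24-hour and 90-day thresholds are assumptions.

```python
from datetime import datetime, timedelta

# Constructed Windows Security log records (event IDs: 4720 = user account created,
# 4728 = member added to global security group, 4732 = member added to local security group).
EVENTS = [
    {"time": "2022-09-01T09:00:00", "id": 4720, "account": "svc-backup", "actor": "admin1"},
    {"time": "2022-09-01T09:12:00", "id": 4728, "account": "svc-backup", "group": "Domain Admins", "actor": "admin1"},
    {"time": "2022-09-01T10:00:00", "id": 4720, "account": "jdoe", "actor": "hr-onboard"},
    {"time": "2022-09-03T08:00:00", "id": 4728, "account": "jdoe", "group": "Sales", "actor": "hr-onboard"},
]

# Constructed directory inventory with last-logon timestamps (None = never logged on).
ACCOUNTS = [
    {"name": "contractor-01", "last_logon": "2022-01-15T00:00:00", "enabled": True},
    {"name": "jdoe", "last_logon": "2022-09-20T00:00:00", "enabled": True},
    {"name": "old-partner", "last_logon": None, "enabled": True},
    {"name": "retired-svc", "last_logon": None, "enabled": False},
]

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
GROUP_ADD_EVENTS = {4728, 4732}


def parse(ts):
    return datetime.fromisoformat(ts)


def privileged_new_accounts(events, window=timedelta(hours=24)):
    """Accounts created and then added to a privileged group within `window`:
    the 'new account with elevated privileges' persistence pattern."""
    created = {e["account"]: parse(e["time"]) for e in events if e["id"] == 4720}
    hits = []
    for e in events:
        if e["id"] in GROUP_ADD_EVENTS and e.get("group") in PRIVILEGED_GROUPS:
            t0 = created.get(e["account"])
            if t0 is not None and timedelta(0) <= parse(e["time"]) - t0 <= window:
                hits.append((e["account"], e["group"], e["actor"]))
    return hits


def dormant_accounts(accounts, now, max_idle=timedelta(days=90)):
    """Enabled accounts with no logon within `max_idle`; never-logged-on counts as dormant.
    Already-disabled accounts are skipped since they are not a live attack surface."""
    out = []
    for a in accounts:
        if not a["enabled"]:
            continue
        last = a["last_logon"]
        if last is None or now - parse(last) > max_idle:
            out.append(a["name"])
    return out
```

Run against a real export, both lists are review queues: the first goes to whoever approved the privilege grant, the second to account cleanup.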
Change default security settings on cloud instances
Unfortunately, every cloud platform provider's interpretation of the shared responsibility model varies, creating gaps that cyber attackers can quickly exploit. That is one of the many reasons Gartner predicts that at least 99% of cloud security mistakes through 2023 will start with user error. Singh cautions that organizations should understand the security measures available to them and not assume that the service provider has applied default settings that are appropriate for them.
The arms race to detect intrusions
With each new set of tactics, techniques and procedures (TTPs) that cyber attackers create, enterprises find themselves in an arms race that began months earlier. Tech stacks must change incrementally to replace perimeter-based systems with zero trust. No two organizations will share the exact same roadmap, framework or endpoint strategy, as each needs to align them with its core business.
Despite all their differences, one factor they all share is the move to zero trust to strengthen IAM, PAM and identity management across the enterprise, to avert intrusions they cannot see until it is too late. Enterprises are in an arms race against identity-based cyberattacks that they may not fully see yet, but the threat is there and growing.