Know Your Attackers: 2020 CrowdStrike Services Report Key Findings (Part 1 of 2)

January 29, 2020

The cybersecurity landscape is always evolving, but one thing remains constant: Cyber adversaries continue to be relentless and innovative in their efforts to find gaps in your organization’s security and leverage them for their own gain. This blog offers highlights from this year’s CrowdStrike Services Cyber Front Lines Report that illustrate the importance of knowing your attackers — what their objectives are, how they gain initial access to a network and what techniques they use once inside. The findings in the CrowdStrike Services report are based on real-world engagements by our seasoned incident response (IR) investigators who face sophisticated adversaries and the challenges they present on a daily basis. The notable trends and themes observed throughout 2019 are drawn from a wide range of public and private organizations spanning many countries, regions and industry sectors. Here’s a snapshot of six key takeaways from the report:
  1. Business disruption remains the main attack objective, followed by data theft and monetary loss.
  2. Dwell time increased, due to advanced adversaries employing stronger countermeasures and remaining hidden longer — but more organizations improved their attack self-identification.
  3. Spear-phishing again topped the list of initial attack vectors. Others were web attacks, compromised credentials and supply chain compromise.
  4. Malware-free intrusions are becoming more prevalent.
  5. The most common attack techniques involved account compromise, often via “living off the land.”
  6. Effective mitigations include better Active Directory and operating system configuration, credential access protection, privileged account management, application isolation, sandboxing and more.
This blog covers the first three points, with the latter three addressed in Part 2, which will cover the common types of attacks observed and mitigation recommendations. You can read an overview of this year’s report in a blog by CSO and President of CrowdStrike Services Shawn Henry.


Business Disruption, Data Theft and Monetary Loss

In 36% of the incidents that CrowdStrike Services investigated in 2019, business disruption was the main attack objective. Most often, the attack involved ransomware, destructive malware or denial of service (DoS) attacks. While the main goal in a ransomware attack is usually financial gain, the resulting business disruption often outweighs the ransom amount. However, this balance may be shifting again — eCrime actors substantially increased their ransom demands over the past year. Data theft was observed in 25% of investigated breaches — this includes theft of intellectual property (IP), personally identifiable information (PII) and personal health information (PHI). IP theft has been linked to numerous nation-state adversaries that specialize in targeted intrusion attacks, whereas PII and PHI data theft can enable both espionage and criminally motivated operations. These types of information may be used by a cyber espionage actor to build a dossier on a high-profile target, or a cybercriminal may sell or ransom the information. With ransomware reclassified under business disruption, monetary loss accounted for just 10% of attacks in 2019. This category includes crimeware, formjacking, cryptojacking and more. Monetary loss was the primary type of damage inflicted in government/education and retail, whereas business disruption was the primary damage in manufacturing and healthcare.

Dwell Time

CrowdStrike Services observed an increase in dwell time — the time between when a compromise first occurs and when it is detected. Average dwell time grew 10 days to 95 in 2019, up from 85 in 2018. Why? Advanced adversaries and state-sponsored threat actors are applying countermeasures that allow them to remain undetected for a protracted length of time — particularly in environments protected by legacy security technologies. These findings underscore the need to implement proactive threat hunting in order to uncover attacks early. When breaches with dwell time greater than one year are excluded, the average drops to approximately 60 days, which represents how long eCrime actors typically spend within an environment conducting reconnaissance about the target environment before executing their attacks. But a dwell time of even one day can be far too long. CrowdStrike recommends that organizations follow the “1-10-60 rule” as a best practice: one minute to detect an intrusion, 10 minutes to investigate and 60 minutes to remediate. Organizations that meet the 1-10-60 rule can dramatically improve their chances of staying ahead of the adversary and stopping a potential breach from occurring. However, only 16% of organizations that the Services team engaged with in 2019 had experienced a compromise with an average dwell time of one day or less. (The vast majority of Services engagements involved organizations that did not have the CrowdStrike Falcon® platform installed. However, there was a small percentage that were in the process of implementing Falcon and had not fully deployed or configured it, and others that experienced an event outside the boundaries of the Falcon platform.) As a result, most organizations are still failing to quickly detect intruders and kick them out.
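To make the two metrics in this section concrete, here is an added example (not code from the report or from CrowdStrike) that computes dwell time per incident, shows how excluding breaches older than one year pulls the average down, and scores each incident against the 1-10-60 rule. The incident timeline is constructed sample data, not figures from the report, and the stage boundaries (detection measured from compromise, investigation from detection, remediation from the end of investigation) are this example's own interpretation of the rule.

```python
from datetime import datetime
from statistics import mean

# Constructed sample incidents (NOT data from the CrowdStrike report).
# Each record carries four ISO 8601 timestamps (UTC) for the key milestones.
SAMPLE_INCIDENTS = [
    # Detected in 45 seconds, investigated in ~7 min, remediated in 42 min: meets 1-10-60.
    {"id": "inc-1", "compromised": "2019-03-01T09:00:00", "detected": "2019-03-01T09:00:45",
     "investigated": "2019-03-01T09:08:00", "remediated": "2019-03-01T09:50:00"},
    # 70-day dwell time, typical of the eCrime window the report describes.
    {"id": "inc-2", "compromised": "2019-01-10T00:00:00", "detected": "2019-03-21T00:00:00",
     "investigated": "2019-03-21T02:00:00", "remediated": "2019-03-23T00:00:00"},
    # 516-day dwell time: the kind of long-running intrusion excluded in the report's second average.
    {"id": "inc-3", "compromised": "2018-01-01T00:00:00", "detected": "2019-06-01T00:00:00",
     "investigated": "2019-06-03T00:00:00", "remediated": "2019-06-10T00:00:00"},
    # 50-day dwell time; fast once detected, but detection itself was far too slow.
    {"id": "inc-4", "compromised": "2019-05-01T00:00:00", "detected": "2019-06-20T00:00:00",
     "investigated": "2019-06-20T00:05:00", "remediated": "2019-06-20T00:30:00"},
]

SECONDS_PER_DAY = 86400.0


def _ts(incident, key):
    """Parse one milestone timestamp of an incident record."""
    return datetime.fromisoformat(incident[key])


def dwell_time_days(incident):
    """Dwell time as defined in the section: compromise to detection, in days."""
    delta = _ts(incident, "detected") - _ts(incident, "compromised")
    return delta.total_seconds() / SECONDS_PER_DAY


def average_dwell_days(incidents, exclude_over_days=None):
    """Mean dwell time; optionally drop outliers longer than a cutoff (e.g. 365 days)."""
    values = [dwell_time_days(i) for i in incidents]
    if exclude_over_days is not None:
        values = [v for v in values if v <= exclude_over_days]
    return mean(values)


def share_detected_within(incidents, days=1.0):
    """Fraction of incidents whose dwell time is at most `days` (the report's one-day yardstick)."""
    hits = sum(1 for i in incidents if dwell_time_days(i) <= days)
    return hits / len(incidents)


def meets_1_10_60(incident):
    """Score one incident against the 1-10-60 rule.

    Interpretation used here (an assumption of this example): detection is timed from
    compromise, investigation from detection, remediation from the end of investigation.
    """
    detect_min = (_ts(incident, "detected") - _ts(incident, "compromised")).total_seconds() / 60
    investigate_min = (_ts(incident, "investigated") - _ts(incident, "detected")).total_seconds() / 60
    remediate_min = (_ts(incident, "remediated") - _ts(incident, "investigated")).total_seconds() / 60
    result = {
        "id": incident["id"],
        "detect_ok": detect_min <= 1,
        "investigate_ok": investigate_min <= 10,
        "remediate_ok": remediate_min <= 60,
    }
    result["meets_all"] = all((result["detect_ok"], result["investigate_ok"], result["remediate_ok"]))
    return result


if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(f'{inc["id"]}: dwell {dwell_time_days(inc):.2f} days, 1-10-60 -> {meets_1_10_60(inc)}')
    print(f"average dwell (all): {average_dwell_days(SAMPLE_INCIDENTS):.1f} days")
    print(f"average dwell (<= 1 year): {average_dwell_days(SAMPLE_INCIDENTS, 365):.1f} days")
    print(f"share detected within 1 day: {share_detected_within(SAMPLE_INCIDENTS):.0%}")
```

On the constructed data the single 516-day intrusion drags the overall average to about 159 days, while excluding breaches older than one year drops it to about 40 days, the same effect the section describes for the real 2019 figures (95 versus roughly 60). Only one of the four sample incidents clears every stage of 1-10-60; inc-4 shows the common pattern of a fast response that still fails because the initial detection took weeks.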


Attack Self-Identification

One improvement noted in the Services report is that organizations have continued to increase their ability to self-detect and respond to breaches, without external notifications. In 2019, 79% of organizations that engaged CrowdStrike for incident response (IR) investigations were able to internally detect an intrusion, up from 75% in 2018 and 68% in 2017. The shift is due in part to C-level executives improving their understanding of cyber risk — and subsequently investing in security to help protect their organizations and customers. As a direct result of executive support, organizations are making a greater effort to mature their security operations and are particularly focusing on detection. However, investment must cover the entire security stack — including endpoint detection and response tools (EDR), threat intelligence, proactive managed hunting and managed remediation services — if organizations are to continue improving their ability to self-detect.

Watch an on-demand webcast where CrowdStrike Services IR experts take a deep dive into the key findings, insights and themes in the Cyber Front Lines Report.

Spear-phishing and Other Attacks

In 2019, the most common ways that attackers initially gained access to a network were through spear-phishing (35%), web attacks (16%), compromised credentials (16%) and supply chain compromise (6%). In the spear-phishing cases observed, 19% used attachments in a spear-phishing email, 15% used spear-phishing with a malicious link and 1% employed spear-phishing via a service. In cases involving web attacks, 12% of the breaches involved an exploit of a public-facing application and 4% resulted from a drive-by compromise. The prevalence of compromised credentials as an initial attack vector decreased from 2018, but it was the most common technique seen in the attack lifecycle, often used to move laterally within a network. A possible reason for the decline could be wider adoption of multifactor authentication (MFA). Third-party compromises like those observed in the software supply chain have the potential to be farther reaching than attacks originating from other vectors due to the challenges in preventing them and the damage they can inflict. Common supply chain attacks in 2019 involved remote administrative software, shared connectivity with a managed service provider and third-party script attacks on websites.

More 2019 Findings, Trends and Insights

Watch for Part 2 covering common types of attacks seen in 2019 and how to mitigate them in 2020. Download the complete report and learn observations gained from the cyber front lines of IR and proactive services in 2019 and insights that matter for 2020: CrowdStrike Services Cyber Front Lines Report.
