CrowdStrike 2024 Global Threat Report: Adversaries Gain Speed and Stealth

The CrowdStrike 2024 Global Threat Report delivers the details of key threats and trends that defined the 2023 threat landscape, the adversaries driving this activity and the steps you can take to defend your organization in the year ahead.

The CrowdStrike Global Threat Report, now in its tenth iteration, examines how adversaries’ behavior poses an ever-expanding risk to the security of organizations’ data and infrastructure. Armed with this critical information, organizations are better equipped to face evolving threats.

Stealth was the pervading theme of the 2023 threat landscape. Adversaries have faced a difficult attack surface due to advancements in threat awareness and technology, and they have responded with tactics that empower them to move faster and evade detection. Over the past year, CrowdStrike Counter Adversary Operations (CAO) observed eCrime groups, nation-state threat actors and hacktivists working to maximize the speed, stealth and impact of their attacks.

Learn more: Download the CrowdStrike 2024 Global Threat Report

Adversaries continue to accelerate. The average eCrime breakout time — the time it takes for an adversary to move from an initially compromised host to another within the organization — was only 62 minutes in 2023, down from 84 minutes the previous year. The fastest recorded breakout time was only 2 minutes and 7 seconds.

There’s a human at the keyboard behind most of today’s attacks. Interactive intrusions were up 60% in 2023, and 75% of attacks used to gain initial access were malware-free. Adversaries are moving away from malware and malicious attachments, and toward more subtle and effective methods such as credential phishing, password spraying and social engineering. With stolen identities, the adversary can then log in with legitimate credentials, now among the fastest and most common ways for them to gain access. The market for stolen identities continues to grow: In 2023, CrowdStrike CAO observed a 20% jump in access broker advertisements selling valid credentials.
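The two findings above (breakout time, and credential abuse such as password spraying as a malware-free entry point) are both visible in ordinary authentication logs. The script below is an added example written for this page, not CrowdStrike code and not derived from the report's data: it runs over a small constructed logon record, flags a source that is spraying one guess across many accounts, and measures breakout time as the interval between the first successful external logon and the first onward logon from that compromised host to another. The log format, the field names, the detection thresholds and the rule that `ws-*`/`srv-*` names and `10.` addresses are internal are all assumptions made for the sample.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events (not real telemetry). One line per attempt:
# timestamp, source (IP or internal hostname), account, target host, outcome.
SAMPLE_LOG = [
    "2023-06-01T09:00:00 src=203.0.113.7 user=alice host=ws-01 result=fail",
    "2023-06-01T09:00:02 src=203.0.113.7 user=bob host=ws-01 result=fail",
    "2023-06-01T09:00:04 src=203.0.113.7 user=carol host=ws-01 result=fail",
    "2023-06-01T09:00:06 src=203.0.113.7 user=dave host=ws-01 result=fail",
    "2023-06-01T09:00:08 src=203.0.113.7 user=erin host=ws-01 result=fail",
    "2023-06-01T09:00:10 src=203.0.113.7 user=frank host=ws-01 result=fail",
    "2023-06-01T09:00:11 src=203.0.113.7 user=frank host=ws-01 result=success",
    # Single-account guessing from another source: noisy, but not a spray.
    "2023-06-01T09:20:00 src=198.51.100.5 user=alice host=ws-03 result=fail",
    "2023-06-01T09:20:05 src=198.51.100.5 user=alice host=ws-03 result=fail",
    "2023-06-01T09:20:10 src=198.51.100.5 user=alice host=ws-03 result=fail",
    # Ordinary internal logon, unrelated to the intrusion.
    "2023-06-01T09:45:00 src=10.0.0.12 user=gina host=ws-02 result=success",
    # Lateral movement: the compromised host logs on to a server.
    "2023-06-01T10:02:11 src=ws-01 user=frank host=srv-02 result=success",
]


def parse_event(line):
    """Turn one 'key=value' log line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event


EVENTS = [parse_event(line) for line in SAMPLE_LOG]


def is_internal(src):
    # Assumption for this sample: hostnames and 10.x addresses are inside the
    # organization; everything else is treated as external.
    return src.startswith(("ws-", "srv-", "10."))


def detect_password_spray(events, min_users=5, max_per_user=2,
                          window=timedelta(minutes=10)):
    """Return {source: [accounts]} for sources that fail against many distinct
    accounts with few attempts each inside the window. Thresholds are
    illustrative; tune them to the environment's normal failure rate."""
    failures_by_src = defaultdict(list)
    for event in events:
        if event["result"] == "fail":
            failures_by_src[event["src"]].append(event)

    flagged = {}
    for src, failures in failures_by_src.items():
        failures.sort(key=lambda e: e["ts"])
        for i, start in enumerate(failures):
            in_window = [f for f in failures[i:] if f["ts"] - start["ts"] <= window]
            per_user = Counter(f["user"] for f in in_window)
            # Many accounts, each tried only once or twice: the spray signature.
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged[src] = sorted(per_user)
                break
    return flagged


def breakout_time(events):
    """Minutes from the first successful external logon to the first successful
    logon that originates from that newly compromised host and lands on a
    different host. Returns None if no lateral movement is seen."""
    successes = sorted((e for e in events if e["result"] == "success"),
                       key=lambda e: e["ts"])
    for i, entry in enumerate(successes):
        if is_internal(entry["src"]):
            continue  # only an external-origin logon counts as initial access
        patient_zero = entry["host"]
        for later in successes[i + 1:]:
            if later["src"] == patient_zero and later["host"] != patient_zero:
                return (later["ts"] - entry["ts"]).total_seconds() / 60
    return None


if __name__ == "__main__":
    print("password spray sources:", detect_password_spray(EVENTS))
    print("breakout time (minutes):", breakout_time(EVENTS))
```

Two design points are worth noting for anyone adapting this to real data. The spray detector keys on the count of distinct accounts per source rather than on total failures, which is what separates a spray from a single-account brute force such as the `198.51.100.5` lines above. The breakout measurement ties the lateral logon back to the specific host that was first compromised, so that unrelated internal logons in the same period do not shorten the measured interval.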

As organizations continue to move operations to the cloud, adversaries are quickly developing skills to exploit gaps in protection. CAO observed a 75% increase in cloud intrusions.


Adversaries leveraged identity-based techniques to gain access, persist and escalate privileges in cloud environments. These findings around interactive intrusions, breakout time, cloud attacks and access broker activity collectively illustrate a key theme of this year’s report: Identities are primary enablers of intrusions, and protecting them is essential to stop today’s adversaries.

CAO now tracks more than 230 adversaries — including 34 new adversaries identified in 2023. Stopping breaches requires understanding these adversaries, including their motivations and the techniques they use to target organizations. Below are more trends and findings we explore in this year’s report:

  • Third-party relationship exploitation: Adversaries consistently worked to exploit vendor-client relationships using two key methods: exploiting access to vendors supplying IT services, and compromising the software supply chain using trusted software to spread malicious tools.
  • Generative AI use is poised to grow: In 2023, we observed nation-state actors and hacktivists experimenting with generative AI to democratize attacks and lower the barrier to entry for more sophisticated operations. Generative AI will likely be used for cyber activities in 2024 as it continues to grow in popularity.
  • Potential to disrupt global elections: With more than 40 democratic elections scheduled in 2024, nation-state and eCrime adversaries will have numerous opportunities to disrupt the electoral process or sway voter opinion. Nation-state actors from China, Russia and Iran are highly likely to conduct mis- or disinformation operations to sow disruption against the backdrop of geoconflicts and global elections.

Announcing: CrowdStrike Falcon Adversary Modules

Today, we are announcing three new CAO products that bring together our elite threat hunters and industry-leading threat intelligence — an industry-first combination with unmatched power to pursue and stop adversaries. These offerings are built to hunt down threat actors, accelerate investigation and response time, and fortify defenses. Let’s take a closer look:

CrowdStrike Falcon® Adversary OverWatch™: Round-the-clock protection across endpoint, identity and cloud workloads is delivered by AI-powered threat hunting experts, and built-in threat intelligence exposes adversary tactics, vulnerabilities and stolen credentials.

CrowdStrike Falcon® Adversary Intelligence: End-to-end intelligence automation cuts response time across the security stack and empowers security teams to instantly submit potential threats to an AI-powered sandbox, extract indicators of compromise and deploy countermeasures — all while continuously monitoring for fraud and protecting your brand, employees and sensitive data.

CrowdStrike Falcon® Adversary Intelligence Premium: World-class intelligence reporting, technical analysis and threat hunting and detection libraries enable organizations to lower the time and cost required to understand and defend against sophisticated nation-state, eCrime and hacktivist adversaries.

To stop today’s adversaries, we must first understand their tactics, techniques and motivations. CrowdStrike pioneered the concept of adversary-focused cybersecurity because it’s the best way to protect organizations. With our collection of intelligence, we know the adversary better than anyone. I hope you find the CrowdStrike 2024 Global Threat Report informative in our shared fight against today’s threats.
