The CrowdStrike Global Threat Report for 2024 highlights a rapidly evolving cyber threat landscape. The sophistication and speed of cyberattacks are skyrocketing, with adversaries leveraging identity-based tactics, exploiting unmanaged device vulnerabilities, and even capitalizing on trusted relationships for initial access.
Several key takeaways warrant attention in response to the disturbing trends highlighted in the report:
1. The increase in identity-based attacks signals a need for more sophisticated identity and access management solutions.
2. The susceptibility of unmanaged devices underscores the importance of comprehensive asset management and endpoint protection strategies.
3. The exploitation of trusted relationships stresses the importance of zero-trust architectures.
4. Adversaries continue to gain in stealth and speed, increasing their ability to complete their mission before being discovered.
Adversaries are continuing to accelerate: can the defense keep up?
The CrowdStrike 2024 Global Threat Report emphasizes the need for organizations to prioritize identity protection, cloud security, and efficient cybersecurity practices, given the increasing threats posed by hacktivism, targeted intrusions, and eCrime.
Adversaries are gaining in speed and stealth
Adversaries value speed of execution: the faster the attack chain runs, the more likely it is to complete before defenders can intervene. With the increasingly sophisticated tooling available to them, adversaries are completing offensive activity more quickly than before.
Adversary tactics are evolving toward greater speed and stealth. Fast-moving, stealthy threats raise the risk for cyber defense, because they allow adversaries to compromise critical assets without being detected.
Significant reduction in adversary breakout time
After obtaining initial access to an endpoint, adversaries seek to move laterally to reach critical assets, such as important servers and sensitive data. Before lateral movement, the early stages of the offensive lifecycle typically include endpoint, catalog, and network reconnaissance, credential access, privilege escalation, establishing persistence, and attempts to disable security controls.
The time from initial access to lateral movement is known as the “breakout time.” The CrowdStrike Global Threat Report 2024 reports that the average breakout time fell sharply to 62 minutes in 2023 from 84 minutes in 2022. The fastest observed breakout time was just 2 minutes and 7 seconds.
The advances in offensive security and AI for offense indicate that the breakout time will reduce even further in 2024 and beyond.
Identity-driven exploits
The threat report indicates that adversaries spend over 88% of their time obtaining initial access. Adversaries are migrating to identity-driven exploits for initial access, obtaining legitimate credentials from initial access brokers (IABs). This reduces the need for malware-based exploits and brute-force attempts, significantly shortening the time to initial access.
Adversaries also leverage identities for lateral movement within the organization.
Increase in stealth
The threat report indicates that adversaries are leveraging stealthy offensive techniques to avoid detection and complete their mission. As defenders have strengthened their security posture by deploying EDR and other forms of traditional detection, adversaries have shifted their focus toward techniques that evade those controls.
Malware-free attacks dominate
The threat report indicates that over 75% of all attacks are malware-free, relying on built-in utilities and tools in living-off-the-land (LotL) techniques. This allows adversaries to evade detection by AV/EPP tools, increasing stealth. The report also notes a significant 60% year-over-year increase in interactive intrusion campaigns.
Attacks against unmanaged devices and end-of-life (EOL) endpoints
Adversaries target unmanaged devices, such as edge network devices, for initial access. They also target EOL endpoints because no EDR is present on them. These unmanaged endpoints represent an important attack surface, with over 25% of all attacks originating from an unmanaged endpoint.
The golden parameters for cyber defense: time to detect and time to respond
For cyber defense teams, it is essential to detect the threat, confirm the presence of malicious activity, and carry out response actions to isolate the endpoint or network before the adversary breaks out. Doing so protects critical assets and stops the breach.
This is the defender’s overall window of opportunity, the time window for threat detection and response. It is governed by a simple relationship that rests on first principles and remains valid:
Time to detect < Adversary breakout time
After the detection event, security teams perform investigation actions to confirm the threat and initial response actions to contain it. During this window the adversary remains active on the endpoint, with opportunities to evade defenses by disabling response actions and to establish stealthy persistence so that the attack continues even after containment is initiated.
Time to investigate and respond needs to be minimized to prevent adversary persistence and defense evasion attempts.
The threat report provides an outline of an example of an eCrime threat.
Source: CrowdStrike Global Threat Report 2024
In this attack example, the time window for threat detection needs to be less than the adversary breakout time (31 seconds + 2 minutes 55 seconds + 2 minutes 57 seconds = 6 minutes 22 seconds). The adversary breakout time includes the time for endpoint reconnaissance, staging offensive tooling, and attempting lateral movement.
Time window to detect < adversary breakout time (6 minutes 22 seconds)
In the attack example, the adversary attempted defense evasion by disabling security software on the endpoint. The adversary had a window of 4 minutes 38 seconds + 15 minutes in which to attempt defense evasion or persistence actions; the time window for threat investigation and response was therefore 19 minutes 38 seconds. Minimizing investigation and response times shrinks this window and denies adversaries the opportunity for defense evasion or persistence.
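To make the window concrete, here is an added Python model (not from the report or the original post) that parses the phase durations quoted above, computes the breakout time, and checks a defender’s detection, investigation and response times against it. Assigning the three durations to reconnaissance, tooling and lateral movement follows the order of the sentence above and is an assumption; the detection times in the two scenarios are constructed. Added exactly, the quoted durations come to 383 seconds (6 minutes 23 seconds), one second more than the 6 minutes 22 seconds cited, presumably because the report’s figure was taken from timestamps; the comparison is unaffected.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Accepts '31s', '2m 55s', '15 min', '4m 38s' and similar.
_DURATION_RE = re.compile(
    r"\s*(?:(\d+)\s*m(?:in(?:ute)?s?)?)?\s*(?:(\d+)\s*s(?:ec(?:ond)?s?)?)?\s*")


def parse_duration(text: str) -> int:
    """Turn a human-written duration into a number of seconds."""
    m = _DURATION_RE.fullmatch(text)
    if not m or not (m.group(1) or m.group(2)):
        raise ValueError(f"unrecognised duration: {text!r}")
    return int(m.group(1) or 0) * 60 + int(m.group(2) or 0)


def fmt(seconds: int) -> str:
    return f"{seconds // 60}m {seconds % 60:02d}s"


@dataclass
class Phase:
    name: str
    seconds: int


# Durations quoted in the text; mapping each one to a phase is an assumption
# that follows the order of the sentence describing the breakout chain.
ATTACK_CHAIN = [
    Phase("endpoint reconnaissance", parse_duration("31s")),
    Phase("staging offensive tooling", parse_duration("2m 55s")),
    Phase("lateral movement attempt", parse_duration("2m 57s")),
]


def breakout_time(chain: list[Phase]) -> int:
    """Breakout time: from initial access to the first lateral-movement attempt."""
    return sum(p.seconds for p in chain)


@dataclass
class DefenderTimes:
    detect: int       # initial access -> alert raised
    investigate: int  # alert -> threat confirmed
    respond: int      # confirmation -> endpoint isolated


def assess(chain: list[Phase], d: DefenderTimes) -> dict:
    """Check the two golden parameters (time to detect, time to respond) against the chain."""
    bt = breakout_time(chain)
    elapsed, detected_during = 0, None
    for p in chain:
        elapsed += p.seconds
        if d.detect < elapsed:
            detected_during = p.name
            break
    # While the team investigates and responds the adversary is still active and
    # can attempt defense evasion or persistence: this is the exposure window.
    exposure = d.investigate + d.respond
    return {
        "breakout_s": bt,
        "detected_before_breakout": d.detect < bt,
        "detected_during": detected_during,
        "exposure_window_s": exposure,
        "isolated_before_breakout": d.detect + exposure < bt,
    }


# Two constructed scenarios against the same attack chain.
SCENARIOS = {
    # A conventional detection layer alerts at the 5-minute mark (constructed), followed
    # by the 4m 38s + 15m investigation and response window quoted in the text.
    "conventional": DefenderTimes(parse_duration("5 min"),
                                  parse_duration("4m 38s"),
                                  parse_duration("15 min")),
    # An endpoint deception trips during reconnaissance (constructed); the high-fidelity
    # alert needs no manual triage and automated isolation completes in one minute.
    "deception": DefenderTimes(parse_duration("20s"), 0, parse_duration("1 min")),
}

if __name__ == "__main__":
    for name, times in SCENARIOS.items():
        r = assess(ATTACK_CHAIN, times)
        print(f"{name}: breakout {fmt(r['breakout_s'])}, detected during "
              f"{r['detected_during']}, exposure {fmt(r['exposure_window_s'])}, "
              f"isolated before breakout: {r['isolated_before_breakout']}")
```

The "conventional" scenario satisfies Time to detect < breakout time but not the response side: with a 19 minute 38 second exposure window the endpoint is isolated long after the adversary has attempted lateral movement, which is exactly the gap the text describes.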
Accelerated adversary actions have implications for cyber defense
The threat report indicates a significant reduction in adversary breakout time in 2023. This trend will likely continue and accelerate further in 2024, with increased availability of advanced offensive tooling for adversaries.
As the adversary continues to accelerate, defense teams need to adopt strategies to reduce the time for threat detection and response.
Such a strategy rests on two primary goals:
- Early threat detection: detecting the threat early in the offensive actions after the initial access reduces the overall detection time. A strategy that enables detection during the initial access phase would be even more effective.
- Precise threat detection: strengthening the fidelity of the threat detection reduces the need for manual alert investigation and enables automated response workflows, reducing the overall response time.
To achieve these goals, defense teams can adopt a defense-in-depth approach that combines a set of carefully chosen, non-overlapping, and interlocked detection layers optimized for early and precise threat detection.
How deception technology accelerates threat detection and response
Deception serves as a proactive defense strategy: decoy assets and lures disorient and distract attackers, allowing attacks to be detected and mitigated early. Deception technology anticipates the adversary’s likely objectives, sets traps relevant to those objectives, and watches for adversary interaction with them.
Deceptions are not part of the organization’s existing workflows. Any use of deceptions is indicative of malicious activity, providing immediate and high-fidelity threat detection.
By introducing a set of carefully placed deceptions into the environment, defense teams gain the ability to detect threats early. The high-fidelity detection eliminates the need for manual alert correlation, providing actionable alerts that can trigger automated response workflows to isolate the threat.
Adversaries that gain initial access to an endpoint perform endpoint reconnaissance, attempt to escalate privileges, look to disable existing defenses, and gain access to credentials before attempting lateral movement.
Deceptions deployed on endpoints enable detection of the initial stages of the adversary actions on the endpoint, providing early threat detection and reducing the detection time.
Identity deceptions enable detection at the initial access stage, enabling detection even before the initial access has been obtained or completed.
Adversary stealth is another important characteristic highlighted in the threat report. Organizations can deploy deceptions in identity stores and on the network in addition to endpoints, enabling deception-based detection of stealthy adversary actions that evade other detection layers, such as threats targeting end-of-life (EOL) endpoints.
In the eCrime example discussed in the report, identity deceptions enable detection of initial access, endpoint deceptions enable early detection on the endpoint, and a comprehensive deception deployment enables detection of threats that bypass traditional detection layers.
Source: CrowdStrike Global Threat Report 2024
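The property stated above, that no legitimate workflow ever touches a decoy, is what makes deception alerts high-fidelity and safe to wire into automated response. The following added Python example (not Acalvio’s or CrowdStrike’s code) shows that detection logic over a few constructed authentication events: any event involving a decoy account or decoy host raises a critical alert naming the source host to isolate, whether the logon succeeded or failed, while ordinary user activity produces nothing. Account names, host names and the JSON-lines log format are all constructed for the example.

```python
from __future__ import annotations
import json

# Decoy (honeytoken) identities seeded into the directory and into endpoint
# credential stores. Constructed names for this example.
DECOY_ACCOUNTS = {"svc-backup-ops", "adm-sql-maint"}
# Decoy hosts or shares that no real workflow touches. Constructed.
DECOY_HOSTS = {"FS-ARCHIVE-07"}

# Constructed authentication events, one JSON object per line. This is an
# example format, not any vendor's log schema.
SAMPLE_LOG = """\
{"ts": "2024-03-01T09:12:04Z", "event": "logon", "outcome": "success", "user": "j.doe", "src": "WS-114", "dst": "WS-114"}
{"ts": "2024-03-01T09:13:40Z", "event": "logon", "outcome": "failure", "user": "svc-backup-ops", "src": "WS-114", "dst": "DC-01"}
{"ts": "2024-03-01T09:13:41Z", "event": "logon", "outcome": "success", "user": "svc-backup-ops", "src": "WS-114", "dst": "DC-01"}
{"ts": "2024-03-01T09:14:02Z", "event": "share_access", "outcome": "success", "user": "j.doe", "src": "WS-114", "dst": "FS-ARCHIVE-07"}
{"ts": "2024-03-01T09:20:15Z", "event": "logon", "outcome": "success", "user": "m.ali", "src": "WS-220", "dst": "WS-220"}
"""


def parse_events(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def decoy_reason(ev: dict) -> str | None:
    """Why this event is a decoy interaction, or None if it is legitimate activity."""
    if ev["user"] in DECOY_ACCOUNTS:
        return "decoy account used"
    if ev["dst"] in DECOY_HOSTS:
        return "decoy host accessed"
    return None


def detect(events: list[dict]) -> list[dict]:
    """One alert per decoy interaction. The outcome field is deliberately ignored:
    a failed logon with a decoy credential already proves the credential was
    harvested from wherever it was planted."""
    alerts = []
    for ev in events:
        reason = decoy_reason(ev)
        if reason is None:
            continue
        alerts.append({
            "ts": ev["ts"],
            "severity": "critical",
            "reason": reason,
            "user": ev["user"],
            "isolate_host": ev["src"],  # the endpoint the adversary is operating from
            # A decoy logon against another host is a lateral-movement attempt;
            # touching a decoy share is reconnaissance of the environment.
            "stage": "lateral movement" if ev["event"] == "logon" else "reconnaissance",
        })
    return alerts


def hosts_to_isolate(alerts: list[dict]) -> list[str]:
    """Deduplicated source hosts to hand to an automated containment playbook."""
    return sorted({a["isolate_host"] for a in alerts})


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_LOG))
    for a in found:
        print(f'{a["ts"]} {a["severity"]}: {a["reason"]} ({a["user"]}, {a["stage"]}) '
              f'-> isolate {a["isolate_host"]}')
    print("containment targets:", hosts_to_isolate(found))
```

Because the decision needs no correlation with other telemetry, the alert can go straight to an isolation playbook; in the terms of the previous section, the investigation component of the response window drops to zero.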
It’s also worth highlighting deception technology and how it uniquely addresses the challenge of identity protection by creating a layer of complexity for attackers attempting to exploit identities. Within this sophisticated framework, decoy identities and credentials are interspersed with real assets, making it exceedingly difficult for cybercriminals to discern genuine targets. When attackers, lured by these decoy assets, attempt to use fake credentials or access decoy systems, their privilege escalation and lateral movement actions trigger alerts. This instant notification mechanism enables security teams to respond rapidly, potentially halting attacks before they breach critical systems. This methodology is pivotal as it transforms how organizations shield against identity-based attacks, converting potential vulnerabilities into strategic assets for cybersecurity defense.
Acalvio, as a leading deception technology provider in the marketplace, has taken great strides in its innovations, removing deployment and scalability issues of the past. Acalvio integrates seamlessly with CrowdStrike, a combination that provides organizations with an easy and effective method to build deception into their cybersecurity architecture. The integration allows for swift deployment of deception assets across the network, eliminating the need for additional agents or complicated configurations. This marriage delivers quantifiable visibility, detection, and response capabilities to the CrowdStrike Falcon platform. The result is numerous key benefits: early threat detection through tripwires, enhanced incident response from insights into attacker TTPs, a proactive defense strategy that diverts attention from genuine assets, and the generation of valuable threat intelligence.
The CrowdStrike report is a powerful report highlighting organizations’ need to adopt proactive defense strategies. Deception technology, such as that offered by Acalvio, provides a highly effective solution to enhance cybersecurity operations. By integrating Acalvio’s agentless technology with CrowdStrike’s advanced cybersecurity platform, organizations can generate a significant edge in detecting, responding to, and mitigating digital threats.
Remember, deception might be your best defense strategy in a world of advanced cyber threats. Stay vigilant, stay safe.