Cybersecurity is a perpetually challenging, but exhilarating field to work in. It can feel more like being on the frontline rather than working with computers – especially during a breach, because there is always a relentless, tough and very persistent opponent. Plus, as the latest industry data shows – our adversaries are getting stronger, every day.
Still, as the saying goes – the greater the villain, the greater the hero – so it’s down to us, as professionals and the cybersecurity community, to stand up and be counted for our organizations or our clients.
A growing threat to Europe
Earlier this year the European Commission announced a €1.1bn plan to counter what it sees as a growing number of cybersecurity threats, with mounting fears following multiple high-profile hacking incidents over the past 24 months, and a new wave of hacktivism connected to Russia’s invasion of Ukraine.
The latest Threat Landscape Report from The European Union Agency for Cybersecurity (ENISA) also revealed the increasing scale and complexity of attacks, with the largest DDoS attack ever recorded in Europe happening in July last year. Just as dangerous are highly sophisticated AI-enabled disinformation, deepfakes and disinformation-as-a-service – bots imitating human personas are disrupting ‘notice-and-comment’ rulemaking processes and the cybersecurity community by creating a flood of fake content and commentary. ENISA’s Foresight 2030 report also makes for fascinating reading about emerging threats, including the potential for cyberattacks on, and through, Europe’s space-based infrastructure and satellites.
Alongside this increased volume, scale and complexity, our own research revealed another trend we must now contend with – speed.
Field CTO Europe, CrowdStrike
Adversaries are getting faster
Any security solution created for today’s threat landscape must account for accelerating adversary speed. As revealed in CrowdStrike’s 2023 Threat Hunting Report, over the past 12 months, the average breakout time for interactive eCrime intrusion activity was just 79 minutes. Our Falcon OverWatch managed threat hunting service identified one adversary breakout time of just seven minutes.
This means that in less time than it might take to step away from a desk to make a cup of coffee, an adversary could have landed on an initial host and already moved laterally into the broader victim environment.
The speed at which threat actors are now able to develop N-day exploits – following the expanded use of zero-day vulnerabilities – also underscores the importance of accelerating vulnerability and patch management. Automated scanners have massively sped up the pace at which threat actors can leverage compromised credentials. They appear to be maintaining automated tooling to monitor services such as GitHub, and cloud environments, for leaked or stolen logins and passwords – and will attempt to use them within seconds of finding them.
All of which means CISOs and their teams must continually get faster at identifying, investigating, and remediating the threats they face today, and it’s our job at CrowdStrike to help them do that. Between us, we’ve now got to detect adversaries in minutes, rather than hours.
Adversaries are focusing on identity-based attacks
Another clear trend is that cyber adversaries are focusing on identity-based attacks – with these incidents often beginning with an identity compromise. Adversaries are not relying solely on compromised valid credentials, either – rather, they have demonstrated their capacity to abuse all forms of identification and authorization, including weak credentials sourced from the underground. Our data shows 62% of interactive intrusions involved the exploitation of valid accounts. We’ve also detected a disturbing 160% spike in efforts to obtain secret keys and credentials via cloud instance metadata APIs.
Contributing to this massive escalation in identity-based intrusions is a 583% increase in Kerberoasting attacks, a technique adversaries use to obtain valid credentials for Microsoft Active Directory service accounts. This often provides actors with higher privileges and allows them to remain undetected in victim environments for longer.
This technique poses a significant threat to organizations because adversaries no longer need elevated privileges to execute the attack. In the past year, attacks against Kerberos were associated predominantly with eCrime adversaries, with VICE SPIDER being the most prolific eCrime adversary, responsible for 27% of all intrusions that involved the Kerberoasting technique.
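Because Kerberoasting is visible on the domain controller as ordinary service-ticket requests, a threat hunter's first detection opportunity is Windows Security Event ID 4769. The example below is an added illustration, not CrowdStrike's code or part of the report: it runs two well-known heuristics over constructed 4769 records (field names follow the real event schema, values are invented), flagging successful RC4-HMAC (encryption type 0x17) ticket requests for non-machine service accounts, and raising an alert when one user from one source address requests tickets for several distinct services in a short window. The window and threshold values are assumptions to be tuned per environment.

```python
"""Heuristic Kerberoasting detection over Windows Security Event ID 4769 records.

Added example (not CrowdStrike's code). Assumes events have already been
parsed from the Security log into dicts whose keys match the 4769 event data
names (TargetUserName, ServiceName, TicketEncryptionType, Status, IpAddress).
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC; AES domains expect 0x11/0x12

# Constructed sample events (invented values). alice requests RC4 tickets for
# four different service accounts within seconds; the rest is benign noise.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TimeCreated": "2024-03-04T09:00:01", "TargetUserName": "alice@CORP.EXAMPLE",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TimeCreated": "2024-03-04T09:00:02", "TargetUserName": "alice@CORP.EXAMPLE",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TimeCreated": "2024-03-04T09:00:02", "TargetUserName": "alice@CORP.EXAMPLE",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TimeCreated": "2024-03-04T09:00:03", "TargetUserName": "alice@CORP.EXAMPLE",
     "ServiceName": "svc_reporting", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.5"},
    # Normal AES ticket request: not a candidate.
    {"EventID": 4769, "TimeCreated": "2024-03-04T09:01:00", "TargetUserName": "bob@CORP.EXAMPLE",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.0.0.9"},
    # Machine-account target (ends in $): RC4 here is not Kerberoasting material.
    {"EventID": 4769, "TimeCreated": "2024-03-04T09:01:10", "TargetUserName": "WS01$@CORP.EXAMPLE",
     "ServiceName": "FS01$", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.21"},
    # krbtgt is excluded: its ticket is not crackable service-account material.
    {"EventID": 4769, "TimeCreated": "2024-03-04T09:01:20", "TargetUserName": "carol@CORP.EXAMPLE",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.33"},
    # A single RC4 request stays below the burst threshold.
    {"EventID": 4769, "TimeCreated": "2024-03-04T09:02:00", "TargetUserName": "dave@CORP.EXAMPLE",
     "ServiceName": "svc_legacy", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.44"},
    # Different event ID (TGT request) is ignored entirely.
    {"EventID": 4768, "TimeCreated": "2024-03-04T09:02:05", "TargetUserName": "dave@CORP.EXAMPLE",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.0.0.44"},
]


def is_roast_candidate(event):
    """True for a successful 4769 RC4 service-ticket request for a non-machine service account."""
    if event.get("EventID") != 4769 or event.get("Status") != "0x0":
        return False
    if event.get("TicketEncryptionType") != RC4_HMAC:
        return False
    service = event.get("ServiceName", "")
    return not service.endswith("$") and service.lower() != "krbtgt"


def detect_kerberoasting(events, window=timedelta(minutes=10), min_services=3):
    """Group candidate requests by (user, source IP) and alert on bursts of distinct services.

    window / min_services are assumed tuning values, not vendor-recommended thresholds.
    Returns a list of alert dicts, one per (user, source IP) that exceeds the threshold.
    """
    by_actor = defaultdict(list)
    for ev in events:
        if is_roast_candidate(ev):
            key = (ev["TargetUserName"], ev["IpAddress"])
            by_actor[key].append((datetime.fromisoformat(ev["TimeCreated"]), ev["ServiceName"]))

    alerts = []
    for (user, ip), requests in by_actor.items():
        requests.sort()
        peak = 0
        # Sliding window: for each request as the window start, count distinct
        # services requested before the window closes.
        for i, (start, _) in enumerate(requests):
            distinct = {svc for ts, svc in requests[i:] if ts - start <= window}
            peak = max(peak, len(distinct))
        if peak >= min_services:
            alerts.append({"user": user, "source_ip": ip, "distinct_rc4_services": peak})
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_EVENTS):
        print(f"possible Kerberoasting: {alert['user']} from {alert['source_ip']} "
              f"requested RC4 tickets for {alert['distinct_rc4_services']} services")
```

The RC4 indicator is a strong signal only where the domain's service accounts are configured for AES; environments with legacy systems generate RC4 tickets legitimately, so the burst heuristic and an allow-list of known RC4-dependent services keep the alert volume manageable. Pairing the detection with hygiene work (long random passwords or group-managed service accounts for SPN-bearing accounts) shrinks what an adversary can gain even when a request slips through.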
Tight human-machine collaboration now essential
As the technologies and security products businesses rely on continue to evolve, so does adversary tooling and tradecraft – at a frightening pace. Our adversaries from across the threat landscape are already more agile than just a year ago and can be devastatingly fast. Responding to this modern threat requires tight human-machine collaboration with systems capable of dealing with the sheer speed, volume and advancing sophistication of attacks. When executed correctly, however, teams can still rapidly surface hidden threats, massively accelerate the decision-making of security analysts and streamline the detection process.
Cybersecurity teams across Europe must prioritize ways of working even more closely with their partners, to develop new and updated strategies that raise the cost of doing business for cybercriminals. This is one area where human-driven threat hunting creates an immense amount of value. Human hunters are more than capable of pursuing evolving threats with the same tenacity, creativity, and technical proficiency we see in our adversaries.
By combining our will to win with the power of legitimate human innovation and creativity, while efficiently leveraging the joint efforts of hunters and intelligence analysts – we can continuously create and maintain an environment that leaves our adversaries with nowhere to hide.