Last month CrowdStrike released its 2020 Global Threat Report, reflecting on the past year’s cybercrime and the types of attacks and techniques criminals have been utilising. In this blog post, we take a look at the key trends from the report and what they mean to Australian businesses.
In 2019, the ratio of malware to malware-free attacks levelled out at 49% and 51% respectively; in 2018 it had been 60% malware and 40% malware-free. CrowdStrike defines malware-free as attacks that do not result in a file or file fragment being written to disk. Examples include code that executes purely from memory and account takeover attacks in which stolen credentials are leveraged. These attacks are typically harder to detect and require more sophisticated techniques, such as behavioural detection and human threat hunting, to identify and remediate reliably.
For the 2018 Global Threat Report, CrowdStrike began reporting on the average breakout time of attacks. Breakout time is the interval between an attacker gaining initial access and beginning lateral movement across the targeted organisation's network toward their goal. This is a key metric for businesses because it indicates how quickly your organisation needs to be able to detect and remediate an intrusion in order to minimise potential damage.
The average breakout time almost doubled from 2018 to 2019, rising from 4 hours 37 minutes to 9 hours. Although it may seem as though businesses have more leeway to detect and respond, organisations should still be focused on achieving remediation as quickly as possible. The increase in breakout time has been linked to the rise in eCrime, which tends to have longer breakout times, but eCrime is just one part of the threat landscape and other adversary types have considerably lower average breakout times.
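The breakout-time metric described above can be computed directly from an incident timeline, and the useful comparison for a defender is whether the first detection alert fired before the attacker broke out. The following is an added example, not code from Infotrust or CrowdStrike; the event timeline, the host names and the event labels (`initial_access`, `detection_alert`, `lateral_movement`) are constructed for illustration, and the two averages are the figures quoted from the report.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample intrusion timeline (not from the report).
# Each line: ISO-8601 UTC timestamp, host, event type.
SAMPLE_TIMELINE = """\
2019-04-02T08:05:00Z,WS-017,initial_access
2019-04-02T08:09:30Z,WS-017,discovery
2019-04-02T11:20:00Z,WS-017,detection_alert
2019-04-02T17:41:00Z,FS-01,lateral_movement
2019-04-02T18:02:00Z,FS-01,credential_access
"""

# Average breakout times quoted from the report, used only for comparison.
REPORT_AVERAGES = {
    "2018": timedelta(hours=4, minutes=37),
    "2019": timedelta(hours=9),
}


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str


def parse_timeline(text):
    """Parse the CSV-style timeline into Event objects sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, host, kind = (field.strip() for field in line.split(","))
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, kind))
    return sorted(events, key=lambda e: e.ts)


def breakout_time(events):
    """Interval from first initial_access to first lateral_movement onto a different host."""
    entry = next((e for e in events if e.kind == "initial_access"), None)
    if entry is None:
        return None
    lateral = next(
        (e for e in events
         if e.kind == "lateral_movement" and e.host != entry.host and e.ts >= entry.ts),
        None,
    )
    return None if lateral is None else lateral.ts - entry.ts


def detection_margin(events):
    """How much earlier than breakout the first detection alert fired (negative = too late)."""
    entry = next((e for e in events if e.kind == "initial_access"), None)
    alert = next((e for e in events if e.kind == "detection_alert"), None)
    breakout = breakout_time(events)
    if entry is None or alert is None or breakout is None:
        return None
    return breakout - (alert.ts - entry.ts)


def fmt(td):
    """Render a timedelta as 'Hh MMm', keeping the sign for negative margins."""
    total = int(td.total_seconds())
    sign = "-" if total < 0 else ""
    total = abs(total)
    return f"{sign}{total // 3600}h {(total % 3600) // 60:02d}m"


def summarise(text):
    """Human-readable summary: breakout time, comparison to the report, detection margin."""
    events = parse_timeline(text)
    breakout = breakout_time(events)
    margin = detection_margin(events)
    lines = [f"breakout time: {fmt(breakout)}"]
    for year, avg in REPORT_AVERAGES.items():
        relation = "slower" if breakout > avg else "faster"
        lines.append(f"  {relation} than the {year} report average of {fmt(avg)}")
    if margin >= timedelta(0):
        lines.append(f"first detection alert fired {fmt(margin)} before breakout")
    else:
        lines.append(f"first detection alert fired {fmt(-margin)} AFTER breakout")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarise(SAMPLE_TIMELINE))
```

The margin is the number that matters operationally: a positive margin means the alert arrived while the attacker was still confined to the entry host, so containment of that one machine would have stopped the intrusion; a negative margin means the response has to cover every host reached before the alert.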
In 2019 the top 3 execution attack technique trends were identified as:
The masquerading technique showed the greatest increase, with the others remaining roughly constant relative to previous years; CrowdStrike attributes this to the continued uptake of an exploit named EternalBlue in the wild.
Ransomware remained a pervasive threat throughout 2019, and we have seen it across the media in industries such as healthcare, legal and government. It was the most lucrative enterprise for eCrime adversaries, with ransom demands soaring into the millions. Many ransomware families adopted Ransomware-as-a-Service (RaaS) and big game hunting (BGH) techniques, with the developers behind RaaS models receiving a share of the profits their affiliates collect from successful ransomware infections.
One specific example identified in CrowdStrike's report, from early April 2019, was a BGH intrusion against a large network. During this attack attempt, the adversary deployed ransomware known as Dharma, which was successfully blocked by CrowdStrike's Falcon platform. CrowdStrike was nonetheless able to determine that this ransomware is highly configurable and operates on an affiliate-based model. The threat actors gain access by exploiting vulnerable machines or by brute-forcing passwords on machines with weak or predictable credentials.
Some of the recommendations Infotrust would suggest to businesses to mitigate this kind of threat include:
Of all eCrime attacks in 2019, ransomware accounted for 26%. Other prevalent attack types included banking trojans, spambots, Business Email Compromise, and malware-as-a-service developers.
One technique identified as particularly interesting and innovative was email thread hijacking. Attackers run Emotet spam campaigns to harvest a user's email content. After the victim's email content has been stolen, the malware identifies email threads by their subject lines and formulates a reply to an existing thread. This increases the likelihood of the recipient clicking on a link or opening an attachment, because the sender appears to be someone they have previously communicated with or know in real life. It is likely this kind of tactic is used to support ransomware campaigns.
It is predicted that in 2020 eCrime gangs will continue to target financial institutions and other companies, while increasingly extending their campaigns outside of Europe and the United States.
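The thread-hijacking tactic described above leaves a detectable inconsistency: the reply lands in an existing thread, reuses a familiar display name, but comes from an address that has never participated in that thread, and it carries the attachment or link the lure depends on. The following is an added example of that detection heuristic, written for this post rather than taken from Infotrust, CrowdStrike or any mail product; the mailbox, the addresses and the `Message` structure are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from email.utils import parseaddr


@dataclass
class Message:
    subject: str
    sender: str                         # From header as it appears in the mailbox
    recipients: list                    # To/Cc headers
    has_attachment: bool = False
    links: list = field(default_factory=list)


# Constructed sample mailbox in arrival order (not real mail).
SAMPLE_MAILBOX = [
    Message("Q2 invoice", "Alice Chen <alice@partner.example>", ["Bob Lee <bob@corp.example>"]),
    Message("Re: Q2 invoice", "Bob Lee <bob@corp.example>", ["alice@partner.example"]),
    # A reply into the same thread that reuses Alice's display name from a new address.
    Message("RE: Q2 invoice", "Alice Chen <alice.chen@mail-relay.example>",
            ["bob@corp.example"], has_attachment=True),
    # A genuine follow-up from Alice's real address, also with an attachment.
    Message("Re: Q2 invoice", "Alice Chen <alice@partner.example>",
            ["bob@corp.example"], has_attachment=True),
    # A new thread with a link: not a reply, so not in scope for this heuristic.
    Message("Team lunch", "Carol <carol@corp.example>", ["bob@corp.example"],
            links=["https://intranet.example/lunch"]),
]

REPLY_PREFIX = re.compile(r"^\s*(re|fw|fwd|aw)\s*:\s*", re.IGNORECASE)


def thread_key(subject):
    """Strip reply/forward prefixes and normalise whitespace so replies map onto their thread."""
    s = subject
    while (m := REPLY_PREFIX.match(s)):
        s = s[m.end():]
    return " ".join(s.lower().split())


def is_reply(subject):
    return REPLY_PREFIX.match(subject) is not None


def flag_thread_hijacks(mailbox):
    """Return (index, reasons) for replies whose sender is foreign to the thread they join.

    A message is flagged when it is a reply into a thread we have already seen, its From
    address has never appeared in that thread, and at least one lure signal is present
    (a reused display name, an attachment, or a link).
    """
    known = {}      # thread_key -> {address: display name}
    flagged = []
    for idx, msg in enumerate(mailbox):
        key = thread_key(msg.subject)
        name, addr = parseaddr(msg.sender)
        addr = addr.lower()
        participants = known.get(key)
        reasons = []
        if is_reply(msg.subject) and participants and addr not in participants:
            reasons.append("sender address never seen in this thread")
            known_names = {n.lower() for n in participants.values() if n}
            if name and name.lower() in known_names:
                reasons.append("display name matches an existing participant")
            if msg.has_attachment:
                reasons.append("carries an attachment")
            if msg.links:
                reasons.append("carries a link")
        if len(reasons) >= 2:
            flagged.append((idx, reasons))
            continue    # a flagged sender must not become a 'known' participant
        entry = known.setdefault(key, {})
        entry[addr] = name or entry.get(addr, "")
        for r in msg.recipients:
            rname, raddr = parseaddr(r)
            entry[raddr.lower()] = rname or entry.get(raddr.lower(), "")
    return flagged


if __name__ == "__main__":
    for idx, reasons in flag_thread_hijacks(SAMPLE_MAILBOX):
        print(f"message {idx} ({SAMPLE_MAILBOX[idx].sender}): " + "; ".join(reasons))
```

The heuristic deliberately requires two signals, so a colleague replying from a second legitimate address is not flagged unless the reply also carries a lure. In a real deployment the `known` map would be built from the organisation's mail history rather than from the same batch being scored, and the flag would feed a quarantine or banner rather than a hard block.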
It will be of no surprise to most that ransomware, credential exploitation, and social engineering will continue to be the top threats in 2020. With each technique, adversaries are becoming more sophisticated and pivoting quickly in order to remain effective and ahead of the curve.
Infotrust is excited to announce that we have partnered with CrowdStrike to provide a free 15-day trial of the Falcon Prevent solution, CrowdStrike's next-generation anti-virus. This trial provides visibility into the threats and detections your legacy endpoint protection may be missing, along with actionable threat intelligence from CrowdStrike that can be used to protect your endpoints from real threats currently active in the wild.