Your organization is constantly under attack, and every day, adversaries are developing new ways to breach your network. How can you keep them out? You need to know about today’s most common attack techniques, along with effective mitigation strategies and tactics. In this post, you’ll get up to speed on the trends observed by the CrowdStrike® Services team during incident response in 2019 — and learn about security measures you can implement to strengthen your defenses and block intruders.
For a discussion of attackers’ objectives, dwell time and initial access points, see Know Your Attackers: 2020 CrowdStrike Services Report Key Findings (Part 1 of 2). To get a complete overview of the latest threats and recommended defenses, read the entire CrowdStrike Services Cyber Front Lines Report, filled with the team’s findings from throughout 2019.
Malware and Malware-free Intrusions
One of the big stories of 2019 is that adversaries continue to rely on malware-free techniques during attacks. In 51% of the incidents CrowdStrike responded to in 2019, adversaries employed malware-free techniques at some point. In 29%, the adversary used only malware-free techniques, making it more difficult for organizations to detect and respond. Now more than ever, organizations need comprehensive visibility along with proactive threat hunting to uncover threats not identified by legacy security technologies.
One of the most notable trends in eCrime malware attacks was the use of big game hunting (BGH) techniques. This type of attack focuses on high-value data or assets within larger organizations that are highly sensitive to downtime, so the motivation is strong to simply pay a ransom and regain access. Another trend seen throughout the year was collaboration among non-state-affiliated criminal groups, where different eCrime groups handled different stages of an attack.
Top Attack Techniques
The most commonly used attack techniques focused on account compromise, often via “living off the land” (LOTL). Credential dumping and account discovery were among the three most frequent techniques observed, and the other top five attack types utilized PowerShell, scripting and command line interface.
It’s often difficult to distinguish LOTL adversary activity from the legitimate use of these same tools by network administrators. This is precisely why gaining real-time visibility and recording metadata via EDR technologies can add context to analysis that will help distinguish legitimate from illegitimate LOTL activities. The threat actor’s goal is usually to gain access to a network via legitimate credentials and escalate privileges to move laterally while masquerading as an actual user or administrator on the network. The illegitimate use of legitimate credentials can be more difficult to identify than malware and other forms of attack.
With attackers getting stealthier and more innovative than ever, organizations must know how to detect and respond to attempted intrusions. In addition to a next-gen AV (NGAV) solution such as the CrowdStrike Falcon® platform, the Services team observed four fundamental security measures frequently making a difference in preventing or detecting the top five attack techniques in a client’s environment. These measures are fairly fundamental practices, but executing them well is not always easy.
Multi-factor authentication (MFA). CrowdStrike recommends that organizations enable MFA mechanisms on all public-facing employee services and portals. This will inhibit unauthorized access to employee data and the organization’s environment, especially threat actor activity in scenarios where employee enterprise credentials may have been compromised.
Network segmentation. Security teams could implement segments in their Active Directory forests that do not inherently trust domains or organizational units within its forest. A controlled and segmented network greatly reduces the attack surface and increases the difficulty for threat actors and self-propagating malware to move within an environment.
AV/anti-malware. Organizations should implement an advanced endpoint protection agent across their environments. For maximum efficacy, it should contain machine learning, real-time AV and anti-malware capabilities, detection and prevention capabilities, and a dedicated team to monitor and coordinate any identified events.
Log analysis. When it comes to visibility within an environment, there is still no substitute for effective log analysis. Aggregating and analyzing security-relevant logs in a security incident and event management (SIEM) tool allows security teams to develop a more complete picture of what is occurring in their environments – and catch anything that might slip through the cracks.
Download the complete report for more observations gained from the cyber front lines in 2019 and insights that matter for 2020: CrowdStrike Services Cyber Front Lines Report.
- Watch an on-demand webcast that takes a deep dive into the findings, key trends and themes from the report: CrowdStrike Cyber Front Lines Report CrowdCast.
- Read a report overview by CrowdStrike CSO and Services President Shawn Henry.
- Learn more about the CrowdStrike Services team and how it can help your organization improve your cybersecurity readiness by visiting the webpage.
- Learn more about the powerful CrowdStrike Falcon platform by visiting the webpage.
- Test CrowdStrike next-gen AV for yourself. Start your free trial of Falcon Prevent™ today.