Update: CrowdStrike’s 2020 Global Threat Report is now available! Download the report to stay ahead of today’s adversaries.
This week, CrowdStrike® released its annual threat report – the “2018 Global Threat Report: Blurring the Lines Between Statecraft and Tradecraft.” It includes information based on thousands of hours of investigation and analysis into threats and attacks by CrowdStrike security experts. The findings described in this report offer critical information that can help organizations be better prepared for the threat actors and their tactics, techniques and procedures (TTPs) that impacted victims in 2017 and are likely to continue in the months ahead.
It’s no surprise that during the past year, stolen and vulnerable data proved to be valuable weapons for adversaries of every stripe, spanning across all geographies, affiliations and motivations. Data extortion, data ransom and outright theft have affected both large and small organizations throughout the world. The following describes five key trends identified in this report that reflect important shifts in the threat landscape that organizations faced last year and which will likely continue to challenge all industries in 2018. The five key trends include:
1. Blurred Lines
The blurring of lines referenced in the title of the report manifested in various ways during the past year. In many cases, less technically adept actors “upped their game” by employing TTPs characteristic of more sophisticated adversaries. In other instances, state-affiliated actors known for their highly evolved targeted intrusion TTPs took a page from lower-echelon eCrime adversaries, with WannaCry and NotPetya attacks emerging as nation-state-sponsored attempts at ransomware. CrowdStrike Falcon Intelligence™ and other organizations linked the malware and TTPs in those operations to the Democratic People’s Republic of Korea (DPKR) and Russia, respectively. Although the repurposing of criminal malware is not a new phenomenon (particularly for Russian adversaries), this is a notable trend considering ransomware’s rapid growth in 2016 and 2017, suggesting targeted intrusion adversaries are taking note of what is successful in the eCrime marketplace.
2. Undetected Malware and “Breakout Time”
An interesting trend observed during the past year was an increase in malware-based over malware-free attacks. However, a more sobering finding was that 39 percent of all incidents in 2017 involved malicious software that went undetected by traditional antivirus, leaving organizations that relied on these legacy solutions vulnerable to the threats – and demonstrating a growing need for next-generation endpoint protection capabilities.
According to incidents CrowdStrike investigated, the average “breakout time” in 2017 was one hour and 58 minutes. Breakout time indicates how long it takes for an intruder to jump off the initial system (“beachhead”) they have compromised and move laterally to other machines within the network. This statistic shows how much time defenders have on average to detect an initial intrusion, investigate it and eject the attacker from the network, before sensitive data can be stolen or destroyed.
3. Expanding Exploits
Exploits continue to proliferate across the threat landscape, as was observed in the rapid spread of CVE-2017-0199 and other threats. Actor-agnostic TTP trends also showed a rise in the use of commodity tools and penetration-testing software, as occurred with the Cobalt Strike penetration tool. Supply chain attacks incorporating poisoned software update packages were also on the rise. This malware dissemination technique was notably used in the NotPetya campaign in late June 2017, but it was observed throughout the year from eCrime and targeted intrusion adversaries. Underlying all of these TTP trends is an overall effort to avoid attribution, blend in with the crowd and otherwise challenge the computer network defender.
4. Score One For The Good Guys
The coordinated multi-agency takedowns of major eCrime actors and networks during 2017 helped balance the scales and disrupt operations of profit-driven cybercrime groups. Given the tenacity and anonymity that surrounds many cybercriminals, law enforcement actions such as takedowns, arrests, and the sentencing of individuals who are involved in cybercrime are major successes for law enforcement agencies. These actions often temporarily splinter the criminal community, as actors examine their operational security and look for alternative methods for committing their crimes.
While government, healthcare and financial organizations remained among the most preferred prey of eCrime and targeted intrusion actors, the hospitality sector emerged in the past year as a growing target for criminals and, in a more unsettling turn, for nation-state adversary groups, as well. International hotel chains, in particular, offer ripe picking for financial crimes, from stealing identities to pilfering credit card numbers via point-of-sale transactions. State-affiliated adversaries have also developed a deep interest in the lodging sector, whether for tracking persons of interest while they are traveling, or to enable access to these potential victims when they use electronic devices outside the confines of protected networks.
Learn more of the compelling findings in this year’s report:
Access a CrowdStrike webcast for an in-depth analysis of the 2018 Global Threat Report.