Identity Threat Hunting: How CrowdStrike Counter Adversary Operations Is Leading the Charge

CrowdStrike’s identity threat hunting capability brings together industry-leading expertise and modern technology to stop identity-focused attacks. Here’s how.

December 11, 2023


It’s 10:30 p.m. and you’re heading to bed. Unfortunately, a threat actor has your organization in their crosshairs. While you’re brushing your teeth, they’re crafting a social engineering email to pilfer your employees’ credentials. While you’re putting on your pajamas, they’re finding a path to log in. While you’re asleep, is your organization protected?

The identity threat hunting capability from CrowdStrike Counter Adversary Operations provides 24/7 managed identity threat hunting from CrowdStrike security experts. This first-of-its-kind capability brings together CrowdStrike’s market-leading intelligence on adversary tactics, techniques and procedures (TTPs) — along with CrowdStrike Falcon® Identity Protection and CrowdStrike’s elite threat hunters — to thwart the latest identity-based threats.

Available as the first offering of CrowdStrike Counter Adversary Operations, the identity threat hunting capability is immediately available at no additional cost to customers of Falcon Identity Protection and either CrowdStrike® Falcon OverWatch™ Elite or CrowdStrike Falcon® Counter Adversary Operations Elite.

At a time when identity threats are top of mind for IT and security teams across industries, this level of protection is essential. 

Addressing the Identity Problem

Adversaries are escalating their abuse of identities to stealthily enter corporate environments and hide in plain sight. As highlighted in the CrowdStrike 2023 Threat Hunting Report:

  • 62% of interactive intrusions involved the abuse of valid accounts 
  • 200% increase in intrusions featuring pass-the-hash techniques 
  • 147% increase in access broker advertisements
  • 160% increase in attempts to gather credential information via cloud metadata APIs 
  • 583% increase in Kerberoasting attacks 
  • 24% of interactive intrusions originated from an unmanaged host

With identity threat hunting from CrowdStrike, organizations receive around-the-clock protection against these and other identity-based attacks. 

Watch the Fal.Con 2023 on-demand session, “Identity Threat Hunting: How CrowdStrike Falcon OverWatch Elite Is Leading the Charge.”

Identity threat hunting is made possible by CrowdStrike’s unique visibility into identity telemetry generated by Falcon Identity Protection. With this data, CrowdStrike’s threat hunters can see into both managed and unmanaged hosts, allowing us to identify any adversary performing domain reconnaissance and attempting to gather additional credentials in preparation for lateral movement — all while the adversary hasn’t moved off the network device.

Three Examples of Identity Threat Hunting in Practice

CrowdStrike threat hunters have long successfully used identity telemetry to detect otherwise unmitigated threats for a number of CrowdStrike customers. Here are three examples. 

Example 1: Protecting Against SCATTERED SPIDER

SCATTERED SPIDER is an eCrime adversary that conducts targeted social engineering campaigns, primarily using phishing pages to capture authentication credentials. This adversary has been known to impersonate employees with cybersecurity responsibilities in an attempt to obtain a password reset of the target user’s account through the company’s help desk. 

One consistent TTP CrowdStrike sees from SCATTERED SPIDER is the creation of new user accounts using the net user command. While this command is commonly used for reconnaissance, it can also be used to create new users on a system. This is one of many leads that CrowdStrike threat hunters relentlessly pursue to uncover adversary activity. 

By combining the rich telemetry from Falcon Identity Protection and the powerful CrowdStrike event search platform, threat hunters can quickly group recent account creation and authentication events by the target username — uncovering accounts that were created and authenticated to within a short time frame to expose potential identity threats.
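The grouping logic described above, as an added illustration that is not CrowdStrike's own query or code: it takes constructed Windows-style security events (4720 for account creation, 4624 for a successful logon, with made-up usernames and hosts), groups them by target username, and surfaces accounts that authenticated within a short window of being created.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events modelled loosely on Windows Security log fields
# (4720 = user account created, 4624 = successful logon). Names and hosts are invented.
SAMPLE_EVENTS = [
    {"ts": "2023-12-11T22:31:05", "event_id": 4720, "target_user": "svc_backup2", "host": "WS-FIN-07", "subject_user": "jdoe"},
    {"ts": "2023-12-11T22:33:40", "event_id": 4624, "target_user": "svc_backup2", "host": "WS-FIN-07", "subject_user": "-"},
    {"ts": "2023-12-11T09:00:00", "event_id": 4720, "target_user": "new.hire", "host": "DC01", "subject_user": "hr_admin"},
    {"ts": "2023-12-13T08:15:00", "event_id": 4624, "target_user": "new.hire", "host": "WS-HR-02", "subject_user": "-"},
    {"ts": "2023-12-11T22:40:00", "event_id": 4624, "target_user": "jdoe", "host": "WS-FIN-07", "subject_user": "-"},
]


def created_then_used(events, window=timedelta(minutes=30)):
    """Group creation and logon events by target username and return, for each
    account that authenticated within `window` of being created, the creation
    time, first logon time, creating host, creating subject and the gap in minutes."""
    by_user = defaultdict(lambda: {"created": None, "logons": []})
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        rec = by_user[e["target_user"]]
        if e["event_id"] == 4720:
            rec["created"] = (ts, e["host"], e["subject_user"])
        elif e["event_id"] == 4624:
            rec["logons"].append(ts)

    hits = {}
    for user, rec in by_user.items():
        if rec["created"] is None:
            continue  # account predates the search window; nothing to correlate
        created_at, host, creator = rec["created"]
        # Only logons that happen after creation and inside the window count as a lead.
        later = sorted(t for t in rec["logons"] if created_at <= t <= created_at + window)
        if later:
            hits[user] = {
                "created_at": created_at,
                "first_logon": later[0],
                "host": host,
                "created_by": creator,
                "delta_min": (later[0] - created_at).total_seconds() / 60,
            }
    return hits


if __name__ == "__main__":
    for user, h in created_then_used(SAMPLE_EVENTS).items():
        print(f"{user}: created by {h['created_by']} on {h['host']}, "
              f"first logon {h['delta_min']:.1f} min later")
```

Widening the window (for example to a few days) makes the legitimate new-hire account show up as well, which is why the time frame is the key tuning knob for this lead.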

Example 2: Protecting Against MANGLED SPIDER

MANGLED SPIDER is a big game hunting adversary CrowdStrike has been tracking since August 2021. MANGLED SPIDER develops and maintains the BlackByte ransomware, along with their own dedicated leak site.

At one company, MANGLED SPIDER was able to gain a foothold within a network on an unmanaged host. The adversary made repeated failed logins to an administrator account along with 100+ user accounts. MANGLED SPIDER was then observed running SecretsDump from the Impacket suite and attempting a Kerberoasting attack. Valid credentials were subsequently used to connect to an internal host, where the adversary was observed performing light reconnaissance and domain replication (DCSync). The adversary then connected to another host using valid credentials, at which point an AnyDesk binary was written along with a batch file to install it.

Throughout this attack, CrowdStrike threat hunters were able to closely track the adversary and provide play-by-play visibility to the customer — even when the adversary was operating from an unmanaged host. Falcon Identity Protection telemetry was critical in stopping this attack.

Example 3: Protecting Against Unidentified Adversaries

In this final example, one adversary was able to gain a foothold in a network by exploiting a newly disclosed critical vulnerability in an internet-exposed network device. Given the nature of this device, there was no endpoint agent support or endpoint logs to fall back on.

The first sign something was amiss was when CrowdStrike threat hunters identified unusual authentication activity originating from the network device. Because the customer had deployed Falcon Identity Protection, this activity was surfaced despite the lack of a sensor on the host where the activity originated. Shortly after, a number of suspicious LDAP queries were observed, including SPN enumeration and enumeration of domain security settings and domain groups. 

In this case, CrowdStrike threat hunters promptly identified and reported the malicious activity to the customer. Because it was a critical-severity finding, the customer was notified by phone with detailed information about the detection, including the timeline and source. As a result, the customer was able to stop the breach.

Protection that Doesn’t Sleep

In response to the growing popularity of identity-based attacks and the increasing sophistication of adversary tradecraft, the identity threat hunting capability makes it possible to quickly identify and remediate compromised credentials, track lateral movement and outpace adversaries with 24/7 coverage.
