2020 Key Findings and Trends From Incident Response and Proactive Services

CrowdStrike Banner

The annual CrowdStrike Services Cyber Front Lines Report released this month shares statistics, trends and themes gleaned from a year’s worth of data and observations by our world-class incident responders and proactive services experts. This blog outlines some key findings and themes that prevailed across the 2020 global cyber landscape. Future blogs will delve more deeply into each theme.

Metrics Provide Insight

The CrowdStrike® Services team analyzed important data points collected from a wide variety of incident response (IR) engagements and proactive services activities over the 12 months prior. These metrics offer insight into the cyber threats that organizations had to contend with in 2020, and provide guidelines for how organizations can ensure optimal cybersecurity as we move into 2021. Key findings include:

  • The volume and velocity of financially motivated attacks are staggering. These attacks represented 63% of all of the CrowdStrike Services cases over the past year, with 81% of these financially motivated attacks involving the deployment of ransomware or a precursor of ransomware activities. 
  • Buying technology alone is not enough — configuration, coverage and management matters. In at least 30% of incident response engagements, CrowdStrike observed the organization’s antivirus solutions were either incorrectly configured with weak prevention settings or not fully deployed across the environment. This may have been a factor in a threat actor gaining and maintaining access.
  • Intrusions should not be thought of as a one-time event. The Services team looked at organizations that experienced an intrusion and then leveraged CrowdStrike to manage their endpoint protection and remediation efforts moving forward. CrowdStrike identified that 68% of those organizations experienced another intrusion attempt, which was prevented.
  • Shifting to continuous monitoring and incident response changes the game. Rather than thinking of intrusion response as a one-time emergency activity, mature organizations plan for real-time, continuous monitoring and incident response. The CrowdStrike Falcon Complete turnkey managed service reduced the average time to detect, investigate and remediate from a total of 162 hours — nearly seven days — to less than one hour for customers.
  • Outside counsel is playing a bigger role in the incident response process. Outside counsel retained CrowdStrike to advise its clients in 49% of the incidents investigated in 2020.

Themes That Dominated

CrowdStrike Services incident responders identified several themes in 2020 that organizations should be mindful of. Look for upcoming blogs that dig deeper into each one: 

  • Widespread remote work has broad-reaching effects on cybersecurity. Networks around the world were turned inside-out as office workers became remote workers, with dramatic effects on how attackers target organizations and how defenders must react.
  • Ransomware actors have learned new tricks. Not content with just encrypting data for extortion, eCrime actors are increasingly destroying and/or threatening to leak data, as they target ever larger ransom payments.
  • Cloud infrastructure requires special attention from defenders. The global pandemic accelerated digital transformation — including cloud adoption — for many organizations, and attackers took advantage of this attack surface. Defending the cloud requires additional planning and focus beyond traditional on-premises networks.
  • Weaknesses in public-facing applications and services are increasingly dangerous. CrowdStrike observed significant increases in attackers targeting public-facing applications and services in 2020. Defenders must continue to be vigilant to ensure no exterior gaps exist for an adversary to use as an initial foothold.
  • State-sponsored adversaries leave smaller footprints. While eCrime actors got most of the headlines in 2020, state-sponsored adversaries remained active across a wide range of sectors. Detecting and stopping these sophisticated intrusions require a well coordinated and holistic response.
  • Organizations focused on driving key security enhancements can stop the next breach. An intrusion can happen to any organization — how you respond and learn from prior incidents can make a significant difference on the impact of the next breach.

Organizations that heed the observations and recommendations in the Services report will see significant improvements in their ability to defend against many of the common types of attacks. CrowdStrike is here to help, providing highly skilled cybersecurity professionals who partner with clients to ensure that the adversaries are defeated and any damage is quickly remediated.

Additional Resources

CrowdStrike Falcon Free Trial

Try CrowdStrike Free for 15 Days Get Started with A Free Trial