New Report: Falcon OverWatch Threat Hunting Leaves Adversaries with Nowhere to Hide

CrowdStrike OverWatch report banner

CrowdStrike® Falcon OverWatch™ has released its new report, 2020 Threat Hunting Report: Insights from the CrowdStrike Falcon® OverWatch Team. Now in its third year, this report continues to pull back the curtain on the daily battle being waged between Falcon OverWatch’s industry-leading threat hunting team and today’s highly motivated adversaries. 

Armed with cloud-scale telemetry of over 3 trillion endpoint events collected per week, and detailed tradecraft on 140 adversary groups, OverWatch has the unparalleled ability to see and stop the most sophisticated threats, leaving adversaries with nowhere to hide.

Introducing the OverWatch SEARCH Methodology

white type on black background

Click image to enlarge

Today’s adversaries are hyper-aware of the modern security controls put in place to stop them. Our threat hunters have a front-row seat to observe how adversaries evolve and test their tradecraft against automated detection solutions. This informs how the team works to outpace and outsmart the adversary.

For the first time, this report reveals OverWatch SEARCH. This is the proprietary methodology that our hunters use to methodically sift through a world of unknown unknowns to find the faintest traces of malicious activity and deliver actionable analysis to CrowdStrike customers in near real time. Defenders can see how threat hunters follow the six-step cycle of “Sense, Enrich, Analyze, Reconstruct, Communicate and Hone” to uncover adversary activity wherever it is hidden.

2020 Interactive Intrusion Trends

It has been a busy year for threat hunters, with adversaries expanding both the volume and the reach of their activities. The number of campaigns uncovered by OverWatch in just the first six months of the year surpassed what was seen throughout all of 2019. Adversaries were also observed in a wider range of industry verticals. 

Much of this growth has been driven by eCrime activity. 2020 has created conditions for opportunistic cyber crime to proliferate, accelerating from an already prolonged period of growth. In particular, the rapid adoption of remote work and the accelerated set-up of new infrastructure by many companies contributed to an increased attack surface. Meanwhile, social engineering schemes have leveraged the uncertainty and fear created by the COVID-19 pandemic.

This report will take you through the industries, regions, and adversary tactics, techniques and procedures that have been on the OverWatch team’s radar this year.

Follow the Hunt

The intrusion stories are, as always, the heart of this annual threat hunting report. Take the time to follow the hunt and see how OverWatch analysts uncover and reconstruct adversaries’ activities and motivations within victim environments. The stories highlight the breadth of threats that exist in the wild today while also providing insight into how these threats were uncovered. The report also shares tips on how to safeguard your environment from similar attacks. Here are two intrusion story highlights from this year’s report.

LABYRINTH CHOLLIMA Launches Attack Over Social Media

illustration of timeline with red circles

In this intrusion report from OverWatch threat hunters, you will see how a motivated adversary leveraged multiple social media platforms to compromise a victim and gain access to their target environment. Threat hunting proved crucial in quickly identifying the unusual commands that followed, and equipping the victim organization to take defensive action.

Backdoored SSH Service Exposes Technology Company

In the technology industry, an intrusion that appeared to start as an opportunistic attack quickly evolved into something much stealthier and more deliberate. The report describes the lengths to which one adversary went to try to install a backdoored SSH service in a technology company’s environment without detection. The activities that followed indicated the adversary had every intention of achieving persistence and returning to conduct further activity on the host — plans that were ultimately thwarted by OverWatch.

How to Safeguard Your Organization

In the first six months of 2020, OverWatch saw interactive cyber intrusions on an unprecedented scale. These hands-on-keyboard attacks attempt to blend into normal traffic patterns to evade automated detection. This report shows how vigilant threat hunting leaves adversaries with nowhere to hide.

At the same time, security hygiene still matters, and it is crucial that all organizations start with a strong and proactive security posture. Worryingly, compromised credentials, internet-exposed applications and unpatched vulnerabilities continue to be found at the scene of the crime. Getting these basics right matters when it comes to protecting your environment. 

Finally, to stay ahead of the adversaries, it is crucial that defenders are aware of the most current adversary tradecraft and intrusion trends. For a deep dive into the threats that your organization could be facing now, and in the coming months, download 2020 Threat Hunting Report: Insights from the CrowdStrike Falcon® OverWatch Team.

Additional Resources

Related Content