Another turbulent year for cybersecurity finds itself right at home alongside global economic headwinds and geopolitical tensions. This year has been defined by rampant affiliate activity, a seemingly endless stream of new vulnerabilities and exploits, and the widespread abuse of valid credentials. These circumstances have conspired to drive a 50% increase in interactive intrusion activity tracked by CrowdStrike Falcon® OverWatch™ threat hunters this year.

The CrowdStrike 2022 Falcon OverWatch Threat Hunting Report examines the trends that dominated the past year, digs deeper into novel and interesting examples of adversary tradecraft, and looks ahead at how and where threats are evolving. 

Defenders can share in the insights derived from the global OverWatch threat hunting program. In this past year alone, OverWatch threat hunters directly identified more than 77,000 potential intrusions, or approximately one potential intrusion every seven minutes. This extensive visibility at the cutting edge of interactive intrusion activity provides an unparalleled look at how adversary tradecraft and tooling are being used today — empowering defenders to stay ahead of the adversaries tomorrow. 

What You’ll Find in This Year’s Report

• A look at some of the vulnerabilities that made headlines, and evidence of how focusing on patterns of post-exploitation activity provides both proactive and comprehensive coverage against known and unknown vulnerabilities.
• An exploration of the diversification of affiliate tradecraft, including a comparison of four distinct intrusions all leveraging the Lockbit ransomware-as-a-service model.
• Insights into adversary tooling with a look at what is trending and what is emerging.
• An intrusion deep dive that examines a targeted PANDA intrusion against an organization in the technology industry.
• A look at escalating eCrime threats targeting the healthcare sector and recommended action items for defenders.
• Details of the re-emergence of ISO files in phishing campaigns as internet-enabled macros begin to be disabled.
• A look at cloud-based threats, as well as adversaries’ ability to confidently navigate cloud-based assets to advance their intrusions.

In addition to unearthing a record number of interactive intrusions over the course of this year, OverWatch’s research has fed the continual improvement of the CrowdStrike Falcon®^® platform. The insights drawn from OverWatch’s hunting and deep familiarity with adversary tradecraft have been distilled into hundreds of new behavioral-based preventions, resulting in the direct prevention of over 1 million malicious events by the Falcon platform. OverWatch also closed out this year’s reporting period with five new patents to its name — a recognition of the innovative tooling and technologies that enable hunters to pinpoint adversary activity with speed and at scale.  Finally, OverWatch has introduced Falcon OverWatch Cloud Threat Hunting™, taking the fight to the adversary amid growing evidence that adversaries are actively going after cloud workloads.

In the face of both emerging and enduring threats, OverWatch has continued to raise the bar of what it means to conduct truly proactive human-driven threat hunting operations. 

Download the report. 

Additional Resources

• Learn more about hands-on-keyboard threats and the power of human-led threat hunting at Fal.Con 2022, the cybersecurity industry’s most anticipated annual event. Register now and meet us in Las Vegas, Sept. 19-21!  
• Tune in to Twitter Spaces on September 19 at 11:30 a.m. PT / 2:30 p.m. ET to hear from experts live at Fal.Con 2022 as they highlight key takeaways from the report. Listen live here. 
• Adversaries never take a break — and neither does the Falcon OverWatch threat hunting team. Join them for a LIVE CrowdCast on October 6 at 11 a.m. PT / 2 p.m. ET as they share new attack trends and tradecrafts from the new report. Register here.  
• Read the press release announcing the new 2022 Falcon OverWatch Threat Hunting Report.
• Learn more about the CrowdStrike Falcon® platform by visiting the product webpage.
• Test CrowdStrike next-gen AV for yourself. Start your free trial of Falcon Prevent™ today.