CrowdStrike Releases Casebook on Cyber Intrusion Trends and Attack Techniques Employed By Advanced Adversaries
- CrowdStrike Cyber Intrusion Services Casebook provides lessons learned and corporate intrusion trends, based on a comprehensive review of incident response investigations conducted over the past three years;
- Organizations are faced with defending against multiple concurrent attacks with reinfection attempts starting immediately following intrusion discovery;
- Adversaries go after the most critical credentials and aim to execute enterprise and domain credential theft to avoid detection;
Irvine, CA – November 3, 2015 – CrowdStrike Inc., provider of the first true Software-as-a-Service (SaaS) based next-generation endpoint protection platform, today released its first CrowdStrike Cyber Intrusion Services Casebook offering key takeaways on emerging trends in cyber intrusions and notable adversary tactics, techniques, and procedures (TTPs). The data has been collected and analyzed, based on a comprehensive review of incident response investigations conducted over the past three years on behalf of organizations across various industries.
“Defending against complex and constantly evolving attacks from sophisticated and well-resourced adversaries requires the execution of incident response strategies that are continuously evolving and more deeply vigilant than ever before,” said Shawn Henry, President of CrowdStrike Services. “As adversaries continue to adapt to evade conventional defenses, CrowdStrike is committed to equipping customers with the detection, prevention, and investigation capabilities and expertise they need to limit their exposure and vulnerability to attacks. Preparation is the most significant aspect to lowering business risk.”
Highlights and key findings:
- Operating under Attack is the New Normal. Nearly all affected organizations experienced almost immediate reinfection attempts. On average, adversaries engage in aggressive infection reattempt efforts within two days of remediation efforts.
- Organizations Need to Defend Against Multiple Concurrent Attackers. In a quarter of the examined cases, CrowdStrike identified multiple distinct adversary teams operating in the victim environment. Defending against multiple adversaries carrying out concurrent attacks within an enterprise environment requires development of advanced surveillance capabilities and an ongoing, evolving understanding of attacker tradecraft, motivations and tool sets.
- Self-Detection Is Gaining with 57% of Organizations Discovering Breaches Internally. CrowdStrike has seen a marked increase in the number of organizations self-detecting breaches, far above what has been previously reported. We attribute this to two factors: organizational maturity and improved endpoint and network detection technology.
- Compromised Accounts Used Sparingly, Making Detection More Difficult. Adversaries are leveraging stealthier, often malware-free intrusion tactics and are becoming more cautious about account usage to remain unnoticed for as long as possible.
- Credentials are a Critical Tactic. The most common goal of attackers upon initial entry into the network is to secure domain and enterprise credentials to maximize chances of staying unnoticed and moving laterally across the environment.
- Experienced Staff and Mature Processes Are Defining Factors of a Rapid Breach Recovery. The review of CrowdStrike investigations found wide variation in the duration of investigations. The biggest factors determining the length and breadth of engagements revolved around the maturity of the processes and people responsible for security, visibility, and response activities at the enterprise site. Established relationships with external service providers and internal stakeholders such as IT, Legal, and Operations are also precursors to success.
“Organizations need to stay cognizant of emerging trends and changing adversary tactics to effectively detect breaches and minimize the impact that cyber attacks have on the integrity and safety of their assets,” said Wendi Whitmore, Vice President of CrowdStrike Services. “Today, staying ahead of the adversary requires implementation of advanced detection capabilities and an ongoing, evolving understanding of attacker tradecraft, motivations and toolsets.”
To download the full CrowdStrike Cyber Intrusion Services Casebook, please click here.
CrowdStrike™ is a leading provider of next-generation endpoint protection, threat intelligence, and pre- and post-incident response services. CrowdStrike Falcon® is the first true Software-as-a-Service (SaaS) based platform for next-generation endpoint protection that detects, prevents, and responds to attacks, at any stage—even malware-free intrusions.
About CrowdStrike Services
CrowdStrike Services equips organizations with the protection they need to defend against and respond to security incidents.
Leveraging CrowdStrike’s world-class threat intelligence and next-generation endpoint protection platform, the CrowdStrike incident response team helps customers around the world identify, track and block attackers in near-real time. This unique approach allows CrowdStrike to curtail unauthorized access faster, so our customers can resume normal operations sooner. CrowdStrike’s Incident Response Consultants also offer proactive services to improve organizations’ ability to anticipate threats, prepare their networks, and ultimately prevent damage from cyber attacks.