2022 Falcon OverWatch
Threat Hunting Report
Intrusions intensify, complexity escalates
2022 continues to demonstrate that proactive, human-led threat hunting is no longer optional: it is a necessity for detecting and disrupting advanced attacks and keeping evolving adversaries at bay.
In this exclusive report, the CrowdStrike® Falcon OverWatch™ threat hunting team provides a look into the adversary tradecraft and tooling they observed from July 1, 2021 to June 30, 2022. The report also includes actionable tips for organizations and threat hunters to get ahead and stay ahead of today's stealthiest, most sophisticated cyber threats.
The data speaks for itself
77,000: potential intrusions stopped by OverWatch
7 minutes: average time in which potential intrusions were uncovered by OverWatch
1+ million: malicious events prevented
50%: increase in interactive intrusions
71%: of threats detected by OverWatch were malware-free
1 hour 24 minutes: average eCrime breakout time
Key highlights
CVEs, zero-days and beyond
The proliferation of newly disclosed vulnerabilities and zero-days is putting organizations at unprecedented risk. Threat actors are weaponizing these vulnerabilities faster than ever before, leaving targeted organizations little time to react. Learn why a proactive approach to threat hunting will be crucial to staying ahead of these increasing risks, and how organizations can get there.

Same ransomware, unique tradecraft
Lucrative ransomware-as-a-service (RaaS) models are a big driver of eCrime intrusion activity. A vast array of affiliates are capitalizing on the availability of RaaS offerings, employing diverse patterns of adversary tradecraft. In the report, the OverWatch team shares four case studies illustrating some of the different approaches observed in RaaS affiliate intrusions.

Tradecraft deep dive: emerging, trending and mainstay tools
Despite the prevalence of malware-free attacks, OverWatch continues to observe adversaries employing a diverse range of tooling in their attacks. This report dives in and analyzes the emerging, trending and mainstay tools and tradecraft in depth — highlighting capabilities and tactics that rose to the forefront and novel methods previously unseen in the wild.

Identities are under siege
Over the last 12 months, OverWatch observed significant abuse of valid and compromised credentials. Identity-based techniques rose to the top of six tactics in the MITRE ATT&CK® Framework: Initial Access, Persistence, Privilege Escalation, Defense Evasion, Credential Access and Discovery. Learn what your organization can do to keep its identities safe.

Phishing: out with macros, in with ISO
Adversaries immediately began to shift phishing tactics when Microsoft announced earlier this year that VBA macros — a tried-and-true malware delivery tactic — would be disabled by default across its Office product line. Rather than move away from phishing campaigns altogether, attackers adopted alternative tooling, replacing malware-laden macros with similarly weaponized container files such as ISO, ZIP and RAR archives, among others. Read the report for detailed case studies examining this tactic and hunting strategies to identify ISO phishing attempts.

Adversaries take to the cloud
Intrusion activity in cloud applications and infrastructure is on the rise. In this report, OverWatch details two cloud-based attacks to illustrate how adversaries operate in cloud environments and weaponize key components at different stages of their intrusion. The report also provides action items, guidance and considerations for defenders when evaluating their cloud environment. Falcon OverWatch Cloud Threat Hunting™ applies the same systematic and comprehensive hunting methodology while adding new tooling and telemetry for granular visibility down to the control plane.

Get the 2022 Falcon OverWatch Threat Hunting Report