CrowdStrike reveals surge in identity-based attacks

News Desk


CrowdStrike has unveiled the latest edition of its Threat Hunting Report for 2023, shedding light on the prevailing attack patterns and adversary strategies observed by CrowdStrike's threat hunters and intelligence analysts. This sixth annual report documents a significant upsurge in identity-focused breaches, growing adversary proficiency in targeting cloud environments, a tripling in adversaries' use of legitimate remote monitoring and management (RMM) tools, and a record low in the time adversaries take to move laterally after an initial compromise.

Spanning the period from July 2022 to June 2023, this report marks the inaugural publication by CrowdStrike’s newly introduced Counter Adversary Operations team, an announcement that was formally made at Black Hat USA 2023.

Key revelations from the report include:

– A remarkable 583% increase in Kerberoasting identity attacks, underscoring a substantial escalation in identity-driven breaches. The report discloses a nearly sixfold year-over-year surge in Kerberoasting, a technique adversaries use to obtain valid credentials for Microsoft Active Directory service accounts. This frequently grants attackers elevated privileges and enables them to persist undetected in victim networks for extended periods. Notably, 62% of all interactive breaches involved the abuse of valid accounts. Moreover, there was a 160% rise in attempts to acquire secret keys and other credentials via cloud instance metadata APIs.
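Kerberoasting leaves a distinctive trace in domain controller audit logs: one account requesting service tickets for many different service accounts in a short burst, typically with the legacy RC4 encryption type so the tickets are cheap to crack offline. The following detector is an added example and not code from the report or from CrowdStrike; it reads Windows Security Event 4769 records (the EventID, TargetUserName, ServiceName, TicketEncryptionType and IpAddress fields are real audit fields), while the log lines, the four-ticket threshold and the ten-minute window are constructed assumptions to be tuned per environment.

```python
"""Heuristic Kerberoasting detection over Windows Security Event 4769 records.

Added example, not CrowdStrike's code. Event 4769 ("a Kerberos service ticket
was requested") and its fields are real; the sample records, the threshold and
the window are constructed assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                 # legacy etype: these tickets are cheap to crack offline
DISTINCT_SERVICE_THRESHOLD = 4    # assumption: this many distinct RC4 service tickets ...
WINDOW = timedelta(minutes=10)    # ... from one account inside this window is suspicious

# Constructed sample records (one JSON object per line), not real telemetry.
SAMPLE_4769_LOG = """\
{"time": "2023-03-01T09:00:01", "EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.21"}
{"time": "2023-03-01T09:00:05", "EventID": 4769, "TargetUserName": "WS042$@CORP.LOCAL", "ServiceName": "FS01$", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.42"}
{"time": "2023-03-01T09:01:10", "EventID": 4769, "TargetUserName": "contractor1@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77"}
{"time": "2023-03-01T09:01:11", "EventID": 4769, "TargetUserName": "contractor1@CORP.LOCAL", "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77"}
{"time": "2023-03-01T09:01:12", "EventID": 4769, "TargetUserName": "contractor1@CORP.LOCAL", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77"}
{"time": "2023-03-01T09:01:13", "EventID": 4769, "TargetUserName": "contractor1@CORP.LOCAL", "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77"}
{"time": "2023-03-01T09:01:14", "EventID": 4769, "TargetUserName": "contractor1@CORP.LOCAL", "ServiceName": "svc_sharepoint", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77"}
{"time": "2023-03-01T09:01:15", "EventID": 4769, "TargetUserName": "contractor1@CORP.LOCAL", "ServiceName": "svc_exchange", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77"}
{"time": "2023-03-01T09:01:16", "EventID": 4769, "TargetUserName": "contractor1@CORP.LOCAL", "ServiceName": "FS01$", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77"}
{"time": "2023-03-01T09:30:00", "EventID": 4768, "TargetUserName": "contractor1@CORP.LOCAL", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.77"}
{"time": "2023-03-01T10:00:00", "EventID": 4769, "TargetUserName": "contractor1@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77"}
"""


def parse_events(text):
    """Parse newline-delimited JSON audit records; timestamps become datetimes."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return events


def is_roastable_request(ev):
    """A service-ticket request whose ticket could be cracked offline: RC4-encrypted,
    for a user (not computer) service account, and not the TGT itself."""
    svc = ev.get("ServiceName", "")
    return (ev.get("EventID") == 4769
            and ev.get("TicketEncryptionType") == RC4_HMAC
            and svc.lower() != "krbtgt"
            and not svc.endswith("$"))


def detect_kerberoasting(events, threshold=DISTINCT_SERVICE_THRESHOLD, window=WINDOW):
    """Return one alert per requesting account that asked for at least `threshold`
    distinct roastable service tickets inside any interval of length `window`."""
    by_user = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            by_user[ev["TargetUserName"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        best = None
        for i, start in enumerate(evs):          # slide a window over this account's requests
            deadline = start["time"] + window
            burst = [e for e in evs[i:] if e["time"] <= deadline]
            services = sorted({e["ServiceName"] for e in burst})
            if len(services) >= threshold and (best is None or len(services) > best["service_count"]):
                best = {
                    "user": user,
                    "source_ips": sorted({e["IpAddress"] for e in burst}),
                    "service_count": len(services),
                    "services": services,
                    "first_seen": burst[0]["time"].isoformat(),
                    "last_seen": burst[-1]["time"].isoformat(),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(parse_events(SAMPLE_4769_LOG)):
        print(json.dumps(alert, indent=2))
```

On the sample data only `contractor1` is flagged: five distinct RC4 service tickets in six seconds, with the `krbtgt` and computer-account (`FS01$`) requests excluded as noise, and the AES-encrypted request from `jsmith` ignored. The same logic would miss an attacker who requests AES tickets, so pair it with the mitigations it implies: long random passwords (or group managed service accounts) for anything with an SPN, and disabling RC4 for service accounts so that RC4 ticket requests become rare enough to alert on individually.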

– A 312% YoY escalation in adversaries leveraging legitimate RMM tools. This observation reinforces findings from CISA and highlights a mounting trend in which adversaries increasingly rely on well-known remote IT management applications to evade detection. The strategy lets them blend into normal enterprise activity while accessing sensitive data, executing ransomware attacks, or deploying tailored follow-on tactics.
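Because the RMM binaries themselves are legitimate and often signed, detection has to rest on context rather than on the file: which products the organisation actually sanctions, where they are installed, and what launches them. The audit below is an added example, not code from CrowdStrike or CISA. It reads process-creation records shaped like Sysmon Event 1 or Security Event 4688 output (Hostname, User, Image, ParentImage); the records, the sanctioned-product policy, the executable-name map and the list of suspicious parent processes are constructed for illustration and would be replaced by the organisation's own inventory.

```python
"""Flag RMM tool executions that fall outside a sanctioned baseline.

Added example, not CrowdStrike's or CISA's code. Input records mimic
process-creation telemetry; the policy, executable map and samples are constructed.
"""
import json
from pathlib import PureWindowsPath

# Executable name -> product. Constructed illustrative map; build yours from inventory.
RMM_EXECUTABLES = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "screenconnect.clientservice.exe": "ScreenConnect",
}

# Constructed policy: products the organisation has approved and where they should live.
SANCTIONED_RMM = {
    "ScreenConnect": {"install_prefix": r"C:\Program Files (x86)\ScreenConnect Client"},
}

# Parents that should never be launching a remote-access client (constructed list).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample process-creation records, not real telemetry.
SAMPLE_PROCESS_LOG = """\
{"Hostname": "HELPDESK-07", "User": "NT AUTHORITY\\\\SYSTEM", "Image": "C:\\\\Program Files (x86)\\\\ScreenConnect Client (a1b2)\\\\ScreenConnect.ClientService.exe", "ParentImage": "C:\\\\Windows\\\\System32\\\\services.exe"}
{"Hostname": "FIN-WS-12", "User": "CORP\\\\mlee", "Image": "C:\\\\Users\\\\mlee\\\\Downloads\\\\AnyDesk.exe", "ParentImage": "C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\OUTLOOK.EXE"}
{"Hostname": "ENG-WS-03", "User": "CORP\\\\akim", "Image": "C:\\\\Users\\\\akim\\\\AppData\\\\Local\\\\Temp\\\\ScreenConnect.ClientService.exe", "ParentImage": "C:\\\\Windows\\\\System32\\\\wscript.exe"}
{"Hostname": "HELPDESK-07", "User": "CORP\\\\tsmith", "Image": "C:\\\\Windows\\\\System32\\\\notepad.exe", "ParentImage": "C:\\\\Windows\\\\explorer.exe"}
"""


def parse_records(text):
    """Parse newline-delimited JSON process-creation records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_user_writable(image):
    """Heuristic: paths under a user profile's Downloads, AppData or Temp directories."""
    p = image.lower()
    return "\\users\\" in p and any(seg in p for seg in ("\\downloads\\", "\\appdata\\", "\\temp\\"))


def audit_rmm_executions(records, policy=SANCTIONED_RMM):
    """Return one finding per RMM execution that breaks the baseline, with reasons."""
    findings = []
    for rec in records:
        product = RMM_EXECUTABLES.get(PureWindowsPath(rec["Image"]).name.lower())
        if product is None:
            continue                                   # not an RMM binary we track
        reasons = []
        sanctioned = policy.get(product)
        if sanctioned is None:
            reasons.append("unsanctioned_rmm_tool")
        elif not rec["Image"].lower().startswith(sanctioned["install_prefix"].lower()):
            reasons.append("outside_sanctioned_install_dir")
        if is_user_writable(rec["Image"]):
            reasons.append("user_writable_path")
        if PureWindowsPath(rec["ParentImage"]).name.lower() in SUSPICIOUS_PARENTS:
            reasons.append("spawned_by_office_or_script")
        if reasons:
            findings.append({"host": rec["Hostname"], "user": rec["User"], "product": product,
                             "image": rec["Image"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_rmm_executions(parse_records(SAMPLE_PROCESS_LOG)):
        print(json.dumps(f, indent=2))
```

The sanctioned ScreenConnect client on the help-desk host passes cleanly, while the AnyDesk binary launched from Outlook and the ScreenConnect client running out of a Temp directory are both surfaced with the reasons that make them worth a look. The check that does the real work is the policy: an organisation that has not written down which RMM products it allows, and where, cannot tell a technician's session from an adversary's.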

– Adversary breakout time hitting a historic low of 79 minutes. The average period taken by adversaries to move laterally from their initial compromise to other systems within the victim’s environment has decreased from the previous record of 84 minutes in 2022, setting a new benchmark at 79 minutes in 2023. Impressively, the fastest breakout time recorded during the year was a mere seven minutes.

– The financial sector witnessing an astounding 80% YoY rise in interactive breaches. Defined as intrusions involving direct hands-on keyboard activity, interactive breaches saw an overall uptick of 40%.

– A 147% surge in Access Broker advertisements within criminal or underground communities. This proliferation of easily obtainable valid accounts diminishes the barrier to entry for cybercriminals seeking to carry out illicit operations. Established adversaries also leverage this availability to refine their post-exploitation techniques, thereby enhancing the efficiency of their objectives.

– A threefold increase in adversaries' use of the Linux privilege-escalation tool linPEAS against cloud environments. CrowdStrike detected a notable rise in adversary adoption of linPEAS, which enumerates cloud instance metadata, network attributes, and various credentials on a compromised host, information that adversaries then use to advance their attacks.
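Both the metadata-API credential theft noted above and the linPEAS enumeration described here reach the same place: the link-local instance metadata service, which only a short list of legitimate agents on a given host should ever contact. The detector below is an added example and not code from CrowdStrike or from the linPEAS project. It reads network-connection events shaped like EDR telemetry from a Linux host (time, host, comm, exe, parent_comm, user, tty, dest_ip, dest_port); the sample records and the allowlist of expected metadata consumers are constructed and would be replaced by the environment's own baseline.

```python
"""Flag processes that contact the cloud instance metadata service (IMDS)
without being an expected agent.

Added example, not CrowdStrike's or linPEAS's code. Input records mimic EDR
network-connection events; the allowlist and the samples are constructed.
"""
import json
from collections import Counter

# Link-local metadata endpoints; AWS, GCP and Azure all answer on the IPv4 address.
IMDS_ADDRESSES = {"169.254.169.254", "fd00:ec2::254"}

# Constructed allowlist of binaries expected to read metadata on this fleet.
EXPECTED_IMDS_CLIENTS = {
    "/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent",
    "/usr/bin/amazon-ssm-agent",
}
GENERIC_HTTP_TOOLS = {"curl", "wget"}
SHELLS = {"bash", "sh", "dash", "zsh"}

# Constructed sample events, not real telemetry. The repeated curl calls from an
# interactive shell are what a host-enumeration script looks like from the outside.
SAMPLE_NETCONN_LOG = """\
{"time": "2023-05-02T14:00:00", "host": "web-01", "comm": "amazon-cloudwatc", "exe": "/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent", "parent_comm": "systemd", "user": "root", "tty": "", "dest_ip": "169.254.169.254", "dest_port": 80}
{"time": "2023-05-02T14:07:01", "host": "web-01", "comm": "curl", "exe": "/usr/bin/curl", "parent_comm": "bash", "user": "ec2-user", "tty": "pts/0", "dest_ip": "169.254.169.254", "dest_port": 80}
{"time": "2023-05-02T14:07:02", "host": "web-01", "comm": "curl", "exe": "/usr/bin/curl", "parent_comm": "bash", "user": "ec2-user", "tty": "pts/0", "dest_ip": "169.254.169.254", "dest_port": 80}
{"time": "2023-05-02T14:07:03", "host": "web-01", "comm": "curl", "exe": "/usr/bin/curl", "parent_comm": "bash", "user": "ec2-user", "tty": "pts/0", "dest_ip": "169.254.169.254", "dest_port": 80}
{"time": "2023-05-02T14:07:05", "host": "web-01", "comm": "curl", "exe": "/usr/bin/curl", "parent_comm": "bash", "user": "ec2-user", "tty": "pts/0", "dest_ip": "93.184.216.34", "dest_port": 443}
{"time": "2023-05-02T14:10:00", "host": "api-02", "comm": "python3", "exe": "/usr/bin/python3", "parent_comm": "systemd", "user": "app", "tty": "", "dest_ip": "169.254.169.254", "dest_port": 80}
"""


def parse_events(text):
    """Parse newline-delimited JSON connection events."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(ev):
    """Return a finding for an unexpected IMDS client, or None for allowed traffic."""
    if ev["dest_ip"] not in IMDS_ADDRESSES or ev["exe"] in EXPECTED_IMDS_CLIENTS:
        return None
    reasons = ["unexpected_imds_client"]
    if ev["comm"] in GENERIC_HTTP_TOOLS:
        reasons.append("generic_http_client")      # not an agent, a hand-driven fetch
    if ev.get("parent_comm") in SHELLS:
        reasons.append("spawned_from_shell")
    if ev.get("tty"):
        reasons.append("interactive_session")      # agents do not have a terminal
    return {"time": ev["time"], "host": ev["host"], "user": ev["user"], "exe": ev["exe"],
            "reasons": reasons, "severity": "high" if len(reasons) >= 3 else "medium"}


def detect_imds_access(events):
    """Findings for every IMDS connection that is not from an allowlisted binary."""
    return [f for f in map(classify, events) if f is not None]


def findings_by_host(findings):
    """Per-host hit counts; a burst on one host signals enumeration rather than a one-off."""
    return dict(Counter(f["host"] for f in findings))


if __name__ == "__main__":
    found = detect_imds_access(parse_events(SAMPLE_NETCONN_LOG))
    print(json.dumps(found, indent=2))
    print(findings_by_host(found))
```

The CloudWatch agent is ignored, the three curl fetches from an interactive shell on `web-01` come back as high severity, and the unattended Python process on `api-02` is a medium-severity hit that is most likely an application legitimately fetching role credentials, which is exactly the kind of client to add to the allowlist after confirmation rather than to suppress blindly. The host-side view complements the service-side mitigation: requiring session-token-based metadata access (IMDSv2 on AWS) blocks the simplest one-shot credential fetches and gives the cloud provider's logs a second vantage point on the same activity.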

Adam Meyers, Head of Counter Adversary Operations at CrowdStrike, emphasized, “In our monitoring of over 215 adversaries in the past year, we have observed a threat landscape that has evolved in complexity and depth as threat actors shift towards novel tactics and platforms. This includes the manipulation of valid credentials to exploit vulnerabilities in software and cloud infrastructures. When we address breach prevention, it’s crucial to acknowledge the undeniable reality that adversaries are becoming faster and are employing deliberate tactics to evade conventional detection methods. Security leaders must challenge their teams to possess the requisite solutions to halt lateral movement by adversaries within a mere seven-minute timeframe.”
