Intelligence in Tech Dives
CRWD Report 2024 V3

Adaptability and Perseverance – Breaking Down CrowdStrike’s Perspective on the 2024 Global Threat Landscape

By Daniela Villalobos + Mitchel Sykes
Posted on Mar 05 / 2024

As cyberwarfare continues to evolve, the landscape of cyberattacks grows increasingly complex. Identifying these trends is essential for organizations seeking to strengthen their defenses and stay one step ahead of emerging threats. Echelon is proud to be a strategic services partner with CrowdStrike globally. We use the Falcon platform for our tech-enabled services, as well as leverages the threat intelligence CrowdStrike provides to help prevent breaches.

About the CrowdStrike 2024 Global Threat Report

Our team follows CrowdStrike’s annual Global Threat Report for awareness of the global perspectives regarding cybersecurity trends. Based on the firsthand observations of the CrowdStrike Intelligence and Falcon OverWatch threat hunting teams, this report outlines the biggest threats organizations have faced in the previous year, and how the threat landscape will develop into the new year.

As we move through 2024, we need these strategic perspectives to help us guide a cybersecurity program attuned to real risks. This year’s report provides crucial insights into what security teams need to know and do in an increasingly ominous threat landscape.

This article summarizes key takeaways from the report, provides a breakdown of the top five 2023 themes, and gives our take on some recommendations for staying ahead in 2024 and beyond.

Threat Landscape Overview – Key Takeaways

Understanding the current cybersecurity landscape and evolving adversary threats is critical to preventing breaches and keeping ahead of the adversaries. The report explains how threat activity is increasing and identifies which threat vectors are more frequently leveraged.

As migration into the cloud continues, adversaries have continued to become more cloud-conscious.

According to the report, in 2023 there was a 110% increase of cloud-conscious cases, as well as a 75% increase of intrusions into cloud environments as compared to 2022 numbers.

The trend of adversaries using interactive instruction technique attacks continued into 2023.

Threat actors are conducting campaigns with more hands-on keyboard actions compared to automated tools and approaches. CrowdStrike Intelligence noticed a 60% increase in interactive intrusion campaigns compared to 2022. Additionally, they noted a 73% increase in the second half of 2023 compared to 2022. The most targeted industries for these attacks were technology, telecommunications, and finance.

The average time for adversaries to move laterally from the first compromised host to other hosts declined significantly in 2023.

According to the report, the average time for lateral movement during interactive instruction activity decreased from 84 minutes in 2022 down to 62 minutes in 2023. The shortest time CrowdStrike observed was only 2 minutes and 7 seconds.

Access broker advertisements continued to rise in 2023.

CrowdStrike Intelligence found that the number of accesses being advertised increased by almost 20% compared to 2022. CrowdStrike observed a total of 2,992 access broker advertisements in 2023.

Themes of Advanced Persistent Threats

CrowdStrike notes some clear trends for this year. While some of them persist from previous years, new threats emerge during the current global context. The report highlights the trends of the actions taken by adversaries, and what their primary targets were.

#1

CrowdStrike recorded a 583% increase in Kerberoasting attacks in 2023.

There has been a significant rise in identity-based and social engineering attacks targeting sensitive information like API keys, session cookies, and one-time passwords (OTPs). Adversaries exploit these to gain unauthorized access, bypassing MFA safeguards. Notably, COZY BEAR has conducted sophisticated phishing campaigns via Microsoft Teams, manipulating users into providing MFA tokens for Microsoft 365 accounts.

#2

Adversaries continue to develop cloud-consciousness.

Defined as threat actors who are aware of the ability to compromise cloud workloads to abuse features, cloud-conscious attacks observed by CrowdStrike rose by 110% on 2023. To gain initial access, adversaries often exploit valid credentials, as seen in instances where INDRIK SPIDER accessed Azure Key Vault credentials.

#3

Third-party relationship exploitation is emerging as a significant threat vector.

Threat actors take advantage of vendor-client relationships to deploy malicious tooling via two key techniques: compromising the software supply chain using trusted software to spread malicious tooling and leveraging access to vendor supplying IT services. The motivation is simple – potential return on investment, since one compromised organization can lead to hundreds or thousands of follow-on targets. In 2023, nearly every trusted-relationship compromise originated as part of an intrusion at a technology sector organization that provides commercial software.

#4

Under-the-radar exploitation tactics have evolved in response to increased popularity of traditional endpoint detection and response (EDR) sensors.

Threat actors have shifted their focus to the network periphery, where the visibility of EDR tools is reduced due to the absence or inability to support a sensor on those endpoints. Throughout 2023, unmanaged network devices remained a prevalent initial access vector for exploitation. These devices, often based on obsolete architectures, are vulnerable to widely exploited vulnerabilities in platforms from major providers such as Cisco, Citrix and F5. Additionally, products that have reached end-of-life (EOL) have become targets for exploit development, as they cannot be patched and are incompatible with modern sensor deployment.

#5

Generative AI use lowers the entry barrier to threat landscape for less sophisticated threat actors.

AI’s rapid expansion in late 2022 has opened new possibilities for threat actors. In February 2023, INDRIK SPIDER was implicated in an incident involving BITWISE SPIDER’s LockBit RED ransomware. During the investigation, it was discovered that INDRIK SPIDER used search engines and visited ChatGPT to understand how to exfiltrate Azure Key Vault credentials, suggesting the use of generative AI to close knowledge gaps despite their relative newness to cloud environments.

#6

Israel-Hamas Conflict: Cyber Operations focus on disruption and influence.

Their main target has been operational technology and critical systems. Since the onset of the conflict, internet connectivity in the Gaza Strip has been significantly degraded almost certainly due to a combination of kinetic activity, power outages and distributed denial-of-service (DDoS) attacks. Most conflict-driven cyber operations observed involve a combination of hacktivist activity and operations orchestrated by suspected faketivists.

Understanding Adversarial Tactics – Disclosing Their Strategies and Goals

Last year, CrowdStrike detected 34 new APTs, bringing the total up to 232. Motives are clear but the methods are diverse. The report highlights the actions and primary targets of these adversarial groups, shedding light on who your organization might be facing and why.

Nation-state actors have become increasingly sophisticated.

They use social engineering to exploit identity-based vulnerabilities, bypassing multifactor authentication (MFA) to access cloud environments. Their goal is unmistakable: gather strategic intelligence, intellectual property, and personal data in order to gain an advantage over the targeted nation.

eCrime groups have witnessed a notable surge.

Driven by their relentless pursuit of monetization through different means such as ransomware deployment, data-theft extortion, and access brokers. The primary targets for these groups are cloud environments where they exploit APIs, secrets, and policies that are native to cloud infrastrucutre. To move laterally and gain access, eCrime groups frequently rely on a combination of valid credentials, social engineering techniques and unmanaged vulnerabilities.

Hacktivist activity has seen a notable increase due to arising conflicts.

Marked by their strategic targeting of critical infrastructure, media outlets, and government entities, their aim is to cause disruption, exert influence, or inflict damage in support of various political or social causes.

Emergence of Faketivists due to arising conflicts.

Faketivism denotes the actions of entities presenting themselves as hacktivist groups but are more likely fronts for governmental or professional entities. To create an illusion of authenticity, they often adopt the imaginary, rhetoric, tactics and occasionally the names of established hacktivist groups.

Ways to Stay Ahead in 2024

In 2023 the threat landscape changed in many ways and will continue to evolve. Additionally, it showed a continuation of trends from 2022. Here are some ways you can protect your organization against threats and adversary actions.

Identity Protection is a Necessity.

Identity-based and social engineering attacks continue to increase due to the high success rate of such attacks. It is crucial to implement and enforce secure and phishing-resistant multifactor authentication (MFA) methods. Adversaries will commonly attempt to access accounts using legacy authentication protocols to avoid MFA. This makes it necessary to ensure MFA is extended to legacy systems and protocols. Prioritize the decommissioning of legacy protocols and systems. To combat other advanced MFA bypass and access methods, consider implementing a tool or technology that can offer cross-domain visibility and continuous monitoring for unusual and malicious behavior.

Increase Focus on Protecting Cloud Workloads and Applications.

The continued adoption of cloud-based solutions - and the attacks leveraged against them - has rapidly increased. Having full visibility into your cloud environments, including APIs and applications, helps identify and eliminate misconfigurations, vulnerabilities, and other security threats. Many default configurations in cloud platforms are not best practices nor secure enough for production workloads.

Ensure visibility across critical areas of enterprise risk.

Adversaries often use legitimate credentials when accessing environments, making it very difficult for security teams to differentiate nefarious activity from that of a normal user. Relying on multiple disparate security tools creates gaps in visibility. Consolidate tools into a single platform to increase security team efficiency when responding to incidents.

Promote a Cybersecurity Culture.

With the continual rise of malware-free and identity-based attacks, the need for user education on phishing and social engineering techniques has never been more critical. The most skilled security team with the most advanced toolset could be thwarted by an adversary convincing a user to fall for a social engineering scheme. For security teams it is critical that they routinely undergo tabletop exercises and red/blue teaming to assist in identifying gaps and weaknesses within the environment.

The Bottom Line

The cybersecurity threat landscape is constantly evolving. The themes outlined here represent the most common and public adversary activity of 2023, but attack paths continue to be highly diverse.

Organizations should consider how they prioritize identity protection, securing cloud assets, ensuring visibility, and promoting a security minded culture to keep up with the constant change.

At Echelon, we are fortunate to partner with CrowdStrike as we leverage their tools and threat intelligence to prevent breaches. Our team regularly uses their threat intelligence along with our own research and testing to gain crucial insights into the global threat landscape to better protect our clients. We hope that our summary on the latest threat intelligence will help you mature your cyber program to keep up with the evolving threats.

If you want to know more, please use the link below to view and download the full CrowdStrike 2024 Global Threat Report to learn more. Read and download the full CrowdStrike report here.

CRWD Global Threat Report 2024
Click to download the full CrowdStrike report.

Elevating Cybersecurity Together: Explore the Strength of Echelon and CrowdStrike Partnership

As we conclude our exploration of the 2024 Global Threat Landscape, we're proud to highlight our robust collaboration with CrowdStrike. Echelon, as a strategic partner, offers clients a powerful cybersecurity solution integrating advanced threat detection seamlessly with CrowdStrike's endpoint protection.

Our joint capabilities go beyond transactions, showcasing a commitment to mutual success and continuous enhancement. Together, Echelon Risk + Cyber and CrowdStrike redefine cybersecurity standards with efficient collaboration, proven security solutions, and tailored services.

Discover how our combined expertise strengthens your resilience against evolving cyber threats.

Echelon CROWD LOGOS 2
Sign up to get Cyber Intelligence Weekly in your inbox.
Latest Intelligence