
Adaptability and Perseverance – Breaking Down CrowdStrike’s Perspective on the 2022 Global Threat Landscape

The year 2021 brought about some serious challenges, from the continuation of the global pandemic to worldwide pockets of economic turmoil. Now the specter of war in Europe hangs over the world as we move into 2022.

This increased disruption has set the stage for the escalation of cyber threats globally.

About the CrowdStrike 2022 Global Threat Report

CrowdStrike’s annual Global Threat Report is an insightful piece of research that our team relies on to validate global perspectives regarding cybersecurity trends. Based on firsthand observations of the CrowdStrike Intelligence team and Falcon OverWatch threat hunting team, the report outlines the biggest threats organizations have faced in the previous year, and how the threat landscape will develop moving forward.

As we move through 2022, these perspectives can help guide a risk-attuned and smart cybersecurity program. This year’s full report provides crucial insights into what security teams need to know and do in an increasingly ominous threat landscape.

In this article, I'll summarize key takeaways from the report, provide a breakdown of the five 2021 themes, and give our take on seven recommendations to stay one step ahead in 2022.

Threat Landscape Overview – Key Takeaways

Understanding the modern cybersecurity landscape and evolving adversary tradecraft is critical to staying ahead of today’s threats and stopping breaches. The report highlights how fast threat activity is increasing, with no signs of slowing down.

Our key takeaways:

The threat landscape is ever evolving, with ransomware ramping up. According to the report, CrowdStrike Intelligence observed an 82% increase in ransomware-related data leaks in 2021 over the previous year. Industrial and engineering was the most targeted industry, so it’s never been more important to stay vigilant.

Adversaries have continued moving beyond malware towards living off the land. They leverage common services and tools native to the OS to aid in defense evasion. Of all detections indexed by the CrowdStrike Security Cloud in the fourth quarter of 2021, 62% were malware-free.

Five Themes of Advanced Persistent Threats

Threat actors are ramping up innovation on how they use identities and stolen credentials to bypass legacy defenses – all to reach their goal, which is your data. This year's report highlights the observed trends of modern nation state actors and how they used native tooling to gain and maintain their foothold.

  1. Wizard Spider targets the engineering vertical. By leveraging two native utilities, BITSadmin and Rundll32, to download and execute their custom tooling, they were able to establish a foothold on a domain controller using a valid domain account. Command and control was established by encoding outbound traffic over the DNS protocol.
  2. Iranian adversary groups target multiple organizations within the U.S., Israel, and the Greater Middle East. One particular group, Nemesis Kitten, used BitLocker to perform lock-and-leak operations using a unique ransomware variant called SunDawn. While they were persistent with their attempts to evade defenses and gain persistence, CrowdStrike’s Falcon Sensor blocked them at every turn.
  3. Chinese threat actors showed a 6X increase in their attempts to exploit vulnerabilities over the previous year. Microsoft Exchange was one of the prime targets, with the adversaries leveraging vulnerabilities known as ProxyLogon and ProxyShell. The hacker group Wicked Panda was observed leveraging the Exchange vulnerabilities against a European-based company. This group also used many 'live off the land' techniques to extract credentials from the affected hosts.
  4. Log4Shell. This vulnerability gained quite the reputation in 2021, with nearly every threat actor attempting to exploit this Apache tool. The OverWatch team observed the adversarial group Prophet Spider leveraging the vulnerability to compromise a VMware Horizon web component to extract credentials.
  5. The cloud continues to be a prime attack vector, with many businesses fully dependent on cloud services. While cloud solutions can result in more agile operations and the transfer of certain risks, the application of security controls must not be overlooked. Vulnerability exploitation, service provider abuse and misconfigured Docker containers are just a few of the attack vectors observed in 2021.

Seven Ways to Stay One Step Ahead in 2022

2021 was an eventful year in the information security world and it’s going to undoubtedly ramp up in 2022.

Here are seven steps you can take to begin protecting your organization’s data against the ever-evolving threat landscape.

Move away from legacy antivirus to behavior-based endpoint detection and response (EDR) tools like CrowdStrike’s Falcon Insight. Falcon Insight runs at the process level to identify anomalous activity, unlike traditional antivirus, which relies on malicious signatures for detection. This will help identify and block the ‘live off the land’ techniques seen in almost every case study.

Restrict and monitor scheduled tasks. Task Scheduler is commonly used by attackers to maintain persistence, as seen in the case studies. Restricting the settings for scheduled tasks to run under the context of the authenticated account - instead of as SYSTEM - will then allow you to monitor new task creations more closely.
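One way to review new task creations, as an added example that is not taken from the CrowdStrike report: it parses the task definition XML that Windows records with a task-creation event (Security event 4698 when that auditing is enabled) and flags tasks that run as SYSTEM or launch the two native utilities named in the Wizard Spider case study. Both task definitions and the function name `review_task` are constructed for illustration.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_IDS = {"s-1-5-18", "system", "nt authority\\system"}
LOLBINS = {"bitsadmin.exe", "rundll32.exe"}  # native utilities named in the case study

# Constructed samples of the task definition carried in a task-creation event.
TASK_AS_SYSTEM = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\rundll32.exe</Command>
    <Arguments>C:\ProgramData\example.dll,Start</Arguments>
  </Exec></Actions>
</Task>"""

TASK_AS_USER = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author">
    <UserId>S-1-5-21-1111111111-2222222222-3333333333-1105</UserId>
  </Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>"C:\Program Files\Backup\backup.exe"</Command>
  </Exec></Actions>
</Task>"""

def review_task(task_xml):
    """Return findings for one task definition (empty list = nothing flagged)."""
    root = ET.fromstring(task_xml)
    findings = []
    # A task whose principal is the SYSTEM account runs outside any user context.
    for uid in root.findall("t:Principals/t:Principal/t:UserId", NS):
        if (uid.text or "").strip().lower() in SYSTEM_IDS:
            findings.append("runs-as-system")
    # Compare only the executable name, whatever directory the command points at.
    for cmd in root.findall("t:Actions/t:Exec/t:Command", NS):
        exe = ntpath.basename((cmd.text or "").strip().strip('"')).lower()
        if exe in LOLBINS:
            findings.append("lolbin:" + exe)
    return findings

if __name__ == "__main__":
    for name, xml_text in (("system task", TASK_AS_SYSTEM), ("user task", TASK_AS_USER)):
        print(name, review_task(xml_text) or "ok")
```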

Bolster your vulnerability management program. It’s no secret that vulnerabilities are a common method of initial access. Your vulnerability management program should have a clear roadmap for vulnerability identification, triage, and remediation. Tackling exploitable vulnerabilities on external facing assets vastly reduces your attack surface, and time to remediate is increasingly critical.

Improve your visibility and security controls surrounding identity management and the use of credentials. Be alerted of new account creation, and control access surrounding existing accounts, particularly as they pertain to who can access what in an Active Directory environment.

Control and monitor your outbound internet traffic, and restrict and monitor traffic over key protocols. For example, DNS is often used in data exfiltration, so outbound DNS should only be allowed to trusted DNS providers.
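A sketch of that DNS check, added here as an example and not taken from the CrowdStrike report: it flags queries sent to a resolver outside an allowlist and query names with a long, high-entropy label, the pattern left by traffic encoded over DNS as in the Wizard Spider case. The log format, resolver addresses and thresholds are assumptions to replace with your own.

```python
import math
from collections import Counter

TRUSTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}  # assumption: your approved resolvers
MIN_LABEL_LEN = 20   # assumption: labels shorter than this are not scored
ENTROPY_BITS = 3.5   # assumption: bits per character treated as encoded-looking

ENCODED = "a1b2c3d4e5f6g7h8" * 3  # constructed 48-character label
# Constructed log lines: "<client> <dns-server> <query-name>"
SAMPLE_LOG = [
    "10.1.4.20 10.0.0.53 www.example.com.",
    "10.1.4.21 203.0.113.9 mail.example.org.",
    f"10.1.4.22 10.0.0.53 {ENCODED}.t.example.net.",
    f"10.1.4.23 198.51.100.7 {ENCODED}.t.example.net.",
]

def shannon_entropy(text):
    """Bits per character of the string's character distribution."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def review(line):
    """Return findings for one log line (empty list = nothing flagged)."""
    _client, server, qname = line.split()
    findings = []
    if server not in TRUSTED_RESOLVERS:
        findings.append("untrusted-resolver")
    labels = qname.rstrip(".").lower().split(".")
    # Naive: treat the last two labels as the registered domain and skip them.
    longest = max(labels[:-2], key=len, default="")
    if len(longest) >= MIN_LABEL_LEN and shannon_entropy(longest) >= ENTROPY_BITS:
        findings.append("encoded-looking-label")
    return findings

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(review(entry) or "ok", entry)
```

The allowlist finding is the one to enforce at the firewall; the entropy finding is a hunting lead that needs tuning against your own traffic before it is used for alerting.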

Don’t forget the cloud and containers. Many of the same security controls you would consider when protecting on-premise systems should also come to mind when considering cloud architectures. Operate with the mindset of securing your workloads wherever they are.

Broker, inspect, and apply conditional access rules to all internet connections. In particular, protect externally facing systems with a cloud security broker (think CASB, SASE). Assume your internet facing assets (both on-premise and in the cloud) to be vulnerable at all times and disallow unverified connections. For example, CASB integration with your Falcon endpoint protection can restrict access to your resources from only trusted company devices, significantly reducing your attack surface.

The Bottom Line

Sun Tzu, the author of The Art of War, famously said, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” This axiom has never rung more true than in the field of cybersecurity. Understanding the threats and understanding your own organization are crucial to your cyber success.

Because cybersecurity evolves at lightning quick speeds, it can be tough to keep up with all of the latest happenings. Organizations must leverage partner information feeds in smart ways to achieve greater success.

At Echelon, we have found CrowdStrike’s global threat intelligence to be insightful and reaffirming of our beliefs regarding the security of modern infrastructures. Our team regularly uses their threat intelligence - coupled with our own research - to gain crucial insights into the global threat landscape and better protect our clients. In particular, considering frameworks such as those focusing on Zero Trust will help reduce or eliminate exposure to attack vectors highlighted in this report, and help prevent breaches. All organizations should consider controls including: brokering all web bound or web facing connectivity, applying access policies to identity and authentication events, and protecting workloads wherever they are.

We hope that our summary of the latest threat intel will help you evolve your cyber program now, and far into the future.

Click the link below to download the full CrowdStrike 2022 Global Threat Report to learn more. Also, feel free to reach out to our team at any time to hear about the cutting edge work that we are doing to help protect our clients from these advanced threats.

Download the full CrowdStrike report here.
