
Adaptability and Perseverance – Breaking Down the 2023 CrowdStrike Global Threat Report

From cyberwarfare conducted during the Russia/Ukraine conflict to the growth in eCrime, the scope and depth of cyber attacks have only increased. Identifying these trends helps organizations choose the defensive measures most worth pursuing in order to level up their cybersecurity.

About the 2023 CrowdStrike Global Threat Report

CrowdStrike’s annual Global Threat Report is an insightful research report that our team follows to stay aware of global perspectives on cybersecurity trends. Based on the firsthand observations of the CrowdStrike Intelligence team and the Falcon OverWatch threat hunting teams, it outlines the biggest threats organizations faced in the previous year and how the threat landscape is likely to develop in the new year.

As we move through 2023, we need these macro perspectives to help us guide a smart cybersecurity program attuned to real risks. This year’s report provides crucial insights into what security teams need to know and do in an increasingly ominous threat landscape.

This article summarizes key takeaways from the report, provides a breakdown of the five 2022 themes, and gives our take on three recommendations for staying ahead in 2023 and beyond.

Threat Landscape Overview – Key Takeaways

Understanding the current cybersecurity landscape and the evolving adversary threats is critical to preventing breaches and staying ahead of adversaries. The report showed how threat activity is increasing and identified which threat vectors are being leveraged.

The threat landscape shows a significant increase in access broker advertisements. According to CrowdStrike Intelligence, there was a 112% increase in access broker advertisements, with over 2,500 such advertisements identified. The sectors most often targeted were the academic, technology, and industrial sectors.

Adversaries have continued to move away from malware-based attacks. According to the report, CrowdStrike Intelligence observed a continued shift from malware to malware-free, living-off-the-land attacks. Of all detections indexed, 71% in 2022 were malware-free, compared to 62% the previous year.

Compared to 2021, there was an increase in interactive intrusion campaigns, in which threat actors used hands-on-keyboard activity rather than more automated tooling. According to the CrowdStrike Threat Report, interactive intrusion campaigns increased by 50%, with the frequency accelerating into the fourth quarter.

5 Themes of Advanced Persistent Threats

Threat actors are innovating and focusing on more malware-free attacks, opting to use legitimate applications and credentials for initial access and persistence. The report highlights the trends in the actions taken by adversaries and what their primary targets were.

Slippy Spider and Scattered Spider gained notoriety by targeting high-profile companies. Slippy Spider targeted tech companies with attacks resulting in data theft and extortion: instead of launching traditional ransomware attacks, these threat actors threatened to leak the stolen data if the company did not pay the ransom. Scattered Spider used targeted social engineering to bypass MFA. According to CrowdStrike Intelligence, after gaining initial access they deployed a wide variety of legitimate remote monitoring and management tools and utilities to maintain persistent access and avoid detection.

With more organizations making the move to cloud services, adversaries continue to ramp up attacks on the cloud. CrowdStrike Intelligence observed a 95% increase in cloud exploitation compared to 2021. Threat actors primarily gained initial access to cloud environments by abusing existing accounts and credentials. CrowdStrike noted that threat actors are moving away from attacking traditional antivirus and firewall layers, opting instead to attack authentication processes and identities.

Adversaries consistently focused on previously known attack vectors and CVEs. According to CrowdStrike Intelligence, adversaries pursued these vectors in two ways. The first was to modify and/or reuse an existing exploit to target other products that use the same vulnerable component. The second was to circumvent patching by identifying potentially vulnerable systems and exploiting them through other vectors. According to CrowdStrike, Log4Shell is one of the more prominent examples of the first approach: vulnerable libraries were identified in other vendor products such as VMware, Cisco, and Ubiquiti. ProxyNotShell illustrates the second: threat actors bypassed its patches by finding alternative exploitation vectors.

Russian cyber operations and activity have been supporting Russia’s war against Ukraine. According to CrowdStrike Intelligence, many Russia-based, Russia-aligned, and state-sponsored adversaries were identified targeting Ukrainian entities. They leveraged a wide variety of tools and methods; however, a large focus was placed on Distributed Denial of Service (DDoS) attacks as well as wiper malware deployments. Additionally, adversaries made extensive efforts to conduct spear-phishing and credential-phishing campaigns against Ukrainian targets.

CrowdStrike observed China-nexus adversaries targeting almost all of the 39 global industry sectors and 20 geographic regions that it tracks. However, according to CrowdStrike Intelligence, China-nexus adversaries primarily target the government, technology, and telecommunications sectors across Asia. China-nexus adversaries were observed exploiting zero-days in Citrix ADC and Citrix Gateway (CVE-2022-27518) and in Microsoft Exchange Server (CVE-2022-41040) in particular. Zero-day exploits were also used against North American organizations in the aerospace, legal, and academic sectors.

Ways to Stay Ahead in 2023

In 2022 the threat landscape changed considerably, and it will certainly continue to change as we move through 2023. Here are three steps you can take to protect your organization’s data against threats and adversary actions.

#1

Increase focus on identity protection. With the increase in malware-free attacks such as social engineering and similar methods of gaining access through legitimate credentials, it is critical to enforce secure MFA methods such as one-time PINs and physical security keys. Insecure MFA methods such as SMS, which can be hijacked through SIM-swapping attacks, should be avoided. Extending MFA to cover legacy systems should also be considered. Additionally, it is crucial to have monitoring that can quickly identify unexpected or unusual access patterns and other forms of unauthorized access. Further, organizations should focus on access methods that implement Zero Trust concepts, so that no single access or authentication control becomes a single point of failure. An example of this is enforcing device trust, such as evaluating the health of a device based on the CrowdStrike ZTNA score.

#2

As adversaries continue to increase their focus on cloud exploitation, it is more important than ever to prioritize cloud security. One of the most common TTPs used by adversaries is the exploitation of misconfigurations in the cloud environment. Organizations should consider tools and processes that can assess their security posture against the configuration best practices specific to the cloud technologies they use. With the shift towards relying on third parties to host critical services, due diligence calls for a proper assessment of these providers when selecting cloud vendors.

#3

With the evolving threat landscape, it is imperative to have visibility into your attack surface, including which vulnerabilities real adversaries would actually exploit. Engaging in adversary emulation can provide a more realistic representation of the types of attacks your organization is likely to face, and should be considered as an alternative to more general penetration testing exercises.

#4

Adversaries continue to exploit known vulnerabilities, including cases where the vulnerable software is a component of, or packaged within, enterprise software. To evade detection, common software packages are also being used for command and control as well as for exfiltration operations.

There are a few tactics organizations can consider to disrupt various attack paths:

  • Limit your attack surface to prevent initial reconnaissance activities. Technologies that restrict access (e.g., WAFs, honeypots, NGFWs) should always be considered for web-facing assets.
  • Take vendor reputation, third-party risk management, and the software supply chain into account when making decisions regarding software selection and defensive controls.
  • In particular, for organizations running Microsoft Exchange on-premises, consider moving to hosted Exchange, or be ready to implement extensive compensating controls in order to prevent the continued exploitation of this software (including a steady stream of zero-day exploits).
  • Understand and control the use of applications within your environment, particularly remote support software that could be used for Command & Control (C&C) and exfiltration operations. This can be done with layer 7 firewalls, DNS, endpoint, and other solutions. Monitor command-line and scripting usage in your environment (e.g., PowerShell).
  • Understand and monitor your outbound traffic patterns in order to identify and disrupt C&C activity.

The Bottom Line

The cybersecurity threat landscape is constantly evolving. The themes outlined here represent the most common and most publicized adversary activity of 2022, but attack paths continue to be highly diverse.

Organizations should consider how they prioritize identity protection, the securing of cloud assets, and the use of adversary emulation in risk assessments designed to keep up with constant change.

At Echelon, we are fortunate to partner with CrowdStrike as we leverage their tools and threat intelligence to prevent breaches. Our team regularly uses their threat intelligence along with our own research and testing to gain crucial insights into the global threat landscape in order to better protect our clients.

We hope that our summary and take on the latest threat intelligence will help you evolve your cyber program to keep up with the ever-changing threats.

If you want to know more, please use the link below to view and download the full CrowdStrike 2023 Global Threat Report.
Read and download the full CrowdStrike report here (clicking opens a PDF).
