Organizations are falling behind cyber attackers who are increasingly abandoning malware in favor of stolen privileged credentials and "living off the land" intrusion techniques. CrowdStrike's latest Falcon OverWatch threat hunting report found a marked shift in attack strategy toward malware-free intrusion, which accounted for 71% of all detections indexed by the CrowdStrike Threat Graph.
The report provides a glimpse into how adversaries' complex and rapid attack strategies adapt to avoid detection.
"A key finding from the report is that up to 60% of the interactive intrusions observed by OverWatch involved the use of valid credentials, which continue to be abused by adversaries to facilitate initial access and lateral movement," said Param Singh, vice president of Falcon OverWatch at CrowdStrike.
It is becoming common for cyber attackers to abuse privileged access credentials and their associated identities to move across networks. Cybercriminals account for 43% of interactive intrusions, while nation-state actors account for 18% of the activity. The heavy share of cybercriminal activity reveals the financial motive behind most intrusion efforts.
Cyberattacks continue to evade businesses' automated defenses
CrowdStrike finds that cyber attackers are focusing on techniques that avoid detection and scale fast. Attackers are outmaneuvering businesses' automated defenses with intrusion techniques those defenses cannot detect. CrowdStrike research shows a record 50% year-over-year increase in hands-on intrusion attempts, with more than 77,000 potential intrusions. Human threat hunters uncovered adversaries actively deploying malicious techniques across the entire attack chain, despite attackers' best efforts to evade automated detection methods.
The average breakout time, from the initial point of compromise to other systems, was just one hour and 24 minutes. That is down from the one hour and 38 minutes Falcon OverWatch originally reported in the CrowdStrike 2022 Global Threat Report. In one out of every three interactive intrusions, the attacker moved laterally in less than 30 minutes. CrowdStrike's report shows that the future of cyberattacks will be defined by increasingly advanced tactics, techniques, and procedures (TTPs) designed to bypass technology-based defenses and achieve the adversary's goals.
Privileged credential abuse, exploitation of public-facing infrastructure, abuse of remote services (especially RDP) and operating-system abuse dominate the MITRE heatmap that tracks intrusion activity. The MITRE analysis in the report is remarkable for its depth. Also notable, it succinctly captures how pervasive the threat of privileged credential abuse and identity theft is in today's businesses. Eight of the 12 MITRE ATT&CK categories are led by some form of credential, RDP, or OS abuse.
"We track and categorize observed adversary TTPs based on the MITRE ATT&CK Enterprise matrix. In terms of the relative popularity and frequency of specific MITRE ATT&CK techniques used by adversaries, what stands out is that the adversary is really looking to get in and stay in," Singh told VentureBeat. "That means continuously establishing and maintaining multiple access paths, and finding more credentials to strengthen their foothold is often high on an adversary's target list."
Resisting the siege on identities with zero trust
Cyber attackers target identity access management (IAM) systems to capture as many identities as possible, and the CrowdStrike report explains why: privileged access credential abuse is a proven intrusion technique for avoiding detection.
"One of the most disturbing observations from the report is that identities remain under siege. While organizations around the globe are looking to evaluate or advance their zero-trust initiatives, there is certainly still a lot of work to be done," Singh said.
Businesses need to fast-track their evaluation of zero-trust frameworks and identify the one that best supports their business goals today and their plans for the future. Enterprises should start with a zero-trust assessment, then create a roadmap and implementation plan to prevent credential abuse and RDP- and OS-login-based intrusions. There are steps organizations can take today to strengthen cybersecurity while hardening their IAM and privileged access management (PAM) systems.
Get the security basics right the first time
Zero-trust initiatives must start with projects that deliver measurable value first. Multi-factor authentication (MFA), automated patch management, and ongoing training on how to prevent phishing and social engineering breaches are key.
Singh and his team also recommend that organizations "implement a robust patch management program and ensure robust user account control and privileged access management to help mitigate the potential impact of compromised credentials."
Remove inactive accounts in IAM and PAM systems
Every business has created inactive accounts for contractors, sales, service, and support partners. Deleting all inactive IAM and PAM accounts helps prevent intrusion attempts.
Review how new accounts are created and which accounts have administrative privileges
Cyber attackers attempting intrusions also want to hijack the process of creating new accounts. Their goal is to establish a more permanent presence from which they can move laterally. Auditing accounts with administrative privileges will also help determine whether privileged access credentials have been stolen or used to carry out intrusions.
"Adversaries will leverage local accounts and create new domain accounts as a means of achieving persistence. By providing new accounts with elevated privileges, adversaries gain additional capabilities and another method of operating covertly," Singh said. "Service account activity must be audited, restricting access to only necessary resources and requiring frequent password resets to limit the attack surface for adversaries seeking to operate under the radar," he said.
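The two account-hygiene checks above (inactive accounts that should be removed, and new accounts that are quickly granted administrative privileges) can be run over an account inventory and audit-log events. This is an added example, not CrowdStrike's or VentureBeat's code; the inventory, the events, the group names, the field names and the thresholds are all constructed assumptions.

```python
"""Flag stale accounts and newly created accounts that were promptly granted admin rights.
Added example (not CrowdStrike's or VentureBeat's code); all data below is constructed,
and the field names, privileged group names and thresholds are assumptions."""
from datetime import datetime, timedelta
ADMIN_GROUPS = {"Domain Admins", "Administrators"}  # assumed privileged groups
STALE_AFTER = timedelta(days=90)     # assumed inactivity threshold
REVIEW_WINDOW = timedelta(days=7)    # admin grant this soon after creation is suspicious

# Constructed account inventory: name, last logon (ISO 8601), group memberships.
ACCOUNTS = [
    {"name": "svc-backup", "last_logon": "2022-03-01T08:00:00", "groups": {"Backup Operators"}},
    {"name": "contractor7", "last_logon": "2022-01-15T17:30:00", "groups": set()},
    {"name": "alice", "last_logon": "2022-08-01T09:05:00", "groups": {"Domain Admins"}},
]

# Constructed audit events: account creation and group-membership changes.
EVENTS = [
    {"ts": "2022-07-30T02:10:00", "action": "create", "account": "helpdesk2"},
    {"ts": "2022-07-30T02:12:00", "action": "add_to_group", "account": "helpdesk2", "group": "Domain Admins"},
    {"ts": "2022-06-01T10:00:00", "action": "create", "account": "bob"},
    {"ts": "2022-07-01T10:00:00", "action": "add_to_group", "account": "bob", "group": "Domain Admins"},
]

def stale_accounts(accounts, now, threshold=STALE_AFTER):
    """Names of accounts with no logon within `threshold` of `now` (candidates for removal)."""
    return sorted(a["name"] for a in accounts
                  if now - datetime.fromisoformat(a["last_logon"]) > threshold)

def new_admin_accounts(events, window=REVIEW_WINDOW, admin_groups=ADMIN_GROUPS):
    """(account, group) pairs where a freshly created account was added to a privileged
    group within `window` of its creation: the persistence pattern described above."""
    created = {e["account"]: datetime.fromisoformat(e["ts"])
               for e in events if e["action"] == "create"}
    hits = []
    for e in events:
        if e["action"] != "add_to_group" or e["group"] not in admin_groups:
            continue
        born = created.get(e["account"])
        if born is not None and timedelta(0) <= datetime.fromisoformat(e["ts"]) - born <= window:
            hits.append((e["account"], e["group"]))
    return hits

def audit(accounts, events, now_iso):
    """Run both checks as of `now_iso` and return the findings."""
    now = datetime.fromisoformat(now_iso)
    return {"stale": stale_accounts(accounts, now), "new_admins": new_admin_accounts(events)}

if __name__ == "__main__":
    print(audit(ACCOUNTS, EVENTS, "2022-08-02T00:00:00"))
```

In a real deployment the inventory and events would come from the directory or IAM audit log; the "bob" case shows that a grant well after creation falls outside the review window and is left for the periodic privileged-account audit instead.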
Change default security settings on cloud instances
Unfortunately, each cloud provider interprets the shared responsibility model differently, which creates vulnerabilities that cyber attackers can quickly exploit. That is one of the many reasons Gartner predicts that through 2023 at least 99% of cloud security failures will start with user error. Singh warns that organizations must understand the security controls available and not assume that service providers have applied default settings that are appropriate for them.
The arms race to identify intrusions
With each new set of tactics, techniques, and procedures (TTPs) that cyber attackers create, businesses discover that they are in an arms race that began months earlier. Technology stacks need to change faster to replace unreliable perimeter-based systems. No two organizations will share the exact same endpoint roadmap, framework, or strategy, as each must fit it to its core business.
Despite all their differences, the one factor they all share is the need for zero trust underpinning IAM, PAM, and identity management across the company, to prevent intrusions they cannot see until it is too late. Businesses are in an arms race with identity-related cyberattacks that they may not have fully seen yet, but the threat is there and growing.