Adversary Breakout Time Hits All-Time Low at 79 Minutes: Implications for Cyber Defense
Breakout time, the interval between an adversary's initial compromise of one host and its first lateral movement to another system in the network, has reached a new low, averaging just 79 minutes. That is down from last year's average of 84 minutes, and the fastest breakout observed was seven minutes. The figure matters for defenders because a response that takes longer than the breakout window arrives after the adversary has already spread, which argues for detection and containment that are fast and largely automated.
Param Singh, vice president of Falcon OverWatch, CrowdStrike's managed threat hunting unit, stressed that defense playbooks have to be matched to the speed of the adversary. Singh stated, "All blue teamers, including us, need to do things like think about automation and figure out how to stop the fastest threat actor, one moving laterally within seven minutes." In other words, the speed at which threat actors operate sets the bar that an organization's defensive strategy has to clear.
CrowdStrike's report, released at the annual Black Hat conference in Las Vegas, recorded a 40% increase in interactive intrusions over the previous year. Interactive intrusions are hands-on-keyboard operations in which a human adversary, rather than automated malware alone, works inside the target environment and executes actions against it. The report also identified the technology sector as the most frequently targeted vertical for the sixth consecutive year, followed by financial services, retail, healthcare, and telecommunications.
The report also documented the growing share of state-sponsored activity, with North Korea identified as the most aggressive state-sponsored adversary. Access brokers, criminals who obtain footholds in corporate networks and sell that access to other operators, expanded their presence on the dark web as well, with advertisements for access up 147%. Together these trends show how quickly the threat landscape is shifting and why defenses cannot be purely reactive.
The report also singled out two adversary sets: the Iranian Kittens and the Chinese Pandas. KITTEN and PANDA are CrowdStrike's naming conventions for Iran-nexus and China-nexus adversaries respectively, not single groups. The report contrasts them: the Kitten adversaries it discusses concentrate on exploiting a specific type of asset, while the Panda adversaries conduct a wide range of operations against many targets. Because their practices and motivations differ, the defensive priorities appropriate for an organization depend on which adversary set is most likely to come after it.
Criminal actors continue to concentrate on the technology sector because of the volume of sensitive data it handles, which makes it an attractive target for both ransomware and data theft. Enabling services, access brokers, and information-stealing campaigns were the eCrime threats most often observed against the sector.
CrowdStrike's report further disclosed a sharp rise in Kerberoasting observed by Falcon OverWatch. The technique abuses a property of Active Directory's Kerberos implementation: any authenticated domain user can request a service ticket for any account that has a service principal name (SPN) registered, and that ticket is encrypted under a key derived from the service account's password. When the ticket is issued with the legacy RC4 encryption type, that key is simply the NT hash of the account's password, so the ticket can be carried off and cracked offline without ever touching the service itself. Service accounts with SPNs are frequently over-privileged and have long-lived passwords, so a single cracked ticket often hands the attacker higher privileges and a ready path for lateral movement. Singh described why the technique has taken off, stating, "Once you attack an initial victim, the stolen credentials you used to get onto that machine may not be enough to move laterally and work on your mission. Kerberoasting allows privilege escalation; because it's an effective way to move laterally, we are seeing this huge spike." The practical countermeasures are to give SPN accounts long random passwords or convert them to group Managed Service Accounts, to require AES rather than RC4 for those accounts, and to watch for bursts of RC4 service ticket requests in domain controller logs.
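The detection side of the last point can be demonstrated directly. The following is an added example, not code from CrowdStrike or from the report: it runs a Kerberoasting hunt over constructed Windows Security event 4769 ("A Kerberos service ticket was requested") records. It assumes the events have already been parsed into dicts carrying the real 4769 field names (TargetUserName, ServiceName, TicketEncryptionType, IpAddress, TimeCreated); the sample records, the five-minute window and the threshold of five distinct service accounts are illustrative assumptions, not values from the page.

```python
"""Kerberoasting hunt over Windows Security event 4769 (constructed sample).

Added example, not from the CrowdStrike report. Events are assumed to be
pre-parsed dicts using the field names Windows writes into event 4769.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # etype 23: the type attackers request because it cracks fastest

# Constructed sample telemetry, not real logs. One workstation (10.0.5.23)
# requests RC4 tickets for five distinct service accounts within seconds,
# which is the classic Kerberoast pattern; the rest is background noise.
SAMPLE_4769 = [
    {"TimeCreated": "2023-08-09T13:00:00", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "FS01$", "TicketEncryptionType": "0x12", "IpAddress": "10.0.5.10"},
    {"TimeCreated": "2023-08-09T13:01:02", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    {"TimeCreated": "2023-08-09T13:01:03", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    {"TimeCreated": "2023-08-09T13:01:04", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "DC01$", "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    {"TimeCreated": "2023-08-09T13:01:05", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    {"TimeCreated": "2023-08-09T13:01:07", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_sccm", "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    {"TimeCreated": "2023-08-09T13:01:09", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_exchange", "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    {"TimeCreated": "2023-08-09T13:02:00", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    # a lone RC4 request from another host: worth a look, but below threshold
    {"TimeCreated": "2023-08-09T15:30:00", "TargetUserName": "carol@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.7.4"},
]


def is_roastable_request(ev):
    """True for an RC4 ticket request against a user (non-machine) SPN account.

    Machine accounts (trailing '$') and krbtgt are excluded: hosts legitimately
    request many tickets for them, and their passwords are random and rotated,
    so they are not what a Kerberoaster is after.
    """
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"].lower() == RC4_HMAC
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def detect_kerberoasting(events, window=timedelta(minutes=5), threshold=5):
    """Return one alert per (source IP, requesting user) that asked for RC4
    tickets covering at least `threshold` distinct service accounts inside
    any `window`-long span."""
    by_source = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            key = (ev["IpAddress"], ev["TargetUserName"])
            by_source[key].append((datetime.fromisoformat(ev["TimeCreated"]),
                                   ev["ServiceName"]))

    alerts = []
    for (ip, user), reqs in by_source.items():
        reqs.sort()  # chronological; sliding window below relies on this
        start = 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            services = {svc for _, svc in reqs[start:end + 1]}
            if len(services) >= threshold:
                alerts.append({"source_ip": ip, "requesting_user": user,
                               "first_seen": reqs[start][0].isoformat(),
                               "services": sorted(services)})
                break  # one alert per source is enough; the SOC takes it from here
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_4769):
        print(f"[Kerberoast] {alert['requesting_user']} from {alert['source_ip']} "
              f"requested RC4 tickets for {len(alert['services'])} service accounts "
              f"starting {alert['first_seen']}: {', '.join(alert['services'])}")
```

Two design choices are worth noting. Filtering on the RC4 encryption type rather than on request volume alone is what keeps the false-positive rate manageable, because modern Windows clients negotiate AES unless the tool on the other end asks for RC4; in a domain that has already enforced AES on SPN accounts, even a single RC4 request for one of them is worth an alert, and the threshold can be dropped to one. The accounts listed in an alert are also the ones to rotate first, since their tickets should be assumed to be in the attacker's hands already.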
To defend against these threats, organizations must prioritize automation and fast response: with an average breakout of 79 minutes and a floor of seven, detection and containment that depend on a human noticing an alert and acting on it by hand will routinely lose the race. Vulnerability management, user training, and rehearsed incident response plans remain necessary foundations, but they have to be paired with detection and containment that fire within the breakout window.
As adversaries keep shortening the time from initial access to lateral movement, defenders have to close the gap from the other side. Timely detection, automated response, and collaboration between security teams and the organizations they protect are what stand between an initial foothold and a compromised network.