A new report by cybersecurity firm CrowdStrike finds cyber attackers are staying longer in the systems they infiltrate -- aided in part by “malware-free techniques” -- in a sign that adversaries are advancing their own methods and techniques on pace with improved defenses by government and industry.
“The average adversary dwell time increased from 85 to 95 days in 2019, due in part to advanced adversaries employing stronger countermeasures, allowing them to remain hidden longer, in some cases, for years, prior to discovery,” according to a release, which added, “Adversaries continue to rely on malware-free techniques during intrusions. In 29% of 2019 cases, the adversary used only malware-free techniques. Adversaries that rely solely on malware-free techniques do so to limit their footprint and make it more difficult for organizations to detect and respond.”
The “CrowdStrike Services Cyber Front Lines Report” was released today. CrowdStrike noted that it became a publicly traded company in 2019 and “decided to provide a new perspective in our Services Report.”
This year's version of the annual report, said CrowdStrike's Shawn Henry, focuses “on the trends and themes observed in the global incidents we responded to and remediated throughout 2019, rather than the anonymized case-specific victim examples of years past. I’m confident this approach will provide you with greater insight into the front-line view of the digital battle we’re fighting, as well as offer pragmatic steps to ensure your organization doesn’t become the next statistic in our 2020 report.”
The report found:
Business disruption was the main attack objective. This was true for 36% of the incidents CrowdStrike Services investigated. Most often this was caused by ransomware, destructive malware or denial of service attacks.
The most common MITRE ATT&CK™ techniques focused on account compromise, often via “living off the land” (LOTL). Credential dumping was the second most frequent technique observed, with account discovery in third place. PowerShell, scripting and command line interface rounded out the top five.
Continued improvement in attack self-identification. The report shows that 79% of organizations the IR team engaged with were able to detect and respond to a breach without external notification -- up from 75% last year.
Dwell times increased slightly. The average dwell time increased from 85 to 95 days due in part to advanced adversaries employing stronger countermeasures, allowing them to remain hidden longer -- in some cases, for years -- prior to discovery.
Malware and malware-free intrusions were observed in almost equal numbers. In 51% of the intrusions investigated by CrowdStrike Services, malware-free techniques were used while 49% were malware-based. In 22% of the cases investigated, malware-based and malware-free techniques were used in concert.
CrowdStrike noted that “there have been improvements in the ability of organizations to self-detect attacks, however, the protracted time-to-detect is still troubling.”
In response, “CrowdStrike advocates that organizations follow the '1-10-60 rule' as a best practice: one minute to detect an intrusion, 10 minutes to investigate and one hour to remediate. The recently released 2019 CrowdStrike Global Security Attitude Survey found that the vast majority of organizations see adherence to the 1-10-60 rule as a 'game changer' in ensuring protection. Yet, most survey respondents acknowledged they are falling short in achieving this metric.”
Among other findings in the report: “Macs are now clearly in the cross-hairs of the cyber fight”; “Patching remains a problem”; and “How prevention is configured impacts its effectiveness.” -- Charlie Mitchell (email@example.com)