CyberSecurity SEE

Attacker Breakout Time Decreases Further, Highlighting the Importance of Automation

Attackers have managed to reduce the time it takes for them to launch attacks on other devices within a network after gaining initial access, according to recent research. The average intrusion took 79 minutes to transition from the initial compromise to attacking other systems, down from 84 minutes in 2022. These findings were published in CrowdStrike’s 2023 Threat Hunting Report, which also revealed that the fastest attackers were able to launch attacks within just seven minutes of gaining access.

The main objective of attackers is to establish a presence in the network by moving to other systems. This allows them to maintain access even if their initial entry point is isolated and quarantined. They also aim to reach other systems using legitimate user credentials. Compromising the domain controller is considered a major achievement for attackers, as it grants them access to everything within the network. If they are unable to achieve this level of control, they will target users with higher privileges and attempt to escalate their own.

The time it takes for attackers to compromise corporate networks is measured by two factors: breakout time and dwell time. Breakout time refers to the duration between initial compromise and the start of lateral movement to other systems, while dwell time is the time it takes to detect the attacker after the initial compromise. Mandiant’s annual M-Trends report revealed that dwell time reached a low of 16 days in 2022, indicating that attackers often have more than two weeks to exploit a compromised network before being discovered.

Interactive intrusions have become the norm for attackers, with a 40% increase in such incidents during the second quarter of 2023 compared to the same period the previous year, as reported by CrowdStrike. These intrusions often involve the abuse of legitimate identities and account information. The collection of identity information has also seen a significant increase, particularly in efforts to obtain secret keys and other credential material. Additionally, the technique known as Kerberoasting, which involves harvesting Kerberos ticket material from Windows systems for later offline cracking, has seen a nearly 600% growth.
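As an added illustration of how a defender might surface the Kerberoasting pattern the report counts (example code written for this summary, not CrowdStrike's or the report's), the script below runs a heuristic over constructed, simplified Windows Event ID 4769 records and flags accounts that request RC4 (encryption type 0x17) service tickets for several distinct service accounts within a short window. The key=value log format, field names and thresholds are assumptions.

```python
"""Heuristic Kerberoasting detection over constructed Event ID 4769 records.
A Kerberoasting run requests service tickets for many service accounts, often
forcing RC4 (etype 0x17) so the ticket can be cracked offline; legitimate
users rarely touch many distinct services with RC4 in a few minutes."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed key=value rendering, not real telemetry):
# one account sweeping service tickets, one account behaving normally.
SAMPLE_EVENTS = [
    "time=2023-08-10T09:00:01 event=4769 user=jdoe@CORP.LOCAL service=MSSQLSvc/db01 etype=0x17 ip=10.1.2.3",
    "time=2023-08-10T09:00:02 event=4769 user=jdoe@CORP.LOCAL service=HTTP/web01 etype=0x17 ip=10.1.2.3",
    "time=2023-08-10T09:00:03 event=4769 user=jdoe@CORP.LOCAL service=svc_backup etype=0x17 ip=10.1.2.3",
    "time=2023-08-10T09:00:04 event=4769 user=jdoe@CORP.LOCAL service=svc_report etype=0x17 ip=10.1.2.3",
    "time=2023-08-10T09:00:05 event=4769 user=jdoe@CORP.LOCAL service=WS01$ etype=0x12 ip=10.1.2.3",
    "time=2023-08-10T09:05:00 event=4769 user=asmith@CORP.LOCAL service=HTTP/web01 etype=0x12 ip=10.1.2.9",
    "time=2023-08-10T09:05:01 event=4769 user=asmith@CORP.LOCAL service=cifs/fs01 etype=0x12 ip=10.1.2.9",
]
RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC in 4769 events

def parse_event(line):
    """Parse one key=value line into a dict; the timestamp becomes a datetime."""
    fields = dict(token.split("=", 1) for token in line.split())
    fields["time"] = datetime.fromisoformat(fields["time"])
    return fields

def detect_kerberoasting(lines, min_services=3, window=timedelta(minutes=10)):
    """Return {user: sorted services} for accounts that requested RC4 tickets
    for at least min_services distinct non-machine services inside window."""
    by_user = defaultdict(list)
    for ev in map(parse_event, lines):
        if ev["event"] != "4769" or ev["etype"] != RC4_HMAC:
            continue
        if ev["service"].endswith("$"):  # machine accounts: ordinary RC4 noise
            continue
        by_user[ev["user"]].append((ev["time"], ev["service"]))
    hits = {}
    for user, reqs in by_user.items():
        reqs.sort()  # chronological, so a forward scan bounds the window
        for i, (start, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(in_window) >= min_services:
                hits[user] = sorted(in_window)
                break
    return hits
```

In production the same logic would read the real 4769 fields (TargetUserName, ServiceName, TicketEncryptionType) from the security log or SIEM rather than this constructed format.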

Attackers are constantly finding new ways to exploit vulnerabilities, including scanning repositories where companies accidentally expose identity material. In one instance mentioned in the report, attackers quickly responded to a company’s accidental publication of its root account’s access key credentials on GitHub. This incident highlights the speed at which attackers can initiate abuse and suggests that multiple threat actors are actively monitoring platforms like GitHub for leaked cloud credentials.

To avoid detection, attackers often utilize a technique known as “living off the land.” This involves using a system’s own utilities or downloading legitimate tools to blend in with normal activity and avoid raising suspicion. CrowdStrike has found that adversaries have significantly increased their use of legitimate remote management and monitoring (RMM) tools, such as AnyDesk, ConnectWise, and TeamViewer.

As businesses increasingly rely on cloud infrastructure, attackers have followed suit. Cloud exploitation has nearly doubled, with a 95% increase in attacks targeting cloud environments in 2022, as observed by CrowdStrike. Linux, being the most common workload in the cloud, has become a prime target for attackers. The privilege escalation tool LinPEAS has been used in three times more intrusions than any other abused tool.

Param Singh, the Vice President of CrowdStrike’s OverWatch security service, expects this trend to continue. He stated that threat actors are becoming more knowledgeable about cloud environments and the common misconfigurations found within them. Furthermore, attackers are now utilizing compromised on-premises machines to gain access to cloud environments and inflict significant damage.

In other news, CrowdStrike has announced its plans to merge its threat intelligence and threat hunting teams into a new entity called the Counter Adversary Operations group. This move aims to enhance the company’s capabilities in combating adversaries and strengthening its overall security posture.

As attackers continue to evolve and exploit vulnerabilities, organizations must remain vigilant and proactive in their defense strategies. Detecting and responding to attacks in a timely manner is crucial in minimizing the potential damage caused by intrusions. Additionally, businesses should prioritize the implementation of strong security measures and regularly update their systems to protect against emerging threats.
