adimas - Fotolia
CrowdStrike: Intrusion self-detection, dwell time both increasing
The 2019 CrowdStrike Services Cyber Front Lines Report found that while the percentage of organizations that self-detected an intrusion is up, dwell time has gone up as well.
Enterprises are getting better at detecting threats, according to CrowdStrike, but threat actors are also improving their stealth capabilities.
The 2019 CrowdStrike Services Cyber Front Lines Report, published Tuesday, found that while the percentage of organizations that self-detected an intrusion is up, the average dwell time of an intruder has gone up as well. According to the report, the percentage of organizations that self-detected an intrusion was 68% in 2017, 75% in 2018 and 79% in 2019. While this number is going up, it's notable that dwell time, which includes the time between when a compromise first occurs to when it's detected, increased an average of 10 days, from 85 days in 2018 to 95 days in 2019.
The report is the result of information gathered by CrowdStrike Services in its incident response and other services work over the course of 2019. "This may include data and insights derived from numerous sources, including the more than 2.5 trillion security events the CrowdStrike Falcon platform collects each week," the report said.
CrowdStrike vice president of services Thomas Etheridge explained that self-detection has gone up because, among other reasons, companies are becoming more aware of cybersecurity and risk and are investing in newer technologies, personnel and internal processes to get better at earlier detection. As for dwell time, he said that "attackers are able to use stealthier techniques and tactics to mask or hide within an organization for periods of time without being detected."
The report also noted that CrowdStrike's services team observed "a significant number" of breaches where adversaries had gained access to an organization's environment more than a year before the intrusion was detected, and in some cases the dwell time was as long as three years. "It also reveals that state-sponsored threat actors are applying countermeasures that allow them to remain undetected for a protracted length of time -- particularly in environments protected by legacy security technologies," the report said.
Malware-free attacks and business disruption
Of the intrusions observed by the endpoint security company in 2019, malware-free techniques were used in 51% of the intrusions investigated, while malware-based techniques were used in 49%. Malware and malware-free techniques were used together in 22% of cases investigated.
Another core finding observed in the report comes in the fact that 36% of the incidents investigated in 2019 revealed that incidents were most often caused by ransomware, destructive malware or denial of service attacks. This reveals that business disruption was the main attack objective of cybercriminals last year, while data theft and monetary loss represented just 25% and 10% of attacks, respectively.
Lastly, Etheridge noted a trend that he described as "quite scary." CrowdStrike's service team noticed an increase in threat actors using common remote access software platforms, such as those used by third-party managed services or IT support firms, as an initial entry point into organizations. The team also saw a rise in attacks against third-party providers that support specific vertical industries.
"Some of these threat actors recognize that they can impact a lot more customers by targeting the service providers that support those customers, ," he said. "Manufacturing is a great example; an attacker, instead of targeting individual company by individual company, can target the third-party service providers that support those companies and compromise those organizations. Then by the relationship and connectivity, they end up getting access to a plethora of customers that they can go deploy their tactics and techniques to try to monetize their operation."
CrowdStrike threat report: Breakout time decreased 67% in 2021