CrowdStrike: Attackers are moving faster, harder to detect

Attackers are moving through networks quickly in their attacks and using malware tools that are harder to detect, according to CrowdStrike.

The cybersecurity vendor's '2022 Global Threat Report,' published Tuesday, found that hackers can move from their initial access point to lateral machines in under two hours.

The CrowdStrike team said its 2021 records show that, on average, hackers needed roughly 98 minutes to make the breakthrough from their originally compromised machines to other systems on the same network.

While this is up slightly from the average time in 2020, 92 minutes, it remains a small-enough window that hackers can infiltrate a network before being detected by security tools and administrators. The 98 minutes also represents a notable decrease from the average breakout time of four hours and 37 minutes in 2018.

"ECrime adversaries continue to show a high degree of sophistication as evidenced by the speed at which they can move through a victim environment, leaving a very short window for defenders to respond," the CrowdStrike report said.

Making things worse is the increased use of "living off the land" hacking tactics. In such cases, attackers forego the use of locally installed malware payloads on endpoints for a combination of legitimate system management tools.

According to CrowdStrike's researchers, these "malware-free" intrusions were up at a rate of 45% from last year and accounted for the majority of attacks, comprising 62% of the observed cases. As a result, the attackers are able to move through networks and access sensitive data without being detected.

Nation-state attacks were also on the rise in recent months, CrowdStrike said. Iran in particular has stepped up its operations as of late; the Middle Eastern nation has been particularly fond of what researchers term "lock and leak" ransomware attacks.

In these operations, CrowdStrike explained, the threat actors pretend to be operating as normal ransomware crews, but without any intent to give a decryption key.

"Lock-and-leak operations are characterized by criminal or hacktivist fronts using ransomware to encrypt target networks and subsequently leak victim information via actor-controlled personas or entities," CrowdStrike said. "Since they inauthentically operate as a criminal or hacktivist entity, these types of operations conduct activity beneath a veneer of deniability."

Iran is not the only nation stepping up its cyberwarfare activity. CrowdStrike also reported that China's hacking crews are getting better at exploiting vulnerabilities. The state-sponsored hackers are using their increased sophistication to steal intellectual property from companies and agencies outside of China's borders.

"Chinese actors have long developed and deployed exploits to facilitate targeted intrusion operations; however, 2021 highlighted a shift in their preferred exploitation methods," CrowdStrike said. "For years, Chinese actors relied on exploits that required user interaction, whether by opening malicious documents or other files attached to emails or visiting websites hosting malicious code. In contrast, exploits deployed by these actors in 2021 focused heavily on vulnerabilities in internet-facing devices or services."

To counter the threats, CrowdStrike recommended that administrators focus on covering their entire network with security protections and pay attention to the human element of attacks. The security company said defenders should be aware of who is targeting their systems and what tactics they may use.

"User awareness programs should be initiated to combat the continued threat of phishing and related social engineering techniques," the company said. "For security teams, practice makes perfect. Encourage an environment that routinely performs table top exercises and red/blue teaming to identify gaps and eliminate weaknesses in your cybersecurity practices and response."