Alex -

CrowdStrike threat report: Intrusions up, breakout time down

According to a new report by CrowdStrike's threat hunting team, Falcon OverWatch, attempted intrusions against the healthcare sector doubled year over year.

Listen to this article

The CrowdStrike Falcon OverWatch threat hunting team tracked a nearly 50% increase in intrusion activity in the past year, according to a new report published Tuesday.

The report, titled "2022 Falcon OverWatch Threat Hunting Report," is CrowdStrike's annual collection of insights gathered from the vendor's threat engagements from July 1 last year through June 30 this year.

CrowdStrike led the report with cyber intrusions. Falcon OverWatch saw a nearly 50% increase in interactive intrusion campaigns, which the vendor defines as any hands-on threat activity tracked within a victim's environment.

Param Singh, vice president of Falcon OverWatch at CrowdStrike, said multiple factors contributed to the surge in intrusion activity, such as the continued evolution of financial cybercrime.

"The growth of commoditized ransomware offerings [as well as the] advent of access brokers has contributed to lowering the barrier to entry and making it easier than ever for an increasing number of criminally motivated adversaries to pursue their objectives and secure a lucrative payoff," Singh told TechTarget Editorial. "On the targeted intrusion side, state-sponsored adversaries have also continued to accelerate their operations against specific targets of interest, and recent geopolitical and macro events have certainly contributed to this increased activity."

According to the report, 43% of intrusion efforts were attributed to financially motivated cybercrime; 18% were attributed to targeted nation-state activity, up from 14% the previous year; 1% were attributed to hacktivism; and the remaining 38% were unattributed. Asked about the boost in nation-state activity, Singh pointed in part to a correlation between larger real-world events and nation-state activity.

"It's been an eventful year dominated by geopolitical tensions and numerous global macro events. As a result, state-based adversaries have continued and certainly accelerated their targeted operations to further their interests and pursue various objectives, most commonly including espionage, information collection and intellectual property theft," he said. "We can expect to continue to see targeted activity accelerate as we move into 2023."

In addition to seeing increased intrusion campaigns, Falcon OverWatch saw a slightly decreased breakout time -- the amount of time it takes for a threat actor to achieve lateral movement within a target's environment -- from 92 minutes down to 84. The report added that in 30% of cases, lateral movement could be obtained in less than 30 minutes.

Another highlight of the report noted a shift away from malware in cybercrime. Falcon OverWatch said 71% of tracked threat activity involved no malware to speak of, and gave two reasons. One was threat actors' "prolific" reliance on abusing valid credentials to gain access and persistence in victim environments. The second involved the evolving vulnerability landscape.

"Another contributing factor is the rate at which new vulnerabilities are being disclosed and the speed with which adversaries are able to operationalize exploits," the report read. "Many organizations are finding themselves behind the 8-ball, unable to keep up with the pace at which these new threats are emerging."

CrowdStrike said the healthcare sector has been hit particularly hard in the last year, with attempted intrusions against healthcare organizations doubling year over year. The vendor called healthcare a "high-value target" for ransomware affiliates.

"While some RaaS [ransomware as a service] programs have precluded their affiliates from targeting the healthcare sector, there remain several programs that have not," the report read. "The healthcare sector should remain on high alert for ransomware activity and implement proactive security measures to stay ahead of affiliates."

One RaaS group that CrowdStrike highlighted in the report was LockBit. The vendor called the gang "one of the most prolific ransomware families over the last year," which echoed other reports about LockBit's activity. The Falcon OverWatch report noted that LockBit's popularity and reputation allowed the group to build a "vast array of affiliates" capable of a wide range of intrusion types against a number of industries, including healthcare, manufacturing, and transportation and logistics.

Alexander Culafi is a writer, journalist and podcaster based in Boston.

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing