CrowdStrike observes massive spike in identity-based attacks

LAS VEGAS -- CrowdStrike observed an alarming rise in identity-based intrusions, including a sixfold increase in Kerberoasting attacks, according to the vendor's 2023 Threat Hunting Report published Tuesday.

The threat report, which is in its sixth year, is CrowdStrike's annual look at attack and threat actor trends based on engagements the cybersecurity vendor observed over the previous year. Published at the start of Black Hat USA 2023, the 40-plus page report covers a number of attack styles and adversary tactics seen between July 2022 and June 2023, but the clear theme of this year's report was identity-based threat activity.

For example, 62% of interactive intrusions involved the abuse of active accounts, and the report noted a "160% increase in attempts to gather secret keys and other credential materials via cloud instance metadata APIs." In its 2023 Global Threat Report earlier this year, CrowdStrike noted that 80% of all breaches involved compromised identities.

Adam Meyers, head of Counter Adversary Operations at CrowdStrike, told TechTarget Editorial that the focus on identity from threat actors this year came down in part to improvements in endpoint detection and response capabilities. Defenders have made it more difficult for a threat actor to get into a target environment, and as such, "using identity allows [the threat actor] to look more like a legitimate user, avoid detection and have a better chance at accomplishing their goal," he said.

"When a threat actor's ability to use the tactics they have been using becomes more difficult, rather than work harder for the same outcome, they reassess and find another way to accomplish the same goal," Meyers said. "And in this case, using legitimate user credentials that they can either social engineer or get out of a dark forum type of situation gets them the access that they want, and then they can live off the land."

CrowdStrike also noted a 583% increase in Kerberoasting, an attack technique in which threat actors exploit a flaw in the open source authentication protocol Kerberos in order to crack or "roast" user passwords. Although this is an extension to the aforementioned spike in identity-based attacks, CrowdStrike noted in its report that 27% of intrusions involving Kerberoasting came down to a single threat actor, Vice Spider, a ransomware actor active since at least April 2021.

The 2023 Threat Hunting Report also noted that adversary breakout time reached an all-time low, at 79 minutes. Breakout time is the average amount of time a threat actor needs to move laterally from the initial point of compromise to other systems and hosts within the victim environment. Breakout time in the 2022 Threat Hunting Report was 84 minutes.