Increasing speed of cyber criminals

The pace of cyber criminals is accelerating, with recent security research revealing quicker turnaround times for system breaches, heightened attacks in the financial and technology sectors, and an increased focus on targeting the Asia-Pacific region.

A year-over-year analysis indicates a rise in global and domestic cybercrime, both in terms of volume and financial gains for online criminals. The latest research from cybersecurity firm CrowdStrike suggests that attackers are not only more prolific but are also fine-tuning their methods.

Drawing insights from its threat hunting team, the CrowdStrike 2023 Threat Hunting Report reveals that cyber criminals are becoming more adept at breaching victims’ systems, achieving a record-low “breakout time” for attacks during the 2023 financial year.

The average breakout time, which measures the duration it takes for a threat actor to transition from an initial compromise to other hosts within a victim’s environment, decreased from 84 minutes in 2022 to a new record of just 79 minutes in 2023. Remarkably, the swiftest breakout time observed throughout the year was a mere seven minutes, equivalent to the time needed to brew a cup of coffee.

Adam Meyers, the head of Counter Adversary Operations at CrowdStrike, emphasized the urgency for security leaders to assess whether their teams possess the necessary solutions to thwart an adversary’s lateral movement in just seven minutes. He noted, “When we talk about stopping breaches, we cannot ignore the undeniable fact that adversaries are getting faster and they are employing tactics intentionally designed to evade traditional detection methods”.

The report focuses on interactive intrusion activity, a form of cybercrime in which threat actors employ “hands-on-keyboard techniques” to actively interact and execute actions within a victim’s environment.

Navigating freely through a target environment at breakneck speeds is a significant challenge, but CrowdStrike highlighted that many threat actors are exploiting compromised identity data, including credentials, account information, and system permissions. This abuse of identity, particularly when combined with innovative defense evasion strategies, allows adversaries to hide in plain sight.

The report revealed that 80% of breaches involve compromised identities. Notably, only 14% of intrusions that misused valid accounts utilized brute-force methods, and over half of the remaining 86% originated from external systems outside the victim organization. This suggests that compromised accounts were likely obtained through human-centric methods such as phishing, credential harvesting, or password reuse.

The report cited a case in which a victim organization inadvertently published root credentials on the software development platform GitHub. Almost instantaneously, multiple threat actors attempted to exploit these compromised credentials, indicating that high-speed attacks are also facilitated by automated tools monitoring services like GitHub for leaked credentials.
