Increased attack speed and cloud compromise were also high on adversaries' agenda.

Threat actors, frequently frustrated by improved enterprise security systems, increased their efforts to compromise credentials in 2023, according to CrowdStrike’s 10th annual global threat report released Wednesday.

“Threat actors are running into EDR products out there that are making it difficult for them. It’s difficult for them to bring their tools in and use them the way they used to,” CrowdStrike’s Head of Counter Adversary Operations Adam Meyers said at a pre-release press session.

“We’ve seen threat actors focused on identity,” Meyers added. “They’ve been logging in as a legitimate user then laying low, staying under the radar by living off the land, using legitimate tools.”

As a result, CrowdStrike saw a 312% increase in the use of remote monitoring and management tools by adversaries in 2023.

“Those are tools that would likely be used by administrators or people within the environment so they’re less likely to catch attention, especially if they were deployed by a ‘legitimate’ user,” he explained. “This is the way these threat actors are trying to camouflage themselves with legitimate behavior, or things that look legitimate, and are harder to peel away.”

The emphasis on identity compromise and stealth appears to have devalued the role of malware in the threat actor’s repertoire. According to the report, malware-free attacks have increased from 40% in 2019 to 75% in 2023.

Threat actors becoming more cloud conscious

Another threat trend identified in the 61-page report is an increase in “cloud consciousness” among adversaries, with a 75% year-over-year increase in cloud intrusions.

“This is not surprising,” Meyers noted. “We’ve seen more and more organizations deploying more and more cloud resources without having a cohesive or equivalent security posture for their cloud deployments as they do in their traditional enterprise deployments. Threat actors are taking advantage of that. They’re living in that uncertainty between the enterprise and the cloud, using the cloud to deploy tooling inside the enterprise.”

Financially motivated, or eCrime, adversaries are especially active in targeting cloud environments, the report noted, with 84% of cloud-conscious intrusions likely conducted by eCrime actors, compared to 16% conducted by targeted intrusion actors.

CrowdStrike also reported that “break out” times — the time it takes after gaining access to a system to break out and move laterally from the compromised host to other hosts in an environment — continued to decline, to 62 minutes in 2023 from 84 minutes in 2022. The fastest time discovered by CrowdStrike during the period was two minutes, seven seconds.

“Two minutes is not a lot of time to react to anything,” Meyers said.

Data weaponized against the victim

Meyers warned about one Chinese adversarial group’s shift in purpose to prepositioning: the embedding of malware into a network with the intention of carrying out future cyberattacks.

“China typically engages in espionage and intelligence collection for economic, political, diplomatic, and military purposes,” Meyers explained. “This prepositioning by Vanguard Panda is laying the groundwork to maintain access to things that would be useful in time of a kinetic conflict. It’s certainly something that’s alarming.”

The report also noted a spike in the number of names of victims posted on dedicated leak sites, jumping to 4,615 victim posts in 2023, a 76% increase over 2022.

“That took off at the back end of the year,” Meyers explained. “It shows data is increasingly being weaponized against the victim.”

How to deal with the 2024 threat landscape

The report made several recommendations for dealing with the threat landscape in 2024:

Invest in identity protection. “Make sure you have the right tools,” Meyers advised. “A lot of folks understand how enterprise protection works, but they don’t have similar controls and capabilities around identity.”

Review cloud security. Companies need to focus on getting cross-domain visibility across the enterprise, cloud, IT/OT/ICS environment, and identity, he said.

Optimize speed of action. “Make sure you’re able to operate at speed,” he noted, “because two minutes isn’t a lot of time.”

Practice, practice, practice. “You play like you practice, and if you don’t practice, you’re going to fall on your face,” he said. “That’s not a good place to be when you’re dealing with a cyber incident.”