The threat landscape has shifted, says cybersecurity firm CrowdStrike, and it has brought a new swarm of adversaries and attack strategies with it. A recently released report from the company discusses the trends its services team encountered in 2019 – and things are only going to become more challenging.
According to the company, some organizations are still trailing behind on the technology needed to protect against breaches. Outdated technology has led to an increase in dwell time – the metric for how long it takes a business to identify a threat once an intrusion has begun. Dwell time surged from 85 days in 2018 to 95 days in 2019, and part of that increase can be attributed to inadequate defenses.
There were outliers, however. Some companies reported significant incursions into their systems that had operated for more than a year – and sometimes up to three years – before being detected. “With new attack vectors on the rise, we must remain agile, proactive, and committed to defeating them. They still seek the path of least resistance – as we harden one area, they focus on accessing and exploiting another,” said Shawn Henry, chief security officer and president of CrowdStrike Services.
Business disruption was the primary objective of the attacks, CrowdStrike says, accounting for 36 percent of the incidents the team investigated. In most cases this took the form of ransomware, destructive malware, or denial-of-service attacks. “Strong cybersecurity posture ultimately lies within technology that ensures early detection, swift response, and fast mitigation to keep adversaries off networks for good,” Henry added.
The most common MITRE ATT&CK techniques in 2019 focused on account compromise, usually by way of “living off the land” (LotL) methods. More specifically, credential dumping, account discovery, PowerShell, scripting, and command-line interface were the top five techniques observed.
For the uninitiated, ATT&CK is an international knowledge base of adversary tactics and techniques, built from real-world observations and maintained for the cybersecurity community. LotL tactics involve abusing trusted software – off-the-shelf products or tools that ship pre-installed on a system – to do the malicious work, so that the activity blends in with legitimate administration.
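Because every one of those top techniques relies on tools an administrator also uses, a single PowerShell or `net user` event is weak evidence on its own; the detection signal is several distinct technique categories chained on one host in a short window. The following is an added example (not from the report or this article) that correlates constructed process-creation telemetry into four of the five categories named above; the regex heuristics are hypothetical, the sample events are constructed, and the technique IDs are the 2019-era, pre-sub-technique ATT&CK IDs.

```python
"""Added example: correlate living-off-the-land process events per host.

Credential dumping is omitted because it needs process-access telemetry
rather than process-creation events; the other four report categories are
covered by deliberately conservative (hypothetical) defender heuristics.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

RULES = [  # 2019-era ATT&CK IDs (before sub-techniques existed)
    ("T1086 PowerShell", re.compile(r"powershell(\.exe)?\b.*\s-(e|enc|encodedcommand)\b", re.I)),
    ("T1064 Scripting", re.compile(r"\b(wscript|cscript|mshta)\.exe\b", re.I)),
    ("T1059 Command-Line Interface", re.compile(r"\bcmd\.exe\b.*\s/c\s", re.I)),
    ("T1087 Account Discovery",
     re.compile(r"\bnet1?(\.exe)?\s+(user|group)\b.*/domain\b|\bwhoami\s+/groups", re.I)),
]

def classify(cmdline):
    """Return the technique labels whose pattern matches one command line."""
    return [name for name, pat in RULES if pat.search(cmdline)]

def correlate(events, window=timedelta(minutes=30), min_techniques=2):
    """Flag hosts showing >= min_techniques distinct categories inside any
    sliding window. Returns {host: sorted list of technique labels}."""
    by_host = defaultdict(list)
    for ev in events:
        for tech in classify(ev["cmdline"]):
            by_host[ev["host"]].append((ev["time"], tech))
    flagged = {}
    for host, hits in by_host.items():
        hits.sort()  # chronological; each hit is (time, technique)
        for i, (t0, _) in enumerate(hits):
            seen = {tech for t, tech in hits[i:] if t - t0 <= window}
            if len(seen) >= min_techniques:
                flagged[host] = sorted(seen)
                break
    return flagged

# Constructed sample telemetry: routine admin noise spread over a day on
# ws-admin1, and a discovery -> encoded PowerShell -> script chain on ws-sales2.
SAMPLE_EVENTS = [
    {"host": "ws-admin1", "time": datetime(2019, 6, 3, 9, 0), "cmdline": "cmd.exe /c dir C:\\logs"},
    {"host": "ws-admin1", "time": datetime(2019, 6, 3, 15, 0), "cmdline": "net user svc_backup /domain"},
    {"host": "ws-sales2", "time": datetime(2019, 6, 3, 10, 2), "cmdline": 'net group "Domain Admins" /domain'},
    {"host": "ws-sales2", "time": datetime(2019, 6, 3, 10, 9), "cmdline": "powershell.exe -EncodedCommand <redacted>"},
    {"host": "ws-sales2", "time": datetime(2019, 6, 3, 10, 11), "cmdline": "wscript.exe C:\\Users\\Public\\u.vbs"},
]

if __name__ == "__main__":
    for host, techs in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(techs)}")
```

Only ws-sales2 is flagged: ws-admin1 also shows two categories, but six hours apart, which is exactly the noise the window is meant to discard.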
On another front, Macs were targeted more than ever in 2019. Bad actors used LotL attacks against macOS native applications to gain access to systems. The combination of the Mac’s growing popularity within organizations and inadequate endpoint protection makes Apple machines an attractive target for cybercriminals. Once inside a system, CrowdStrike’s services team observed these actors using legitimate user credentials to reach other parts of the organization’s environment while evading detection.
CrowdStrike also highlights the importance of consistent patch-management processes as a way to deal with security weaknesses. Even though patching is an old problem, issues such as conflicting departmental policies and limited accountability mean these vulnerabilities will keep being exploited in 2020. Companies have, however, gotten better at developing more transparent, risk-based approaches to these issues.
In terms of what can be done, CrowdStrike founder George Kurtz said it best: forewarned is forearmed. The company operates on a philosophy that has become its mission and calling card: “You don’t have a malware problem; you have an adversary problem.”