CrowdStrike addresses the quickening pace and increasing sophistication of adversary tactics, techniques and procedures (TTPs) in its Cyber Threat 2019 report
CrowdStrike released its Global Threat Report 2019 today. It offers a comprehensive report on 2019's top cyber threats, combining analysis from CrowdStrike Intelligence, Falcon OverWatch managed hunting and the CrowdStrike Services incident response teams, and highlighting the most significant events and trends of the past year. The report pairs CrowdStrike's global observations with real-world case studies to deliver deep insights into modern adversaries and their tactics, techniques and procedures (TTPs).
Global trends and observations are paired with actionable recommendations, ensuring your organization is ready to anticipate and defend against the most dangerous threats of tomorrow.
Cyber Threat 2019 report highlights
- CrowdStrike dives into the data to show attackers' most favoured TTPs of 2018 through the lens of the MITRE ATT&CK™ framework.
- Updates on global “breakout” time statistics, including observations on which adversaries showed the fastest tradecraft in 2018.
- No respite from nation-state threats: Nation-state adversaries were continuously active throughout 2018 — targeting dissidents, regional adversaries and foreign powers to collect intelligence for decision-makers.
- The continued rise of “Big Game Hunting”, where cybercriminals combine advanced, targeted attack techniques with ransomware to achieve massive financial payoffs.
- The eCrime ecosystem continues to evolve and mature, showing increased collaborations between highly sophisticated criminal actors.
The report also makes clear — in spite of some impressive indictments against several named nation-state actors — their activities show no signs of diminishing.
Throughout 2018, eCrime and nation-state adversaries collectively upped their game. A few examples are given by CrowdStrike:
- In diplomatic channels and the media, several nation-states gave lip service to curbing their clandestine cyber activities, but behind the scenes, they doubled down on their cyber-espionage operations — combining those efforts with further forays into destructive attacks and financially motivated fraud.
- eCrime actors demonstrated new-found flexibility, forming and breaking alliances and quickly changing tactics mid-campaign to achieve their objectives. The shifting currents of the underground economy — including the availability of new TTPs-for-hire and the fluctuating value of Bitcoin — were all contributing factors.
- CrowdStrike also witnessed an increased focus on “Big Game Hunting,” where eCrime actors combine targeted intrusions with ransomware to extract big payoffs from large enterprise organizations.
Overview of tactics and techniques observed in 2018
The report also summarizes techniques and tactics used, containing statistics taken from CrowdStrike's Threat Graph. To determine the speed of major adversaries whose intrusions the team attributed in 2018, they decided to dive deeper into breakout time and calculate it for attributed incidents.
The report states: "Speed is essential in cyber security — for both offense and defense. In many ways, it is not the sophistication of the tools — which can be bought or stolen from others — that determines the capability of the adversary, but rather their operational tradecraft and how rapidly they can achieve their objectives in a target network."
The report notes a remarkable finding, that Russia-based threat actors are almost 8 times as fast as their speediest competitor — North Korea-based adversaries, who are almost twice as fast as intrusion groups from China.
Malware versus malware-free attacks
As mentioned in our cybersecurity trends for 2022 article, an increase in malware-based over malware-free attacks was reported. Of all these incidents, 39 percent involved malicious software that went undetected by traditional anti-virus software, leaving organisations exposed to cyber threats and demonstrating the importance of next-generation endpoint protection.
CrowdStrike defines malware attacks and malware-free attacks as follows:
- Malware attacks: simple use cases where a malicious file is written to disk and CrowdStrike Falcon detects the attempt to run that file, then identifies and/or blocks it.
- Malware-free attacks: attacks in which the initial tactic did not result in a file or file fragment being written to disk. Examples include attacks where code executes from memory, or where stolen credentials are leveraged for remote logins using known tools.
CrowdStrike telemetry shows that 40% of attacks are malware-free, versus 60% malware-based.
Media and Technology industry suffers most from malware-free attacks
Notable shifts in 2018 versus 2017: The media industry jumped to the top of the charts, with approximately 80 percent malware-free attacks, versus approximately 64 percent in 2017. In addition, the technology, academic and energy sectors all saw dramatic increases in malware-free attacks in 2018.
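To make the classification concrete, here is an added example (not CrowdStrike's code or data) that applies the report's definition above to a constructed set of incident records and computes the malware-free share per industry and overall; the `Incident` fields and all sample values are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Incident:
    """One intrusion record; constructed schema, not CrowdStrike telemetry."""
    incident_id: str
    industry: str
    file_written: bool   # did the initial tactic write a file/fragment to disk?
    technique: str       # descriptive label only, e.g. "in-memory", "stolen-creds-rdp"


# Constructed sample incidents chosen to mirror the figures quoted in the article:
# media ~80% malware-free, 40% malware-free overall.
SAMPLE_INCIDENTS = [
    Incident("inc-001", "media", False, "in-memory"),
    Incident("inc-002", "media", False, "stolen-creds-rdp"),
    Incident("inc-003", "media", True, "dropper"),
    Incident("inc-004", "media", False, "in-memory"),
    Incident("inc-005", "media", False, "stolen-creds-psexec"),
    Incident("inc-006", "technology", True, "macro-dropper"),
    Incident("inc-007", "technology", False, "stolen-creds-rdp"),
    Incident("inc-008", "technology", True, "dropper"),
    Incident("inc-009", "technology", True, "dropper"),
    Incident("inc-010", "technology", True, "dropper"),
    Incident("inc-011", "energy", True, "dropper"),
    Incident("inc-012", "energy", False, "in-memory"),
    Incident("inc-013", "energy", True, "dropper"),
    Incident("inc-014", "energy", True, "dropper"),
    Incident("inc-015", "energy", True, "dropper"),
]


def classify(incident: Incident) -> str:
    """CrowdStrike's definition as summarised in the article: the initial tactic
    wrote a file or file fragment to disk -> 'malware'; otherwise 'malware-free'."""
    return "malware" if incident.file_written else "malware-free"


def malware_free_share(incidents: Iterable[Incident]) -> dict:
    """Percentage of malware-free incidents per industry, plus an 'all' bucket."""
    counts: dict = {}  # key -> [malware-free count, total count]
    for inc in incidents:
        for key in (inc.industry, "all"):
            bucket = counts.setdefault(key, [0, 0])
            bucket[0] += int(classify(inc) == "malware-free")
            bucket[1] += 1
    return {k: round(100.0 * free / total, 1) for k, (free, total) in counts.items()}
```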
Global trend: Multiple targeted intrusion campaigns focus on the telecom sector
Throughout 2018, CrowdStrike Intelligence identified several targeted intrusion campaigns with a demonstrated focus on the telecommunications (telecom) sector, which have manifested as follows:
- Directly targeting organizations in the telecom sector
- Compromising vulnerable telecom equipment
- Using lures referencing telecom services
CrowdStrike states that this trend 'likely supports state-sponsored espionage actors as they seek to gain access to a broad customer base that relies on telecom services'.