CrowdStrike report reveals identity under siege, cloud data theft

Cyberattacks that exploit gaps in cloud infrastructure to steal credentials, identities, and data have skyrocketed in 2022, growing by 95%. That’s according to CrowdStrike’s 2023 Global Threat Report.

The report finds that bad actors are moving away from disabling antivirus and firewall technologies and tampering with logs, and are instead seeking to “modify authentication processes and attack identities.”

Today, identity is under enormous threat. Why are identities and privileged access credentials the primary targets? Because attackers want to become access brokers, selling stolen credentials in bulk on the dark web at high prices.

CrowdStrike’s report provides a sobering look at how quickly attackers are reinventing themselves as access brokers and how their ranks are growing. The report showed a 20% increase in the number of adversaries conducting cloud data theft and extortion campaigns, and the largest increase in the number of adversaries, with 33 new ones in just one year. Prolific Scattered Spider and Slippery Spider attackers are behind recent high-profile attacks on telecom, BPO and technology companies.

Attacks set new speed records

Attackers are digitally transforming themselves faster than businesses can keep up, rapidly weaponizing and re-exploiting vulnerabilities. CrowdStrike found threat actors working around patches and bypassing mitigations throughout the year.

The report states, “The CrowdStrike Falcon OverWatch team measures the breakout time, the time it takes for an adversary to move laterally from the initially compromised host to another host in the victim’s environment. The average breakout time for cybercrime interactive intrusion activity decreased from 98 minutes in 2021 to 84 minutes in 2022.”

CISOs and their teams must react more quickly as the breach window shrinks, to minimize the cost and collateral damage caused by attackers. CrowdStrike advises security teams to follow the 1-10-60 rule: detect threats within the first minute, understand them within 10 minutes and respond within 60 minutes.
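The two metrics above, breakout time as the report defines it and the 1-10-60 rule, are easy to compute from an incident timeline. The following is an added example, not code from the report or from CrowdStrike; the event list is constructed and the hostnames and timestamps are illustrative.

```python
from datetime import datetime

# Constructed sample timeline for one intrusion (illustrative values, not
# taken from the report). Each entry: (ISO-8601 timestamp, host, activity).
SAMPLE_EVENTS = [
    ("2022-06-01T10:00:00", "host-a", "initial access via stolen credential"),
    ("2022-06-01T10:30:00", "host-a", "credential dumping"),
    ("2022-06-01T11:24:00", "host-b", "remote service logon"),  # first other host
    ("2022-06-01T12:05:00", "host-c", "remote service logon"),
]


def _ts(s):
    return datetime.fromisoformat(s)


def breakout_minutes(events):
    """Breakout time as the report defines it: minutes from the earliest
    activity on the initially compromised host to the first activity on
    any other host. Returns None when no lateral movement was observed."""
    ordered = sorted(events, key=lambda e: _ts(e[0]))
    first_ts, first_host, _ = ordered[0]
    for ts, host, _ in ordered[1:]:
        if host != first_host:
            return (_ts(ts) - _ts(first_ts)).total_seconds() / 60
    return None


def one_ten_sixty(start, detected, understood, responded):
    """Score a response against the 1-10-60 rule: detect within 1 minute,
    understand within 10, respond within 60, all measured from `start`.
    Returns {stage: (elapsed_minutes, met)}."""
    limits = {"detect": (detected, 1), "understand": (understood, 10),
              "respond": (responded, 60)}
    t0 = _ts(start)
    result = {}
    for stage, (when, limit) in limits.items():
        elapsed = (_ts(when) - t0).total_seconds() / 60
        result[stage] = (elapsed, elapsed <= limit)
    return result


if __name__ == "__main__":
    print("breakout minutes:", breakout_minutes(SAMPLE_EVENTS))
    scores = one_ten_sixty("2022-06-01T10:00:00", "2022-06-01T10:00:45",
                           "2022-06-01T10:09:00", "2022-06-01T11:30:00")
    for stage, (mins, ok) in scores.items():
        print(f"{stage}: {mins:.1f} min {'OK' if ok else 'MISSED'}")
```

In the constructed timeline the defender detects and understands the intrusion in time but only responds after 90 minutes, so the breakout (84 minutes) happens before containment.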

Adversaries increase speed and complexity
The evidence shows a startling advance in the rate of attacks. Attackers have cut the time to interactive eCrime activity by an average of 15 minutes per year, while launching more attacks that are malware-free and therefore harder to detect. Source: CrowdStrike 2023 Global Threat Report

Access brokers make stolen identities top sellers

Access brokers run a thriving business on the dark web, where they sell large quantities of stolen credentials and identities to ransomware attackers. CrowdStrike’s highly regarded intelligence team found that government, financial services, and industrial and engineering organizations command the highest average asking price for access. Access to the academic sector had an average asking price of $3,827, while government access averaged $6,151.

Because they offer bulk transactions for hundreds to thousands of stolen identities and privileged access credentials, access brokers use a “one-access-one-auction” technique, according to CrowdStrike’s Intelligence Team. The team writes: “The entry methods used by brokers have remained relatively consistent since 2021. Common tactics include the misuse of compromised credentials obtained through information thieves or purchased from criminal underground log shops.”

Access brokers and the businesses they build are thriving illegal enterprises. The report found more than 2,500 ads from access brokers offering stolen credentials and identities for sale, a 112% increase compared to 2021.

CrowdStrike’s Intelligence Team authored the report based on analysis of trillions of daily events collected from the CrowdStrike Falcon platform and insights from CrowdStrike Falcon OverWatch.

The findings reinforce those of CrowdStrike’s Falcon OverWatch Threat Hunting Report, which found that attackers, cybercriminal groups and advanced persistent threats (APTs) are switching to malware-free intrusion activity, which accounts for up to 71% of all CrowdStrike-indexed threat detections.

Access broker statistics (CrowdStrike)
Attackers are looking to build an access brokerage business. If they can achieve scale, it becomes a profitable stealth enterprise, with wholesale identity sales averaging $6,151 for public sector access. Source: CrowdStrike 2023 Global Threat Report

Cloud infrastructure attacks starting at the endpoint

Evidence continues to show that cloud computing is growing as a playground for bad actors. Cloud exploitation increased by 95%, and the number of incidents involving “cloud-aware” threat actors nearly tripled year-over-year, according to CrowdStrike.

“There is mounting evidence that adversaries are becoming more confident using traditional endpoints to pivot to cloud infrastructure,” the CrowdStrike Intelligence Team wrote, signaling a shift in attack strategies from the past. The report continues, “the reverse is also true: cloud infrastructure is being used as a gateway to traditional endpoints.”

When an endpoint is compromised, attackers often go to the heart of the cybersecurity technology stack, starting with identities and privileged access credentials and removing account access. They often then proceed to destroy data, delete resources, and disrupt or destroy service.

Attackers are rearming and exploiting vulnerabilities, starting with CVE-2022-29464, which enables remote code execution and unrestricted file upload. On the same day that the vulnerability affecting multiple WSO2 products was disclosed, exploit code was made publicly available. Adversaries were quick to seize the opportunity.

Falcon OverWatch’s threat hunters began to uncover numerous exploitation incidents in which adversaries employ infrastructure-based tactics, techniques, and procedures (TTPs) consistent with China-nexus activity. The Falcon OverWatch team discovered that attackers are attempting to use successful cloud breaches to identify and compromise traditional IT assets.

Interactive intrusions pivot between cloud and traditional IT assets
CrowdStrike’s Falcon OverWatch team sees attackers moving toward more interactive intrusions that span cloud and traditional IT assets, capitalizing on vulnerable endpoints. Source: CrowdStrike 2023 Global Threat Report

CrowdStrike is doubling down on CNAPP

Competitive parity with attackers is elusive and short-lived in cloud security. All the leading cybersecurity vendors are well aware of how quickly attackers can innovate, from Palo Alto Networks touting how valuable attack data is to innovation, to the founder and CEO of Mandiant warning that attackers will innovate around a security business after months of researching it.

No sales call or executive presentation to a CISO is complete without a call for better cloud security posture management, a more hands-on approach to identity and access management (IAM), improved cloud infrastructure entitlement management (CIEM), and the ability to consolidate technology stacks, improving visibility and reducing costs.

Those factors and more led CrowdStrike to fast-track the expansion of its cloud-native application protection platform (CNAPP) in time for its Fal.Con customer event in 2022. The company is not alone here. Several leading cybersecurity vendors have taken on the ambitious goal of improving their CNAPP capabilities to keep pace with the new complexity of enterprises: multi-cloud configurations. Vendors with CNAPP on their roadmaps include Aqua Security, CrowdStrike, Lacework, Orca Security, Palo Alto Networks, Rapid7 and Trend Micro.

The way forward for CrowdStrike is based on a range of innovative tools.

“One of the areas we’ve developed is that we can accept weak signals from different endpoints. And we can connect them together to find new discoveries,” CrowdStrike co-founder and CEO George Kurtz told a keynote audience at the company’s annual Fal.Con event last year.

“We’re now extending this to our third-party partners so we can look at other weak signals not only at endpoints but also at domains and come up with a new detection,” he said.

Of note in the development is how the CrowdStrike DevOps and engineering teams added new CNAPP capabilities to CrowdStrike Cloud Security while also incorporating new CIEM features and CrowdStrike Asset Graph integration. Chief Product and Engineering Officer Amol Kulkarni told VentureBeat that the CrowdStrike Asset Graph provides visualization of cloud assets and explained how CIEM and CNAPP can help cybersecurity teams see and secure cloud identities and rights.

Kulkarni aimed to optimize cloud implementation and perform real-time queries for fast response. That means integrating Asset Graph with CIEM to enable broader analytic queries for asset management and security posture optimization. At a conference last year, he demonstrated how such instrumentation can provide complete visibility into attacks and automatically prevent threats in real time.

CrowdStrike’s primary design goals included providing least-privilege access to clouds and continuous detection and remediation of identity threats. Scott Fanning, senior director of product management, cloud security at CrowdStrike, told VentureBeat that the goal is to prevent identity-based threats stemming from improperly configured cloud entitlements across several public cloud service providers.

CrowdStrike asset graph
CrowdStrike Asset Graph helps provide 360-degree visibility into enterprise assets and their interdependencies across hosts, configurations, identities and applications. Source: CrowdStrike
