Attacker Breakout Time Drops to Just 84 Minutes
The average time it takes threat actors to move laterally from a compromised host dropped 14% between 2021 and 2022, putting further pressure on incident response teams, according to CrowdStrike.
The threat intelligence firm compiled its 2023 Global Threat Report from trillions of daily events generated by its endpoint protection platform and insights from its threat hunting team.
It warned that incident responders had even less time last year to contain breaches after an initial compromise.
“By responding within the breakout time window, defenders can minimize the costs and other damages caused by attackers,” the report explained. “Security teams are encouraged to meet the 1-10-60 rule: detecting threats within the first minute, understanding the threats within 10 minutes and responding within 60 minutes.”
The challenge of detecting suspicious activity has also been made more acute because attackers continue to eschew malware in favor of abuse of valid credentials for access and persistence.
Malware-free activity accounted for 71% of all detections in 2022, up from 62% in 2012, while “interactive intrusions” – i.e., manual, non-automated attacks – surged by 50% over the period.
These “hands on keyboard” techniques make it harder for traditional anti-malware tools to detect malign activity, CrowdStrike claimed.
Separately, the report noted an increase in social engineering tactics, such as vishing to direct victims to download malware, and SIM swapping and “MFA fatigue” to circumvent multi-factor authentication (MFA).
Cloud systems emerged as a key target in 2022: exploitation of cloud workloads grew by 95% and cases involving “cloud-conscious actors” tripled from 2021. Malicious actors are increasingly looking to public-facing applications for initial access, and rely on compromising privileged accounts, the report claimed.
CrowdStrike also observed a concerning emerging trend for “account access removal, data destruction, resource deletion and service stoppage.”
The cybercrime supply chain appeared to strengthen in 2022, with CrowdStrike recording a 112% year-on-year increase in initial access broker adverts on the dark web.
CrowdStrike head of intelligence, Adam Meyers, argued that 2022 saw a unique combination of cyber-threats emerge.
“Splintered eCrime groups re-emerged with greater sophistication, relentless threat actors sidestepped patched or mitigated vulnerabilities, and the feared threats of the Russia-Ukraine conflict masked more sinister and successful traction by a growing number of China-nexus adversaries,” he added.
“Today’s threat actors are smarter, more sophisticated and more well-resourced than they have ever been. Only by understanding their rapidly evolving tradecraft, techniques and objectives – and by embracing technology fuelled by the latest threat intelligence – can companies remain one step ahead of today’s increasingly relentless adversaries.”