Attacker Breakout Time Now Less Than 30 Minutes
The average time it takes threat actors to move from initial access to lateral movement has fallen by 67% over the past year, putting extra pressure on security operations (SecOps) teams, according to CrowdStrike.
The findings are drawn from the security firm's own investigations with customers, covering around 248,000 unique endpoints worldwide.
For incidents where this “breakout time” could be derived over the past year, it averaged just 1 hour 32 minutes. However, in over a third (36%) of intrusions, adversaries managed to move laterally to additional hosts in under 30 minutes.
That reportedly makes the job of incident responders more challenging: once an intruder has moved laterally, containment is no longer a single-host problem, and each newly reached system is a candidate for data discovery, exfiltration and ransomware deployment.
Threat actors are also becoming stealthier. In 68% of detections indexed by CrowdStrike, no malware was used at all. Instead, "living off the land" techniques and legitimate administrative tooling were employed to stay under the radar of traditional, signature-based security tools.
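Both of the points above, the breakout-time metric (time from an intruder's first activity to the first hop onto another host) and the malware-free, living-off-the-land pattern, can be pulled out of ordinary endpoint telemetry without waiting for a malware alert. The script below is an added example written for this page; it is not CrowdStrike's code or methodology. The pipe-delimited event format, the sample events and the list of living-off-the-land binaries (LOLBins) are constructed assumptions for illustration.

```python
"""Breakout-time and living-off-the-land (LOTL) triage over endpoint telemetry.

Added example for this article, not CrowdStrike's code or methodology.
The event format, the sample events and the LOLBIN list are assumptions
made for illustration only.
"""
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): "ISO-timestamp|host|user|kind|detail".
#   kind=process -> detail is the image name the user launched on that host.
#   kind=logon   -> detail is the SOURCE host of a network (remote) logon to that host.
SAMPLE_EVENTS = """\
2021-05-03T09:00:00|WS-17|j.doe|process|outlook.exe
2021-05-03T09:01:10|WS-17|j.doe|process|powershell.exe
2021-05-03T09:04:45|WS-17|j.doe|process|net.exe
2021-05-03T09:18:30|FS-02|j.doe|logon|WS-17
2021-05-03T09:19:05|FS-02|j.doe|process|wmic.exe
2021-05-03T11:40:00|WS-22|a.lee|process|winword.exe
2021-05-03T11:41:30|WS-22|a.lee|process|certutil.exe
2021-05-03T13:55:00|DC-01|a.lee|logon|WS-22
"""

# Assumed list of legitimate Windows binaries commonly abused for LOTL activity.
LOLBINS = {
    "powershell.exe", "wmic.exe", "net.exe", "certutil.exe", "psexec.exe",
    "rundll32.exe", "regsvr32.exe", "mshta.exe", "schtasks.exe", "bitsadmin.exe",
}

BREAKOUT_THRESHOLD = timedelta(minutes=30)


def parse_events(text):
    """Parse the constructed format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, kind, detail = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "kind": kind, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def breakout_time(events, user):
    """Return (initial_ts, lateral_ts, delta) for one account's activity.

    Initial access is taken as the account's first event. Lateral movement is
    the first remote logon whose source host is one the account was already
    active on and whose target host is new. Returns None if no such hop exists.
    """
    mine = [e for e in events if e["user"] == user]
    if not mine:
        return None
    first = mine[0]
    seen_hosts = {first["host"]}
    for e in mine[1:]:
        if (e["kind"] == "logon" and e["detail"] in seen_hosts
                and e["host"] not in seen_hosts):
            return first["ts"], e["ts"], e["ts"] - first["ts"]
        seen_hosts.add(e["host"])
    return None


def lolbin_usage(events, user):
    """Distinct LOLBins an account launched, in sorted order."""
    used = {e["detail"] for e in events
            if e["user"] == user and e["kind"] == "process" and e["detail"] in LOLBINS}
    return sorted(used)


def triage(events, threshold=BREAKOUT_THRESHOLD):
    """Per-account summary: breakout delta (or None), whether it beat the
    threshold, and which LOLBins were used. Malware-free intrusions show up
    here purely through tooling and movement, with no malware alert needed."""
    report = {}
    for user in sorted({e["user"] for e in events}):
        hop = breakout_time(events, user)
        delta = hop[2] if hop else None
        report[user] = {
            "breakout": delta,
            "fast": delta is not None and delta < threshold,
            "lolbins": lolbin_usage(events, user),
        }
    return report


def share_under_threshold(report):
    """Fraction of accounts that moved laterally whose breakout beat the threshold."""
    moved = [r for r in report.values() if r["breakout"] is not None]
    if not moved:
        return 0.0
    return sum(1 for r in moved if r["fast"]) / len(moved)


if __name__ == "__main__":
    rep = triage(parse_events(SAMPLE_EVENTS))
    for user, r in rep.items():
        print(f"{user}: breakout={r['breakout']} fast={r['fast']} lolbins={r['lolbins']}")
    print(f"share under {BREAKOUT_THRESHOLD}: {share_under_threshold(rep):.0%}")
```

On the constructed sample, `j.doe` hops from WS-17 to FS-02 18.5 minutes after first activity using only PowerShell, `net.exe` and WMIC, which is exactly the fast, malware-free intrusion the article describes; `a.lee` takes over two hours. Real deployments would feed this from EDR process and logon telemetry (Windows Security event 4624 logon type 3, for example) and would need a sounder definition of initial access than "first event seen", but the shape of the check is the same.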
In total, the vendor detected a 60% increase in attempted intrusions across all verticals and geographic regions between July 2020 and June 2021 compared with the previous 12 months.
Not all of this activity is about data collection and ransomware deployment. CrowdStrike recorded a 100% year-on-year increase in crypto-jacking in interactive intrusions.
When it came to targeted intrusions, China-based threat actors were by far the most prolific, accounting for 67% of incidents. Next came unattributed state-backed attackers (20%), then Iranian (7%) and North Korean (5%) actors.
“Over the past year, businesses faced an unprecedented onslaught of sophisticated attacks on a daily basis,” noted Param Singh, CrowdStrike’s VP of threat hunting service Falcon OverWatch.
“In order to thwart modern adversaries’ stealthy and unabashed tactics and techniques, it’s imperative that organizations incorporate both expert threat hunting and threat intelligence into their security stacks, layer machine-learning enabled endpoint detection and response (EDR) into their networks, and have comprehensive visibility into endpoints to ultimately stop adversaries in their tracks.”