News from CrowdStrike, which, simultaneously with the publication of its Threat Hunting Report 2023, makes CrowdStrike Counter Adversary Operations available. This is a new security offering that combines intelligence from CrowdStrike Falcon, the CrowdStrike Falcon OverWatch threat hunting team, and telemetry data captured by the AI-powered CrowdStrike Falcon security platform.
The scenario: the state of cybersecurity according to the CrowdStrike Threat Hunting Report 2023
The Threat Hunting Report 2023 is the first CrowdStrike report produced by the experts of the CrowdStrike Counter Adversary Operations team. The data refers to cyber incidents detected worldwide between July 2022 and June 2023 and shows a significant increase in identity attacks. In particular, Kerberoasting attacks grew by 583%.
These are attacks that occur after an attacker has already managed to get past the victim's defenses, with the aim of obtaining the password of an Active Directory account in the form of a hash (and therefore encrypted). Once he has this information, the attacker attempts to recover the clear-text password with brute force techniques, performed offline. From there it is relatively easy for the attacker to move laterally and escalate his privileges within the victim's systems.
There are two reasons why Kerberoasting attacks are successful. First, in many cases there is no form of multi-factor authentication, which would significantly increase security. But that is not the only factor. As Fabio Fratucello, Field CTO, CrowdStrike International, explains, "you need to carefully examine the access logs" to check for anomalous activity, but it is also very important to pay attention to encryption algorithms: "Kerberos uses many encryption algorithms, including RC4 (used in the WEP and SSL protocols, Ed.), which is the most attacked. We should consider disabling the weaker ones."
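As an added example, not part of the article or of any CrowdStrike tool, the following Python script applies the two defensive points above (examine the access logs, watch the encryption algorithms) to constructed log lines modelled on Windows Security event 4769 (Kerberos service ticket requested). It flags service tickets issued with RC4-HMAC (encryption type 0x17, the ticket type an offline cracking attempt targets) and accounts that request many distinct service tickets in a short window. The line format, account names and thresholds are assumptions for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on event 4769 fields; 0x17 is RC4-HMAC,
# 0x12 is AES256-CTS-HMAC-SHA1-96. Real events use longer field names.
SAMPLE_4769 = """\
2023-06-01T09:00:01 EventID=4769 Account=alice@CORP.LOCAL Service=sql-svc EncType=0x12
2023-06-01T09:00:05 EventID=4769 Account=bob@CORP.LOCAL Service=web-svc EncType=0x17
2023-06-01T09:00:06 EventID=4769 Account=bob@CORP.LOCAL Service=sql-svc EncType=0x17
2023-06-01T09:00:07 EventID=4769 Account=bob@CORP.LOCAL Service=backup-svc EncType=0x17
2023-06-01T09:00:08 EventID=4769 Account=bob@CORP.LOCAL Service=print-svc EncType=0x17
2023-06-01T09:05:00 EventID=4769 Account=carol@CORP.LOCAL Service=krbtgt EncType=0x12
2023-06-01T09:30:00 EventID=4769 Account=dave@CORP.LOCAL Service=legacy-app EncType=0x17
"""

RC4_HMAC = "0x17"  # weak encryption type: the ticket can be brute-forced offline


def parse_4769(text):
    """Turn the constructed lines into dicts, keeping only event 4769 records."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        if rec.get("EventID") != "4769":
            continue
        rec["ts"] = datetime.fromisoformat(ts)
        events.append(rec)
    return events


def rc4_service_tickets(events):
    """Every (account, service) pair that received an RC4-encrypted ticket."""
    return sorted({(e["Account"], e["Service"]) for e in events if e["EncType"] == RC4_HMAC})


def bulk_requesters(events, window=timedelta(seconds=60), threshold=3):
    """Accounts requesting >= threshold distinct services inside one window:
    the 'collect tickets now, crack later' pattern rather than normal use."""
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_account[e["Account"]].append(e)
    flagged = []
    for account, evs in by_account.items():
        for i, start in enumerate(evs):
            seen = {e["Service"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(seen) >= threshold:
                flagged.append(account)
                break
    return sorted(flagged)
```

A single RC4 ticket (dave's legacy-app here) is a reason to review that service account's supported encryption types; the burst from bob is the pattern worth an alert.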
Intrusions leveraging RMM (remote monitoring and management) tools, i.e. the perfectly legitimate tools used by IT teams to keep workers' computers under control, also increased dramatically (+312%).
Still on the subject of identity, CrowdStrike experts have detected a significant increase (+147%) in access broker advertisements. In practice, credentials are stolen and then resold on the black market: using them, cybercriminals can "skip" the first phase of the attack, i.e. gaining initial access to systems, and focus on other activities, such as installing ransomware or stealing confidential information.
In short, it is essential for companies to better protect workers' identities if they want to improve their security posture.
"Our monitoring of more than 215 adversaries over the past year has given us visibility into the cyber threat landscape, which has grown in complexity and depth as threat actors rely on new tactics and platforms, such as abuse of valid credentials to attack the cloud and software vulnerabilities," comments Adam Meyers, Head of Counter Adversary Operations at CrowdStrike. "When it comes to stopping breaches, we can't ignore the fact that adversaries are getting faster and employing tactics intentionally designed to evade traditional detection methods. Cybersecurity leaders must ask themselves if they have the solutions they need to stop an opponent's lateral movement in just seven minutes."
The situation in the EMEA area
Limiting the analysis to the countries of the EMEA area, it is interesting to note that the technology sector is the main target, as worldwide, followed by finance and telecommunications. An interesting detail is that the attacks on the telco sector, which represent 10% of the total in this area, are mainly attributed to the Iran-nexus group (KITTEN), which is believed to be linked to the Islamic Revolutionary Guard Corps, also known as the "pasdaran".
One detail that Fratucello highlights is that today it is increasingly difficult to clearly distinguish between e-crime attacks, intended to monetize (usually through ransomware), and nation-state attacks, that is, those sponsored by governments. This is because in the current geopolitical situation some nations (North Korea, but not only) are conducting campaigns aimed not only at sabotaging opponents and stealing key documents, but also at monetizing these operations.
Here Comes CrowdStrike Counter Adversary Operations
The latest CrowdStrike security report was produced by CrowdStrike Counter Adversary Operations.
The first active service is Identity Threat Hunting, an offering that is part of CrowdStrike Falcon OverWatch Elite and combines the latest intelligence on adversary TTPs and motivations with CrowdStrike Falcon Identity Threat Protection and the elite threat hunting experts of CrowdStrike Falcon OverWatch to thwart the latest identity-based attacks. The new offering enables customers to quickly identify and mitigate compromised credentials, track lateral movement, and stay ahead of adversaries with 24/7 always-on coverage. The service is available to new and existing CrowdStrike Falcon OverWatch Elite customers at no additional cost.
"To defeat modern adversaries, threat intelligence teams must go beyond understanding the threat and respond quickly with threat hunting actions that neutralize the threat," explains Adam Meyers, Head of Counter Adversary Operations at CrowdStrike. "The new Counter Adversary Operations model not only brings together the best available insights and experience on global adversaries—gained from sophisticated threat intelligence, hands-on keyboarding, and trillions of telemetry events—but also quickly makes front-line experts available for defense against modern threats, to more effectively hinder adversaries."