Cyber criminals spend three months lurking in target networks
Cyber criminals are spending longer hiding in target networks before launching their attacks, as more organised groups turn to business disruption to achieve their objectives
Hackers spent an average of 95 days moving around inside business networks before launching their attacks in 2019, up 10 days on 2018, as increasingly organised criminal groups become adept at hiding their activities from defenders in targeted attacks.
This was just one of a swathe of findings contained within cloud-delivered endpoint security provider CrowdStrike’s 2019 services report – a look back at some of the overarching trends of the past 12 months that offers some clues as to how the threat landscape is evolving as we head into the 2020s.
Before the new year ticker tape and balloons had even been cleared up, the first big cyber attack of 2020 was already underway, with indicators suggesting that the ongoing Travelex ransomware crisis was just such a targeted attack, that may have begun many months ago through a VPN vulnerability.
CrowdStrike said it saw a significant number of breaches by targeted adversaries that gained initial access more than 12 months before discovery and, in a handful of cases, more than three years. The firm said this clearly showed a need for better visibility and proactive threat hunting. It also indicated that, in some cases, state-sponsored threat actors were deploying countermeasures that let them stay hidden for longer, especially in organisations foolish enough to continue to use legacy security.
“As adversaries are stealthier than ever, with new attack vectors on the rise, we must remain agile, proactive and committed to defeat them”
Shawn Henry, CrowdStrike Services
While inside the network, threat actors may take any number of actions. In a ransomware attack such as that experienced by Travelex, they may explore the target’s backups and find out how they are organised so that they can encrypt live systems and backups. This will significantly increase their leverage over the target, and the potential for a successful attack, because the victim will be unable to ignore their demands and restore their systems. It should be noted that at the time of writing, there is no indication that Travelex’s backups have been encrypted.
“The 2019 services report offers organisations valuable takeaways to increase proactive security measures aimed at creating a more cyber resilient environment. As adversaries are stealthier than ever, with new attack vectors on the rise, we must remain agile, proactive and committed to defeat them. They still seek the path of least resistance – as we harden one area, they focus on accessing and exploiting another,” said Shawn Henry, chief security officer and president of CrowdStrike Services.
“The report offers observations into why ransomware and business disruption dominated headlines in 2019 and gives valuable insight into why issues with adversarial dwell time remain a problem for businesses around the world. Strong cyber security posture ultimately lies within technology that ensures early detection, swift response and fast mitigation to keep adversaries off networks for good.”
Criminals collaborating
The past 18 months or so have also seen a notable trend towards collaboration among threat groups to engage in “big game hunting” attacks that focus on high-value data and assets inside large organisations that are more sensitive to downtime. Such attacks, usually involving ransomware, have become extremely lucrative for groups such as Wizard Spider, Indrik Spider and Doppel Spider, the non-state-affiliated groups behind some of the more popular strains of malware.
Often, said CrowdStrike, one group will provide initial access to a target environment using Emotet, from which point access is transferred to a different group that may use Ryuk or Dridex. CrowdStrike said such collaboration permitted the various actors involved to be more effective and the attack more lucrative.
The growing “professionalism” of the cyber criminal underworld was evident throughout the report. CrowdStrike revealed that 36% of the incidents it had investigated in the past 12 months were caused by ransomware, destructive malware or denial of service attacks, which would seem to suggest an emphasis on targeted business disruption rather than opportunistic attacks.
CrowdStrike’s researchers found that third-party compromises, where target networks are hacked through their service providers, increasingly served as a force multiplier. Attackers are also turning their attention to cloud infrastructure, with exploitation of application programming interface (API) keys for public clouds on the rise. The researchers also revealed that environments running Apple’s macOS are now no longer the safe bet they have been in the past, with a rise in living off the land attacks targeting them, taking advantage of less widely used security tools than exist on Windows systems.
