lolloj - Fotolia
These tactics and methods include fileless malware and “living off the land” techniques involving processes native to the Windows operating system, such as PowerShell and Windows Management Instrumentation (WMI).
Many incidents have also used anti-forensics tools and methods in an effort to erase signs of their presence and increase the time they are able to explore the network before they are detected, commonly known as “dwell time”.
Brute force attacks on remote desktop protocol (RDP) servers are also prevalent in these cases, according to the report, which highlights two other trends that businesses need to be aware of.
The second trend emerging from IR cases in the past year is that self-propagation techniques have added a new twist to ransomware and destructive attacks, and consequently increased their ability to paralyse targeted organisations.
Destructive malware preys on weak security
Previously, an infection generally required some sort of user intervention, but now CrowdStrike investigations are seeing malware variants that employ techniques designed to spread once a system is infected.
Victim organisations worldwide experienced the repercussions of failing to keep critical systems up to date and relying on ineffective legacy security technologies.
The third trend revealed by the CrowdStrike IR cases is that as companies accelerate their migration to the cloud, the risks and attacks follow.
Gartner predicts that by 2020, 95% of cloud security failures will occur due to customer oversights or neglect. Compromised credentials and misconfigured applications are just two examples of security risks in the cloud, whether private or public.
Regardless of whether an organisation chooses to host IT infrastructure in a public or private cloud, CrowdStrike said preparation was essential to prevent or respond to the eventual attacks that occur in cloud environments.
These trends, the report said, make it clear that any organisation relying primarily on traditional security measures and tools, such as signature-based antivirus or firewalls, would not be able to detect or fend off determined, sophisticated threat actors.
Detect breaches and act fast
As attackers become more brazen and their attack techniques continue to evolve, the report recommends that organisations must likewise evolve their security strategies to proactively prepare for the next attack.
However, the report found that organisations continue to improve their ability to self-detect breaches. Of the clients CrowdStrike Services worked with in the past year, 68% were able to internally detect a breach, which represents an 11% increase over the previous year.
This improvement, the report said, reflects organisations’ overall efforts to continue maturing their security postures while investing in security tools and resources to detect attacks, including endpoint detection and response (EDR) tools.
In some extreme cases, the CrowdStrike IR team saw dwell times of between 800 and 1,000 days. The report notes that automated systems may eventually detect an intrusion, but by the time human staff are alerted and aware it is often too late.
How is malware getting in?
Across the IR cases handled by the CrowdStrike team, the most prevalent ways attackers first gained a foothold in a target environment was web server, web application, web shell exploits or file uploaders (37%), remote access (23%), supply chain compromise (12%), social engineering such as phishing (11%), cloud-based service exploits and attacks against externally accessible email portals or other unauthorised access (11%), and reconnaissance only or other (6%).
Malware-free attacks made up the majority of attacks (66%). CrowdStrike defines malware-free attacks as those where the initial tactic did not result in a file or file fragment being written to disk. Examples include attacks where code executes from memory or where stolen credentials are used for remote logins.
Attackers can also exploit inherent weaknesses in the client IT infrastructure, which present intrusion opportunities for attackers who do not want to leave traces of their intrusion, the report said.
Fileless attack examples include using remote tools such as RDP or a virtual private network (VPN) with compromised credentials, executing code from memory, using phishing and social engineering to harvest credentials, and using inherent weakness in a client’s IT stack, such as the Apache Struts vulnerability that allows malignant XML to be fed to a Struts server, as reportedly happened in the Equifax breach.
The most prevalent attack objectives identified by the CrowdStrike IR team are intellectual property (IP) theft, theft of funds, theft of personally identifiable information (PII), and ransom or extortion.
The organisations CrowdStrike Services works with vary in size and represent a wide range of industry sectors – the data clearly shows that no organisation is immune to cyber intrusions and all must prepare to defend against the next attack.
According to CrowdStrike, the case studies detailed in the report share several common traits that security stakeholders in any organisation should be mindful of as they continually evaluate the staff, processes and technology they have put in place for security resilience:
- Threat actors have many attack vectors to exploit, which requires a multi-faceted approach to security planning and strategy.
- Resiliency in the face of ever-changing attacker tactics requires new means to detect and prevent attacks because traditional signature-based antivirus endpoint offerings will not stop advanced intrusion methods, many of which are now fileless and execute from memory or utilise known system processes.
- Ensure vulnerabilities are patched quickly and effectively.
- Account management and access control remain critical pieces of an overall security posture. Know what resources user accounts can access, what permissions they possess and prevent unauthorised network and application access with two-factor authentication.