Hard-hitting insights into global attacks targeting organizations

After collecting and analyzing data, based on a comprehensive review of incident response investigations conducted over the past three years on behalf of organizations across various industries, CrowdStrike is offering key takeaways on emerging trends in cyber intrusions and notable adversary tactics, techniques, and procedures (TTPs).

Highlights and key findings:

Operating under attack is the new normal
Nearly all affected organizations experienced almost immediate reinfection attempts. On average, adversaries engage in aggressive infection reattempt efforts within two days of remediation efforts.

Organizations need to defend against multiple concurrent attackers
In a quarter of the examined cases, CrowdStrike identified multiple distinct adversary teams operating in the victim environment. Defending against multiple adversaries carrying out concurrent attacks within an enterprise environment requires development of advanced surveillance capabilities and an ongoing, evolving understanding of attacker tradecraft, motivations and tool sets.

Self-detection is gaining with 57% of organizations discovering breaches internally
CrowdStrike has seen a marked increase in the number of organizations self-detecting breaches, far above what has been previously reported. We attribute this to two factors: organizational maturity and improved endpoint and network detection technology.

Compromised accounts used sparingly, making detection more difficult
Adversaries are leveraging stealthier, often malware-free intrusion tactics and are becoming more cautious about account usage to remain unnoticed for as long as possible.

Credentials are a critical tactic
The most common goal of attackers upon initial entry into the network is to secure domain and enterprise credentials to maximize chances of staying unnoticed and moving laterally across the environment.

Experienced staff and mature processes are defining factors of a rapid breach recovery
The review of CrowdStrike investigations found wide variation in the duration of investigations. The biggest factors determining the length and breadth of engagements revolved around the maturity of processes and people responsible for security, visibility, and response activities at the enterprise site. Established relationships with external service providers and internal stakeholders such as IT, Legal, and Operations also are precursors to success.

“Organizations need to stay cognizant of emerging trends and changing adversary tactics to effectively detect breaches and minimize the impact that cyber attacks have on the integrity and safety of their assets,” said Wendi Whitmore, Vice President of CrowdStrike Services. “Today, staying ahead of the adversary requires implementation of advanced detection capabilities and an ongoing, evolving understanding of attacker tradecraft, motivations and toolsets.”