According to a new CrowdStrike report, the technology, professional services, and hospitality sectors were targeted most often by cyber adversaries. The actors used a variety of novel tactics, demonstrating particular creativity and perseverance in defense-evasion and credential-access TTPs, such as the use of the Windows Sysinternals tool Active Directory Explorer for one-time credential dumping.
Notable percentages of intrusion cases by vertical include:
- Technology: 36%
- Professional Services: 17%
- Hospitality: 8%
- Defense and Federal: 7%
- Non-governmental Organizations: 7%
“Today’s adversaries are persistent in their mission to target and infiltrate all types of industries. Organizations can no longer rely on reactive approaches to stay protected. Instead, they need to start with an assumption that someone might have already breached the perimeter and proactively hunt for them 24/7/365 on systems,” said Dmitri Alperovitch, CrowdStrike’s CTO.
Uptick in Chinese targeting
Researchers identified China as the most prolific nation-state threat actor during the first half of 2018. Data shows that Chinese adversaries have made targeted intrusion attempts against multiple sectors of the economy, including biotech, defense, mining, pharmaceutical, professional services, transportation, and more.
eCrime actors show increasing interest in cryptocurrency mining
CrowdStrike identified multiple intrusions against victims in the legal and insurance industries where criminal perpetrators gained privileged access to internal networks. In these cases, adversaries pursued post-exploitation financial gain by deploying cryptocurrency miners and employed techniques that allowed them to perform extensive lateral movement, creating as large a foothold as they could to commandeer resources for mining.
Increased targeting of the biotechnology industry
Researchers observed continued targeted adversary interest in the biotechnology industry vertical, with industrial espionage likely being the motivation behind multiple attacks. The tactics observed were usually those of adversaries looking to maintain an ongoing data collection effort against organizations in the sector.
Continued blurred lines
A key theme noted in the CrowdStrike 2017 Global Threat Report was the blurring of lines between the TTPs of highly skilled nation-state adversaries and their criminally motivated counterparts. That trend continued as researchers saw less skilled criminal actors adopt more advanced TTPs used by well-known nation-state actors.
One of the key metrics that CrowdStrike tracks for all intrusions it identifies is “breakout time” – the time that it takes an intruder to begin moving laterally outside of the initial beachhead to other systems in the network. The current average breakout time is 1 hour and 58 minutes, which means that if defenders are able to detect, investigate and remediate the intrusion within 2 hours, they can stop the adversary before they can cause serious damage.
CrowdStrike recommends that all organizations adopt the 1-10-60 rule:
- Strive to detect a threat in 1 minute on average.
- Investigate the detection in 10 minutes.
- Remediate and contain the attack in 1 hour.
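The breakout-time metric and the 1-10-60 rule are easy to operationalize once a response team records milestone timestamps per incident. The script below is an added example written for this summary, not code from CrowdStrike or the report; the incident records are constructed sample data, and the assumption that each 1-10-60 stage is measured from the end of the previous one (detect from initial access, investigate from detection, contain from the end of investigation) is the author's, since the report does not define the stage boundaries. It computes breakout time per incident, the average across incidents, whether each stage met its target, and whether containment landed before the adversary's first lateral move.

```python
"""Breakout time and 1-10-60 evaluation over constructed incident records."""
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample incidents (not real data). Timestamps are ISO-8601, UTC,
# recorded by the response team for each milestone.
INCIDENTS = [
    {"id": "INC-0001", "initial_access": "2018-05-01T09:00:00",
     "first_lateral_move": "2018-05-01T10:45:00", "detected": "2018-05-01T09:00:30",
     "investigated": "2018-05-01T09:08:00", "contained": "2018-05-01T09:50:00"},
    {"id": "INC-0002", "initial_access": "2018-05-02T14:00:00",
     "first_lateral_move": "2018-05-02T16:10:00", "detected": "2018-05-02T14:25:00",
     "investigated": "2018-05-02T15:00:00", "contained": "2018-05-02T17:30:00"},
    {"id": "INC-0003", "initial_access": "2018-05-03T08:00:00",
     "first_lateral_move": "2018-05-03T09:59:00", "detected": "2018-05-03T08:00:45",
     "investigated": "2018-05-03T08:20:00", "contained": "2018-05-03T09:10:00"},
]

# 1-10-60 targets: 1 minute to detect, 10 minutes to investigate, 60 minutes to contain.
TARGETS = {
    "detect": timedelta(minutes=1),
    "investigate": timedelta(minutes=10),
    "contain": timedelta(hours=1),
}


def _t(incident, key):
    return datetime.fromisoformat(incident[key])


def breakout_time(incident):
    """Time from initial access to the first lateral move outside the beachhead."""
    return _t(incident, "first_lateral_move") - _t(incident, "initial_access")


def average_breakout(incidents):
    """Mean breakout time across a set of incidents."""
    return timedelta(seconds=mean(breakout_time(i).total_seconds() for i in incidents))


def stage_durations(incident):
    """Duration of each 1-10-60 stage (assumption: each stage starts where the previous ended)."""
    return {
        "detect": _t(incident, "detected") - _t(incident, "initial_access"),
        "investigate": _t(incident, "investigated") - _t(incident, "detected"),
        "contain": _t(incident, "contained") - _t(incident, "investigated"),
    }


def evaluate(incident):
    """Per-stage pass/fail against 1-10-60, plus whether containment beat the breakout."""
    durations = stage_durations(incident)
    result = {stage: durations[stage] <= TARGETS[stage] for stage in TARGETS}
    # The defender wins the race if the intruder is contained before moving laterally.
    result["beat_breakout"] = _t(incident, "contained") < _t(incident, "first_lateral_move")
    return result


def report(incidents):
    """Human-readable summary lines, one per incident plus the average breakout time."""
    lines = []
    for inc in incidents:
        verdict = evaluate(inc)
        flags = " ".join(f"{k}={'ok' if v else 'MISS'}" for k, v in verdict.items())
        lines.append(f"{inc['id']}: breakout={breakout_time(inc)} {flags}")
    lines.append(f"average breakout time: {average_breakout(incidents)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(INCIDENTS)))
```

With the constructed data the average breakout time comes out at 1 hour 58 minutes, the figure quoted in the report; INC-0002 misses every stage and is contained only after the adversary has already moved laterally, which is exactly the case the 1-10-60 rule is meant to prevent.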