Cybersecurity technology provider CrowdStrike said in a report issued today that its Falcon OverWatch managed threat hunting unit saw a 40 percent year-over-year jump in “observed interactive intrusion volumes” for the year ended June 30.
The company said the report’s findings “relate specifically to interactive intrusion activity — that is, activity where a threat actor was operating with hands-on-keyboard in a victim environment,” and that its classification of “targeted adversaries” refers to “state-nexus adversaries.”
Discussing the 40 percent year-over-year increase in observed interactive intrusion volumes, the company said that “the overall distribution of interactive intrusion activity by threat type remained relatively constant this year compared to previous years.”
CrowdStrike also said the technology vertical – for the sixth year running – topped its list for the most frequently targeted vertical.
“The telecommunications vertical, which normally holds the second spot, was displaced this year by the financial vertical, which saw a spike in targeting,” the report says.
“In the past year, the volume of interactive intrusion activity against the financial services industry increased by over 80%,” the report says, adding, “Defenders in the financial industry should watch this trend closely, as the increased volume of activity is matched by an increased diversity of threats.” The report says that North Korean adversaries are the most aggressive state-sponsored adversaries to target the financial sector.
Other key findings from the report include:
- 80 percent of breaches use compromised identities. “The abuse of identity, particularly when coupled with creative defense evasion methodologies, enables adversaries to hide in plain sight,” the report says. “Despite identity being widely recognized as a growing security threat, the full spectrum of identity threats is not always well understood.”
- A nearly six-fold year-over-year increase in “Kerberoasting” attacks to escalate privileges and enable lateral movement within a victim’s environment. “Windows devices use the Kerberos authentication protocol, which grants tickets to provide users access based on service principal names (SPNs),” the report explains. “Kerberoasting specifically involves the theft of tickets associated with SPNs. These tickets contain encrypted credentials that can be cracked offline using brute-force methods to uncover the plaintext credentials.” In practice, the portion of the service ticket an attacker cracks is encrypted with a key derived from the service account’s password, so the attack is cheap wherever SPN-bearing accounts have weak passwords and the domain still issues RC4-HMAC tickets; any authenticated domain user can request those tickets, which is why the activity blends in with normal authentication traffic.
- 62 percent of interactive intrusions from foreign actors involved “the abuse of valid accounts, with 34 percent of intrusions specifically involving the use of domain accounts or default accounts.”
- A “160 percent increase in attempts to gather secret keys and other credential materials via cloud instance metadata APIs.” Further on the cloud front, the report says, “The rapid surge in demand for cloud services, along with the complexity of cloud management and controls, has led to a knowledge gap in properly securing these environments.” The firm added, “The nature of the attack surface has changed and presents significant security challenges for organizations with a cloud presence.”
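The Kerberoasting finding above is the one most defenders can hunt for directly in existing telemetry. The following detection logic is an added example, not code from CrowdStrike or the report: it runs over Windows Security Event ID 4769 (“A Kerberos service ticket was requested”) records and flags a single user account requesting service tickets for many distinct service accounts in a short window, raising severity when the tickets are RC4-HMAC (encryption type 0x17), which crack far faster offline than AES. The records, account names, thresholds (four services in five minutes) and field layout are constructed assumptions; real 4769 events name the service account in ServiceName rather than the SPN string, and machine accounts and krbtgt are excluded because their random or privileged keys are not the Kerberoasting target.

```python
"""Kerberoasting detection heuristic over Windows Security Event ID 4769 records.

Added example. The records below are constructed to look like the fields a SIEM
extracts from 4769; thresholds are assumptions to tune per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC; AES is 0x11 / 0x12

# Constructed sample: one normal user, one noisy machine account, one roaster.
SAMPLE_4769 = [
    # jdoe: two services over an hour, AES tickets (benign)
    {"time": "2023-06-01T09:00:01", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "IpAddress": "10.1.1.5"},
    {"time": "2023-06-01T10:02:40", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x12", "IpAddress": "10.1.1.5"},
    # WS01$: machine account touching five services at boot (excluded by design)
    *[{"time": f"2023-06-01T08:30:0{i}", "TargetUserName": "WS01$@CORP.LOCAL",
       "ServiceName": s, "TicketEncryptionType": "0x12", "IpAddress": "10.1.1.20"}
      for i, s in enumerate(["svc_sql", "svc_web", "svc_backup", "svc_sp", "FS01$"])],
    # mallory: six distinct service accounts in 20 seconds, all RC4 (Kerberoasting)
    *[{"time": f"2023-06-01T09:15:{i * 4:02d}", "TargetUserName": "mallory@CORP.LOCAL",
       "ServiceName": s, "TicketEncryptionType": "0x17", "IpAddress": "10.1.1.77"}
      for i, s in enumerate(["svc_sql", "svc_web", "svc_backup",
                             "svc_sp", "svc_exchange", "svc_reporting"])],
]


def _normalize(event):
    """Return (time, account, service, enc_type, ip), or None if out of scope.

    Machine accounts (trailing '$') have random 120-character passwords and
    krbtgt requests are TGT renewals, so neither is a Kerberoasting signal.
    """
    account = event["TargetUserName"].split("@", 1)[0]
    service = event["ServiceName"]
    if account.endswith("$") or service.endswith("$") or service.lower() == "krbtgt":
        return None
    return (datetime.fromisoformat(event["time"]), account, service,
            event["TicketEncryptionType"].lower(), event["IpAddress"])


def detect_kerberoasting(events, window=timedelta(minutes=5), min_services=4):
    """Alert per account that requests tickets for >= min_services distinct
    service accounts inside any sliding window of length `window`."""
    by_account = defaultdict(list)
    for ev in events:
        rec = _normalize(ev)
        if rec:
            by_account[rec[1]].append(rec)

    alerts = []
    for account, recs in by_account.items():
        recs.sort(key=lambda r: r[0])
        for i, (start, _, _, _, _) in enumerate(recs):
            in_window = [r for r in recs[i:] if r[0] - start <= window]
            services = {r[2] for r in in_window}
            if len(services) < min_services:
                continue
            rc4 = sum(1 for r in in_window if r[3] == RC4_HMAC)
            alerts.append({
                "account": account,
                "source_ips": sorted({r[4] for r in in_window}),
                "window_start": start.isoformat(),
                "distinct_services": len(services),
                "rc4_requests": rc4,
                # RC4 in an AES-capable domain is a downgrade signature; AES-only
                # sprays are still suspicious, just slower to exploit.
                "severity": "high" if rc4 else "medium",
            })
            break  # one alert per account; later windows are the same campaign
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_4769):
        print(alert)
```

On the sample data this yields a single high-severity alert for mallory (six services, six RC4 requests, source 10.1.1.77) and nothing for jdoe or the machine account. In production, pair the volume heuristic with an allowlist of accounts that legitimately fan out (monitoring and backup service accounts) and treat any 0x17 request in a domain where AES is enforced as worth a look on its own.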
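The instance metadata finding above names the technique but not the control. On AWS, the credential theft the report describes is an unauthenticated GET to the IMDSv1 endpoint (169.254.169.254/latest/meta-data/iam/security-credentials/), typically reached through SSRF or a compromised process on the host; requiring IMDSv2 replaces that with a PUT to obtain a session token that must accompany every read. The audit below is an added example, not code from CrowdStrike or the report: it takes the response shape of boto3's `ec2.describe_instances()` and flags instances still accepting IMDSv1 or allowing the token response to traverse more than one network hop. The embedded response, instance IDs and option values are constructed; the AWS-specific mitigation is my addition, not something the report states.

```python
"""Audit EC2 instance metadata options for IMDSv1 exposure.

Added example. SAMPLE_RESPONSE is a constructed stand-in for the dict returned
by boto3.client("ec2").describe_instances(); swap it in to run against an account.
"""

SAMPLE_RESPONSE = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111",  # hardened: token required, one hop
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0bbb222",  # exposed: IMDSv1 allowed, two hops
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 2}},
            {"InstanceId": "i-0ccc333",  # endpoint disabled: nothing reachable
             "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
        ]},
    ]
}


def audit_imds(response):
    """Return a finding per instance whose metadata service is reachable and
    either still answers unauthenticated IMDSv1 requests or leaks the IMDSv2
    token response past the host (hop limit > 1, e.g. into containers)."""
    findings = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # no endpoint, no credential exposure via IMDS
            issues = []
            if opts.get("HttpTokens") != "required":
                issues.append("IMDSv1 allowed: a plain GET from any process or "
                              "SSRF on the host returns the IAM role credentials")
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                issues.append("hop limit > 1: IMDSv2 token responses can cross a "
                              "network hop; confirm containers on this host need it")
            if issues:
                findings.append({"InstanceId": inst["InstanceId"], "issues": issues})
    return findings


def remediation_command(instance_id):
    """Real AWS CLI invocation that enforces IMDSv2 on one instance."""
    return (f"aws ec2 modify-instance-metadata-options --instance-id {instance_id} "
            f"--http-tokens required --http-put-response-hop-limit 1")


if __name__ == "__main__":
    for finding in audit_imds(SAMPLE_RESPONSE):
        print(finding["InstanceId"], *finding["issues"], sep="\n  ")
        print("  fix:", remediation_command(finding["InstanceId"]))
```

Against the sample data only i-0bbb222 is reported, with both issues. The check is deliberately strict about `HttpTokens`: "optional" means IMDSv2 is available but IMDSv1 still answers, which is the state attackers look for.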
Separately, the company announced the creation of its new CrowdStrike Counter Adversary Operations defensive unit, which unites its Falcon OverWatch and CrowdStrike Intelligence operations under a single umbrella. “Its mission is to use the collaborative power of hunting and intelligence to raise the cost of doing business for threat actors and give the adversary nowhere to hide,” CrowdStrike said.