Attackers are getting quicker. New research reveals they have shaved a few more minutes off the time they need to move from gaining initial access to a system to attempting to attack other devices on the same network.
CrowdStrike finds the average intrusion required 79 minutes after initial compromise before launching an attack on other systems on a network. That's down from 84 minutes in 2022. CrowdStrike's 2023 Threat Hunting Report, published on Tuesday, also reveals the fastest time was seven minutes between the initial access and attempts to extend the compromise, based on more than 85,000 incidents processed in 2022.
An attacker's main goal is to move to other systems and establish a presence in the network, so that even if incident responders quarantine the original system, the attacker can still come back, says Param Singh, vice president of CrowdStrike's OverWatch security service. In addition, attackers want to gain access to other systems via legitimate user credentials, he says.
"If they become the domain controller, that's game over, and they have access to everything," Singh says. "But if they cannot become domain admin, then they will go after key individuals who have better access to [valuable] assets ... and try to escalate their privileges to those users."
The breakout time is one measure of an attacker's agility when compromising corporate networks. Another measure defenders use is the time between the initial compromise and detection of the attacker, known as dwell time, which hit a low of 16 days in 2022, according to incident response firm Mandiant's annual M-Trends report. Together, the two metrics suggest that most attackers quickly take advantage of a compromise and have carte blanche for more than two weeks before being detected.
Interactive Intrusions Now the Norm
Attackers have continued their shift to interactive intrusions, which grew by 40% in the second quarter of 2023, compared to the same quarter a year ago, and account for more than half of all incidents, according to CrowdStrike.
The majority of interactive intrusions (62%) involved the abuse of legitimate identities and account information. The collection of identity information also took off, with a 160% increase in efforts to "collect secret keys and other credential material," while harvesting Kerberos service tickets from Windows systems for later offline cracking, a technique known as Kerberoasting, grew by nearly 600%, the CrowdStrike Threat Hunting report stated.
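As an added illustration (not code from the CrowdStrike report or this article), a minimal detector for the Kerberoasting pattern described above: one account requesting RC4-encrypted service tickets for many distinct SPNs within a short window. It runs over constructed, simplified Windows Security event 4769 lines; the field names follow the 4769 schema, but the one-line text layout and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified rendering of event 4769 (Kerberos service ticket request).
# Real events are XML/EVTX; only the field names here match the 4769 schema.
SAMPLE_EVENTS = """\
2023-08-08T09:00:01 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=MSSQLSvc/db01 TicketEncryptionType=0x12 IpAddress=10.0.1.15
2023-08-08T09:00:05 EventID=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=MSSQLSvc/db01 TicketEncryptionType=0x17 IpAddress=10.0.1.77
2023-08-08T09:00:06 EventID=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=HTTP/intranet TicketEncryptionType=0x17 IpAddress=10.0.1.77
2023-08-08T09:00:06 EventID=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=CIFS/fs02 TicketEncryptionType=0x17 IpAddress=10.0.1.77
2023-08-08T09:00:07 EventID=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.0.1.77
2023-08-08T09:00:08 EventID=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=MSSQLSvc/db01 TicketEncryptionType=0x17 IpAddress=10.0.1.77
2023-08-08T09:30:00 EventID=4769 TargetUserName=legacyapp$@CORP.LOCAL ServiceName=CIFS/fs02 TicketEncryptionType=0x17 IpAddress=10.0.2.9
"""

LINE_RE = re.compile(r"^(\S+) EventID=4769 TargetUserName=(\S+) ServiceName=(\S+) "
                     r"TicketEncryptionType=(0x[0-9a-fA-F]+) IpAddress=(\S+)$")
RC4_HMAC = 0x17  # weak ticket encryption that Kerberoasting tooling requests to ease cracking

def parse_events(text):
    """Parse the constructed 4769 lines into (timestamp, user, spn, etype, ip) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not 4769 events
        ts, user, spn, etype, ip = m.groups()
        events.append((datetime.fromisoformat(ts), user, spn, int(etype, 16), ip))
    return events

def detect_kerberoasting(events, window=timedelta(minutes=5), min_distinct_spns=3):
    """Flag accounts that request RC4 tickets for >= min_distinct_spns SPNs inside one window."""
    by_user = defaultdict(list)
    for ts, user, spn, etype, ip in events:
        if etype == RC4_HMAC:  # AES (0x11/0x12) requests are normal and ignored
            by_user[user].append((ts, spn, ip))
    alerts = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (start, _, ip) in enumerate(reqs):  # slide a window from each request
            spns = {spn for ts, spn, _ in reqs[i:] if ts - start <= window}
            if len(spns) >= min_distinct_spns:
                alerts[user] = {"source_ip": ip, "distinct_spns": sorted(spns)}
                break
    return alerts
```

A single RC4 request (the `legacyapp$` line) is left alone, since legacy service accounts legitimately still use RC4; the signal is the burst of distinct SPNs from one principal.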
Attackers are also scanning repositories where companies accidentally publish identity material. In November 2022, one organization accidentally pushed its root account's access key credentials to GitHub, eliciting a quick response from attackers, CrowdStrike said.
"Within seconds, automated scanners and multiple threat actors attempted to use the compromised credentials," the report stated. "The speed with which this abuse was initiated suggests that multiple threat actors — in efforts to target cloud environments — maintain automated tooling to monitor services such as GitHub for leaked cloud credentials."
Once on a system, attackers use the machine's own utilities — or download legitimate tools — to escape notice. So-called "living off the land" techniques prevent detection of more obvious malware. Unsurprisingly, adversaries have tripled their use of legitimate remote management and monitoring (RMM) tools, such as AnyDesk, ConnectWise, and TeamViewer, according to CrowdStrike.
Attackers Continue to Focus on Cloud
As companies have adopted cloud for much of their operational infrastructure — especially following the start of the coronavirus pandemic — attackers have followed. CrowdStrike observed more "cloud-conscious" attacks, with cloud exploitation nearly doubling (up 95%) in 2022.
Often the attacks focus on Linux, because the most common workloads in the cloud are Linux containers or virtual machines. The privilege escalation tool LinPEAS was used in three times more intrusions than the next most commonly abused tool, CrowdStrike said.
The trend will only accelerate, CrowdStrike's Singh says.
"We are seeing like threat actors becoming more cloud aware — they understand the cloud environment, and they understand the misconfigurations typically seen in cloud," he says. "But the other thing that we are seeing is ... the threat actor getting into a machine on the on-prem side, and then using the credentials and everything to move to cloud ... and cause a lot of damage."
Separately, CrowdStrike said in a press release on August 8 that it plans to combine its threat-intelligence and threat-hunting teams into a single entity, the Counter Adversary Operations group.