Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

1/14/2020
02:25 PM
50%
50%

Attackers Increasingly Focus on Business Disruption

Network intruders are staying undetected for an average of 95 days, enabling them to target critical systems and more completely disrupt business.

More cyberattackers are targeting large companies with stealthier attacks, aiming to significantly disrupt businesses and force them to pay higher ransoms, according to a report summarizing more than 300 breach investigations.

The "CrowdStrike Services Cyber Front Lines Report" found that 36% of incidents aimed to disrupt business or operations. While companies are getting better at detecting attacks using their own people and systems —79% of attackers were discovered internally, the highest rate in three years — the number of days attackers went undetected increased to 95, up from 85 days in 2018, CrowdStrike found.

The result is that malicious attackers have more time to attack operations and cause more disruption, says Thomas Etheridge, vce president of services at CrowdStrike.

"Not all of these threat actors are deploying ransomware, but they were really focused on disrupting the business' ability to perform business," he says. "That disruption was behind higher ransom amounts and the decision to often pay the ransom."

The report's findings highlight how last year's steady beat of ransomware headlines became a trend. From the coordinated attacks on Texas towns to a focus on local school districts, reports of ransomware attacks exploded in 2019. While successful attacks have decreased in number by some accounts, attackers are focusing on larger targets and threatening to do greater damage. Called "big-game hunting" by many firms, the revised strategy is about minimizing effort and maximizing the profit from criminal activity.

"That type of access that the attacker has, it really gives them the flexibility to understand where the critical data assets are, what approach they are going to take to encrypt those assets, where the backups are stored — and that really puts the customer at a disadvantage," Etheridge says.

While the increase in disruptive attacks is the main theme of CrowdStrike's report, a number of other trends are highlighted as a well. The company found, for example, that a legitimate tool for scanning Active Directory stores, known as Bloodhound, had been co-opted by attackers to speed their movement across networks. 

The company also urged companies to better secure their cloud services, especially infrastructure-as-a-service (IaaS) infrastructure. Attackers are already targeting API keys, which are used to allow programs to access and incorporate features from the cloud.

"Static keys pose a significant risk because they allow enduring access to large amounts of often sensitive data," the report states. "Instead, use ephemeral credentials for automated cloud activity and enforce the usage of these credentials only from authorized IP address space."

Finally, Macs are now on the menu for attackers, CrowdStrike says.

"The increasing popularity of macOS systems in organizations, combined with insufficient macOS endpoint management and monitoring, have made Macs lucrative targets for threat actors," the report states. "Once inside a victim environment, the Services team has observed threat actors leveraging legitimate user credentials and native macOS utilities to move laterally and persist there while evading detection."

In terms of disruptive attacks, the manufacturing sector found itself most often successfully targeted by ransomware and other business-disrupting malware, according to CrowdStrike's report. Healthcare had the second highest number of disruptive incidents, followed by government organizations and information-technology companies.

Attackers often used spear-phishing attacks for the initial compromise, the company found. In just over a third of cases (35%), spear-phishing e-mails or messages gave attackers initial access to the victim's systems. Attackers also sought out legitimate credentials to allow them to move around networks. Collecting credential dumps and attempting to discover accounts were the No. 1 and No. 3 attack techniques.

Companies that deploy a handful of defenses could fend off many of the attacks detected by CrowdStrike. Multifactor authentication on all public-facing portals, for example, will prevent attackers from gaining easy access through stolen credentials. Network segmentation helps prevent attackers from easily moving around a network following a compromise. 

"These methods can help organizations improve their security posture," Etheridge says. "Organziations are better able to self-detect the attackers in their environment, so we expect attackers to continue to use more stealthy techniques to increase their dwell time."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "6 Unique InfoSec Metrics CISOs Should Track in 2020."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Exploiting Google Cloud Platform With Ease
Dark Reading Staff 8/6/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: They said you could use Zoom anywhere.......
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13285
PUBLISHED: 2020-08-13
For GitLab before 13.0.12, 13.1.6, 13.2.3 a cross-site scripting vulnerability exists in the issue reference number tooltip.
CVE-2020-16087
PUBLISHED: 2020-08-13
An issue was discovered in Zalo.exe in VNG Zalo Desktop 19.8.1.0. An attacker can run arbitrary commands on a remote Windows machine running the Zalo client by sending the user of the device a crafted file.
CVE-2020-17463
PUBLISHED: 2020-08-13
FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items.
CVE-2019-16374
PUBLISHED: 2020-08-13
Pega Platform 8.2.1 allows LDAP injection because a username can contain a * character and can be of unlimited length. An attacker can specify four characters of a username, followed by the * character, to bypass access control.
CVE-2020-13280
PUBLISHED: 2020-08-13
For GitLab before 13.0.12, 13.1.6, 13.2.3 a memory exhaustion flaw exists due to excessive logging of an invite email error message.