Attackers are increasingly taking a hands-on approach to network intrusions, usually avoiding using malware; they have also reduced the time it takes to move from an initial compromise to infecting other systems in a network.
That's according to cybersecurity services firm CrowdStrike, which found in a report published Tuesday that both targeted attacks and interactive intrusions have increased overall. For the 12 months ending in June, targeted attacks accounted for 18% of all attacks, up from 14% for the prior 12 months, according to the firm's telemetry.
Attackers also focused on interactive intrusions that take a hands-on approach to compromises, with an almost 50% increase in such attacks, the company found. Unsurprisingly, the increase in hands-on attacks meant less reliance on malware — 71% of all events detected by CrowdStrike indicated malware-free activity, the company said.
The technology sector continued to be the focus of the most attacks, with nearly 20% of attacks targeting the industry sector, while telecommunications became the second most targeted at 10%, and manufacturing accounting for about 8% of attacks. Cybercriminal attacks accounted for 43% of all security incidents investigated by CrowdStrike, the firm stated in the report.
A Rise in Nation-State Cyberattacks
The shifts in cyberattacker tactics have come from specialized cybercrime offerings and an increase in nation-state attacks, says Param Singh, vice president of CrowdStrike's Falcon OverWatch group.
"This surge is being driven in part by the evolving e-crime landscape which has seen an unprecedented number of new criminally motivated adversary groups emerging and joining the fold in an attempt to capitalize on the lucrative opportunities for financial gain," he says. "Additionally, there has been a prolonged rise in targeted intrusion activity on the part of state-based adversaries in response to the evolving geopolitical landscape and global macro events."
More compromised credentials and more services means that adversaries are able to quickly choose vulnerable systems and gain access essentially on demand, which leads to faster breakout times, he says. At the same time, because advanced actors can use the same access-for-service tools, they are able to gain a beachhead and interactively hack their victim.
A shorter breakout time would normally suggest that attackers are using more automation, but CrowdStrike's threat hunters found that attackers are using interactive hacking more often. There are two separate trends at play, says Singh.
"[T]he ongoing surge in ransomware-as-a-service and affiliate networks along with increasing prevalence of access broker activity all adds up to one thing: a lower barrier to entry for criminally motivated adversaries," Singh says. "In practice, this translates to adversaries being able to operationalize an attack and both gain initial access easier and move laterally to additional hosts faster than previously seen."
CrowdStrike pointed toward the Russia-Ukraine conflict as one factor for the growth in targeted attacks, but China remains the most prolific attacker, according to the company's data.
"A look back at the numerous geopolitical and macro global events that have taken place have shown both China and Russia to be outspoken," Singh says. "While a greater proportion of attributable malicious activity has been linked back to China-nexus adversaries, it is our assessment that Russian adversaries continue to operate. However, it is possible that this activity currently falls under the unattributed category of intrusions."
Meanwhile, the share of detected security incidents that remain unattributed continues to be high. In the 12 months ending June 2022, 38% of intrusion campaigns could not be positively attributed to a specific group, about the same (39%) as the previous 12 months.
"[T]here are often few identifiable artifacts or examples indicative of tradecraft to investigate, which prevents high-confidence attribution," CrowdStrike stated in the report. "This issues is compounded by the continued blurring of the lines between eCrime and targeted intrusion tradecraft and tooling, which also curtails high-confidence attribution."
To keep up with attackers' speed and break their chain of attack, defenders need to both deploy technology-based controls and use human-based threat-hunting services to catch signs of attackers and subvert their automated attacks and hands-on hacking.
"When it comes to breaking that chain, the reality is that adversaries are moving faster, in some cases in mere minutes," Singh says. "Pairing this observation with the increasing proliferation of compromised account usage with the diminishing reliance on malware means defenders must extend their defensive capabilities beyond technology alone."