
A LEADING Australian fighter in the war against cyber criminals has told a conference of motor industry leaders that it detected a 60 per cent increase in intrusions into Australasian business IT environments in the past 12 months, and that in the same period its tools, intrusion detection technicians and technology prevented a million malicious events across its clients’ operations.

Speaking at the recent Pentana Solutions Top Gear Live two-day virtual interactive event, cyber security intrusion researchers on the Falcon Overwatch team at CrowdStrike, Jai Minton and Tom Simpson, said that threat hunters at the company uncovered 77,000 attempted intrusions over the course of just 12 months. 

“That works out to an average of one every seven minutes,” they said.

They said that one third of intrusions are by nation state actors like China, North Korea, Iran and Russia trawling for intelligence, spying on their nationals, conducting espionage or stealing intellectual property.

In the presentation, called Every Second Counts, Mr Minton said that the big increase in adversarial activities “tells us that adversaries aren’t slowing down, and they are going to continuously break into organizations to achieve their objectives”.

He said a bad sign was that “71 per cent of all of these intrusions were malware free. They didn’t use any viruses at all”. 

“They’re using legitimate credentials; your username, passwords or whatever they can in order to achieve their objectives without trying to tip off any antivirus products that may be present.”

Mr Minton said that “adversaries are increasingly operating with multiple sets of valid credentials.

“Either they received them (the credentials) from a previous intrusion or they purchased them off the dark web. And that is really allowing these adversaries to laterally move with ease throughout organizations. We are seeing that (trend) in 60 per cent of all the intrusions over the past 12 months.

“So these adversaries are hiding in plain sight. 

“When you consider that 71 per cent didn’t use any malware and 60 per cent were using a valid username and password or any other kind of credentials, that’s a huge risk to environments to be able to detect and eject these adversaries in a timely manner.” 

In another trend, the “breakout time”, the time intruders take from the point at which they establish a “beachhead” in a target system to finding access to another asset or another host within the target environment, is also getting shorter.

Mr Simpson said: “e-crime has really been picking up the pace. The average breakout time has reduced by 14 minutes to one hour and 24 minutes. And we’ve actually seen a minimal breakout time of only four minutes. So the adversary got access to a host and moved towards a separate host within four minutes”.

He said they were also seeing an increasing prevalence of intrusions “living off the land”; using tools that are provided within a computer’s operating system to break in.

“They (the tools) are already there on every single computer that you go to … and they use them because they can blend in like a legitimate administrator or someone who is just doing something normal within an environment so they can hide amongst all of that activity.”

CrowdStrike outlined three different types of threats: 

e-crime: Financially-motivated criminals who may deploy ransomware or may deploy cryptocurrency miners to get a financial gain from the organizations that they have intruded into. Apart from financial loss, the loss of access to business systems can cause “huge reputational damage”. e-crime accounted for 50 per cent of all intrusion activity against the automotive industry last year.

State actors: “Adversaries that are state or country-backed intruders that have real goals to try to commence cyber espionage or information gathering or other really-targeted attacks against organizations and individuals (including students and staff in academia); generally to support a regime or country’s government”.

Hacktivist: “People who didn’t necessarily want to make money. They were not there to steal information for some sort of nation state actor. They just had some sort of ethical or political agenda that they wanted to try to promote by hacking into these businesses”. 

Mr Simpson said that adversaries are increasingly using shared tactics and techniques with other adversaries.

By John Mellor
