CrowdStrike is proud to announce the launch of CrowdStrike Counter Adversary Operations, a newly formed, first-of-its kind team that brings together CrowdStrike Falcon® Intelligence and the CrowdStrike® Falcon OverWatch™ threat hunting team to disrupt today’s adversaries and ultimately raise their cost of doing business.
Both threat hunting and intelligence operations are essential to detect, disrupt and stop today’s adversaries. CrowdStrike Counter Adversary Operations will have the power of both — along with the trillions of telemetry events from the AI-powered CrowdStrike Falcon® platform — to quickly act and intensify its impact on adversary activity. CrowdStrike’s deep adversary knowledge, expertise in pursuing and stopping threats, and visibility derived from the Falcon platform make us uniquely qualified to deliver the most effective method of stopping breaches and protecting customers.
Today’s adversaries are increasingly fast and elusive, with quickly changing motives and tactics. The tradecraft CrowdStrike sees in the wild is, far too often, bypassing legacy and even modern security measures. CrowdStrike Counter Adversary Operations represents a new model for the security industry that brings together the best adversary insight and expertise, and puts this information in the hands of teams on the front lines so they can disrupt adversaries faster than ever before.
There has never been a greater need for threat hunting and intelligence to come together, as evidenced by Nowhere to Hide: CrowdStrike 2023 Threat Hunting Report. This report, the first to be published under the CrowdStrike Counter Adversary Operations unit, provides a comprehensive look at the evolving techniques of today’s adversaries.
Nowhere to Hide: A Closer Look at Modern Adversary Activity
The CrowdStrike 2023 Threat Hunting Report, now in its sixth edition, is the culmination of 12 months of proactive and intelligence-informed threat hunting. Our threat hunters and intelligence analysts observed a massive jump in identity-based intrusions, evolving expertise in cloud-focused attacks, and a breakout time of 79 minutes — a new all-time low and decrease from the 84 minutes recorded in 2022.
A standout theme of the report is adversaries’ persistent focus on identity: Our experts observed a 583% increase in Kerberoasting attacks, a technique adversaries can use to obtain valid credentials for Active Directory service accounts. These often provide attackers with higher privileges and allow them to lurk undetected in victim environments for longer stretches of time.
This wasn’t the only statistic indicating identity is a hot target: 62% of all interactive intrusions involved the abuse of valid accounts, and there was a 160% increase in attempts to collect secret keys and other credentials through cloud instance metadata APIs. Access broker advertisements, which often offer ready access to valid accounts, increased by 147% in criminal and underground communities.
Adversaries are also leading the charge in cloud know-how, navigating cloud environments with a level of skill and confidence often unmatched by enterprise security teams. CrowdStrike observed a threefold increase in the use of linPEAS, a Linux privilege escalation tool quickly gaining popularity among adversaries operating in the cloud. This finding, combined with the 95% jump in cloud exploitation and threefold increase in cases involving cloud-conscious threat actors, underscores the critical need for organizations to prioritize securing their cloud environments.
Other notable findings include a 312% year-over-year increase in adversaries using legitimate remote monitoring and management (RMM) tools to evade detection and blend in with a target environment, and a stunning 80% increase in interactive intrusions targeting the financial sector.
The data is clear: Adversaries are relentlessly seeking new ways to broaden their reach, optimize their tradecraft and deepen their impact across operations, using tactics intended to bypass legacy security products using traditional detection methods. As they demonstrate greater proficiency and speed in targeting organizations, it is imperative that defenders stay one step ahead to proactively identify and stop their activity.
Counter Adversary Operations’ First New Offering: Identity Threat Hunting
In response to the evolving sophistication of adversary tradecraft and identity-based attacks CrowdStrike is seeing in the wild, Counter Adversary Operations is introducing its first new offering: CrowdStrike® Falcon OverWatch™ Elite Identity Threat Hunting.
This offering, immediately available as part of CrowdStrike® Falcon OverWatch™ Elite, brings together the latest intelligence on adversary motives, tactics, techniques and procedures, and combines this data with CrowdStrike Falcon® Identity Threat Protection and the elite Falcon OverWatch threat hunters. This combination makes it possible to quickly identify and remediate compromised credentials, track lateral movement and stay ahead of adversaries with 24/7 coverage.
At a time when adversaries have their sights set on identities, Falcon OverWatch Elite Identity Threat Hunting brings organizations peace of mind with an always-on service to help them outpace current and emerging threats. This offering is available to new and existing CrowdStrike Falcon OverWatch Elite customers at no additional cost.
And there’s more to come: Falcon OverWatch Elite Identity Threat Hunting is the first of many accelerated innovations from Counter Adversary Operations. This offering and future capabilities will close the loop between the discoveries CrowdStrike researchers make in the wild and new customer-focused innovations to come in the Falcon platform.
Leave a Reply