Threat hunting report reveals prolific adversary trends and tactics

2019 Mid-year OverWatch report provides insights into massive uptick in eCrime cyber activity; retail comes back as one of the top targeted industries this year.

  • 5 years ago Posted in

CrowdStrike has released the Falcon OverWatchTM 2019 Mid-Year Report: Observations From the Front Lines of Threat Hunting. The report is comprised of threat data from CrowdStrike Falcon OverWatch, CrowdStrike’s industry-leading managed threat hunting team. The annual report details several of the sophisticated intrusions the team has encountered and provides insights into notable targeted, state-sponsored and criminal campaigns the team investigated during the first half of 2019. The report also includes information on key trends in adversary activity and offers recommendations for defending against the prevalent tools, techniques and procedures (TTPs) attackers are using.

As Gartner states in the 2019 Magic Quadrant for Endpoint Protection Platform i, “The skills requirement of EDR solutions compounded by the skills gap in most organizations is an impediment to the adoption of EDR in the mainstream market. As a result, product vendors are increasingly offering a fusion of products and services ranging from light incident response and monitoring through full managed detection and response and consultative incident response services.” OverWatch is comprised of an elite team of cross-disciplinary specialists that offer customers full managed detection and response, harnessing the massive power of the CrowdStrike Falcon® platform’s cloud-native architecture to gain rapid visibility into the CrowdStrike Security Cloud community. Armed with massive datasets collected and analyzed by CrowdStrike Threat Graph,® combined with contextualized threat intelligence, CrowdStrike’s team of threat hunters continuously tracks, investigates and stops sophisticated threat activity in customer environments.

With CrowdStrike’s industry-leading cloud-scale telemetry of over two trillion endpoint events collected per week and detailed tradecraft on more than 120 adversary groups, OverWatch provides organizations with the comprehensive ability to see and stop the most sophisticated breaches.

“Over the first half of 2019, OverWatch has regularly observed attackers using valid accounts to access compromised endpoints. Upon entry, we’ve seen both eCrime and nation-state actors maintain a strong foothold in networks through the use of stealthy tactics. It’s obvious that attackers are continuing to ramp up in both their brazen behavior and sophisticated means,” said Jennifer Ayers, vice president of OverWatch and Security Response. “In the continually changing IT environment, where end users are no longer behind the VPN, it’s critical for organizations to adopt modernized threat prevention to defend against more sophisticated threats that go beyond malware with fileless attacks, zero-days and other advanced techniques.”

 

Some of the most notable report findings include:

  • A massive uptick in targeted intrusions from eCrime adversaries. OverWatch has seen a large increase in intrusion activity from eCrime actors in the first half of 2019, accounting for the majority of detected intrusions. This is in stark difference from last year, but does not indicate a reduction in state-sponsored activity overall. Rather, it reflects a continued shift in eCrime adversary behavior to focus more on leveraging nation-state style intrusions versus targeted spray and pray attacks in pursuit of more and larger payouts.
  • Retail replaces hospitality as one of the top ten targets within the first half of 2019. A quiet player in the past, a clear focus has moved this industry to one of the most lucrative targets. eCrime campaigns, and in particular, ransomware, overall are on the rise and the retail vertical has received a significant share of new attention from eCrime actors.
    • Other industries such as technology, telecommunications, financial and Non-governmental organizations (NGOs) remain some of the most highly targeted verticals in both 2018 and 2019.
  • China remains one of the most active adversaries. Similar to prior years, Chinese nation-state adversaries were the most active out of all the nation-state actors observed so far this year. CrowdStrike has observed China target the most industries across the board including chemical, gaming, healthcare, hospitality, manufacturing, technology and telecom.

 

As we move into the latter half of 2019, OverWatch continues to observe targeted adversaries employ creative techniques to avoid detection and perform actions on objectives. The threat hunting endpoint data collected via the cloud-native technology of the Falcon platform provides invaluable information and actionable insights to identify sophisticated adversaries, the TTPs they employ, and the evasion techniques they commonly turn to. It’s imperative that organizations looking to increase their security hygiene deploy threat hunting teams to rapidly detect, investigate and remediate intrusions.

For additional information, read a blog from the OverWatch team: Observations From the Front Lines of Threat Hunting.

Research shows ‘game needs to be changed,’ with security innovation years behind that of the...
73% of organizations lack automated patch management, and 62% experienced incidents involving...
Quest Software has signed a definitive agreement with Clearlake Capital Group, L.P. (together with...
Dell EMC PowerProtect Cyber Recovery for AWS provides a fast, easy-to-deploy public cloud vault to...
Aqua’s cloud native application protection platform becomes the only solution that protects cloud...
54% of organisations working on a security transformation project now or in the next 12 months.
Node4 has released its Mid-Market IT Priorities Report 2021. The independent report reveals that...
Zscaler Zero Trust exchange cloud-based architecture enables superior green security capabilities...