CrowdStrike’s Falcon OverWatch threat hunting report reveals a record 50% year-over-year increase in hands-on cyberattack attempts — and distinct changes in related trends and adversary tactics.
The fourth annual report, Nowhere to Hide: 2022 Falcon OverWatch Threat Hunting Report, examines global threat hunting operations from July 1, 2021 through June 30, 2022. The report offers in-depth attack data and analysis, case studies and actionable recommendations.
CrowdStrike, an endpoint protection platform provider, identified more than 77,000 potential intrusions — approximately one every seven minutes. These are instances where proactive, human-led threat hunting uncovered adversaries actively carrying out malicious techniques at various stages of the attack chain, despite attackers’ best efforts to covertly evade autonomous detection methods, the report states.
Breakout Time Falls
The report examines "breakout" time: the average time it takes an adversary to move laterally from the initially compromised host to other hosts in the victim environment. Breakout time fell to one hour and 24 minutes, compared with one hour and 38 minutes as reported in the 2022 CrowdStrike Global Threat Report.
Falcon OverWatch found that in 30% of cybercrime incidents, the threat actor was able to move laterally in under 30 minutes. These findings, says Falcon OverWatch, underline the speed and scale at which threat actors evolve their tactics, techniques and procedures (TTPs), and show that they are capable of bypassing even the most sophisticated technology-based defense systems to achieve their goals, the report states.
Param Singh, vice president of Falcon OverWatch at CrowdStrike, put the report findings into perspective:
“Over the past 12 months, the world has faced new challenges spurred by economic pressures and geopolitical tensions, backdropping a threat landscape that is as complicated as ever. To thwart brazen threat actors, security teams must implement solutions that proactively search for hidden and advanced attacks every hour of every day.”
Top Attack Targets Identified
Other key findings from the report include:
- eCrime is the top threat type for interactive intrusion campaigns. eCrime accounted for 43% of interactive intrusions, while state-nexus actors accounted for 18% of activity. Hacktivists accounted for just 1% of interactive intrusion campaigns, with the remaining intrusions unattributed.
- Adversaries continue shifting away from malware. Malware-free threat activity accounted for 71% of all detections indexed by the CrowdStrike Threat Graph. The predominance of malware-free activity is related, in part, to adversaries’ prolific abuse of valid credentials to facilitate access and persistence in victim environments. Another factor is the rate at which new vulnerabilities are being disclosed and the speed with which adversaries can operationalize exploits.
- Technology is the top industry targeted for interactive intrusions. The top five industries targeted overall were technology (19%), telecommunications (10%), manufacturing (7%), academic (7%) and healthcare (7%). Technology was targeted 90% more frequently by interactive intrusions than the second-most targeted industry.
- Telecommunications is the top industry for targeted intrusions by nation-state actors. The top five industries targeted by nation-state intrusions were telecommunications (37%), technology (14%), government (9%), academic (5%) and media (4.5%). Telecommunications faced 163% more targeted intrusions than the second-most targeted industry.
- Healthcare in the crosshairs of Ransomware-as-a-Service (RaaS). The volume of attempted interactive intrusions against the healthcare industry has doubled year-over-year.