Looking back at the last year, what have been the largest systemic cybersecurity risks for enterprises? How does this compare to 2023?
Last year, CrowdStrike’s Global Threat Report highlighted that 80% of cyberattacks leveraged identity-based techniques to compromise legitimate credentials and try to evade detection. This year we know that adversaries are doubling down on stolen credentials, with a 112% year-over-year increase in advertisements for access-broker services identified in the criminal underground. Organisations armed with this knowledge last year were able to harden their defences and stay a step ahead of the adversary.
This increase in malware-free attacks, social engineering and similar attempts to obtain access/credentials has made it clear that organisations need to prioritise identity protection.
Since at least March 2022, SCATTERED SPIDER, for example, has conducted targeted social engineering campaigns primarily against firms specialising in customer relationship management and business process outsourcing. The adversary uses phishing pages to capture authentication credentials and socially engineers users to share one-time password multi-factor authentication (MFA) codes or overwhelms them using MFA notification fatigue. In some cases, the adversary has also captured individual user account data for resale, or targeted data relating to cryptocurrency companies.
While the National Cyber Security Centre encourages organisations to enforce MFA to protect services that are vital to day-to-day business, it also acknowledges multi-factor isn’t a perfect solution. We need to find solutions that not only help organisations extend MFA into legacy and unmanaged systems — both of which are prone to attacks — but also provide immediate detection and real-time prevention of suspicious behaviour.
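As an added illustration of the "immediate detection" point in the answer above (example code written for this page, not the interviewee's or CrowdStrike's), the following detector flags the MFA push-fatigue pattern described in the SCATTERED SPIDER paragraph: a burst of push challenges to one user in a short window, with a higher severity when an approval follows the burst. The log format, field names, thresholds and window are assumptions; the log lines are constructed for the example and not real telemetry.

```python
"""Detect an MFA push-fatigue pattern in authentication log lines.

Added example, not code from the interview. The JSON line format, the
field names (ts, user, event, src_ip) and the thresholds below are
assumptions; a real IdP export will differ and the values need tuning."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

PUSH_THRESHOLD = 4                      # this many pushes to one user...
WINDOW = timedelta(minutes=10)          # ...inside this window is a burst
APPROVAL_GRACE = timedelta(minutes=15)  # approval this soon after the burst = likely success

# Constructed sample log (one JSON record per line); IPs are documentation ranges.
SAMPLE_LOG = """\
{"ts": "2023-03-01T02:10:05Z", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2023-03-01T02:10:31Z", "user": "alice", "event": "mfa_push_denied", "src_ip": "203.0.113.7"}
{"ts": "2023-03-01T02:11:02Z", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2023-03-01T02:11:40Z", "user": "alice", "event": "mfa_push_timeout", "src_ip": "203.0.113.7"}
{"ts": "2023-03-01T02:12:15Z", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2023-03-01T02:13:50Z", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2023-03-01T02:14:12Z", "user": "alice", "event": "mfa_push_approved", "src_ip": "203.0.113.7"}
{"ts": "2023-03-01T09:00:00Z", "user": "bob", "event": "mfa_push_sent", "src_ip": "198.51.100.2"}
{"ts": "2023-03-01T09:00:20Z", "user": "bob", "event": "mfa_push_approved", "src_ip": "198.51.100.2"}
{"ts": "2023-03-01T13:00:00Z", "user": "carol", "event": "mfa_push_sent", "src_ip": "198.51.100.9"}
{"ts": "2023-03-01T13:20:00Z", "user": "carol", "event": "mfa_push_sent", "src_ip": "198.51.100.9"}
{"ts": "2023-03-01T13:40:00Z", "user": "carol", "event": "mfa_push_sent", "src_ip": "198.51.100.9"}
{"ts": "2023-03-01T14:00:00Z", "user": "carol", "event": "mfa_push_sent", "src_ip": "198.51.100.9"}
{"ts": "2023-03-01T14:00:30Z", "user": "carol", "event": "mfa_push_approved", "src_ip": "198.51.100.9"}
"""


def parse_log(text):
    """Parse JSON-per-line records into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_push_fatigue(events, threshold=PUSH_THRESHOLD, window=WINDOW, grace=APPROVAL_GRACE):
    """Return one alert per user whose push challenges form a burst.

    A burst is `threshold` or more mfa_push_sent events within `window`
    (sliding window over that user's pushes). Severity is 'high' when an
    approval lands within `grace` of the burst's end (the fatigue worked),
    otherwise 'medium' (the user held out, but someone has their password)."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        pushes = [e for e in evs if e["event"] == "mfa_push_sent"]
        approvals = [e["ts"] for e in evs if e["event"] == "mfa_push_approved"]

        burst = None
        lo = 0
        for hi in range(len(pushes)):
            # shrink the window from the left until it spans at most `window`
            while pushes[hi]["ts"] - pushes[lo]["ts"] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                burst = (pushes[lo]["ts"], pushes[hi]["ts"], hi - lo + 1)
                break
        if burst is None:
            continue  # slow, spaced-out pushes (carol) are not a burst

        start, end, count = burst
        approved = any(end <= a <= end + grace for a in approvals)
        alerts.append({
            "user": user,
            "pushes_in_window": count,
            "burst_start": start.isoformat(),
            "burst_end": end.isoformat(),
            "src_ips": sorted({e["src_ip"] for e in pushes}),
            "approved_after_burst": approved,
            "severity": "high" if approved else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert))
```

On the constructed sample, only alice is flagged (four pushes in under four minutes, then an approval), bob's single push-and-approve is normal, and carol's four pushes spread across an hour never fit the window. In production the source IP of the burst is the first thing to pivot on, since push fatigue means the attacker already holds the password and will return from the same infrastructure.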
33 new adversaries have entered the threat landscape, the highest CrowdStrike has observed in one year. What can we learn from their actions to prepare for attacks in the future?
CrowdStrike began tracking 33 new adversaries over the last year which brought the total to over 200.
The challenge is that all threat actors are unique. Some are nation-states, some are underground criminal groups, some strategies are similar and some are not. In addition, we are dealing with an ever-growing threat landscape where each adversary is laser-focused on one goal - exploiting the company and the individuals within it. This can leave businesses especially vulnerable because managing security is usually one of many priorities to ensure its survival. Organisations can spend years and millions of dollars fighting ghosts and noisy alerts, never knowing the “who, why and how” behind the attacks.
For enterprises to stop breaches, using specialised security teams is the crucial link in the chain. They will encourage an environment that routinely performs tabletop exercises and red/blue teaming to identify gaps and eliminate weaknesses in cybersecurity practices and response. And security teams shouldn’t be the only ones practising — initiating user-awareness programs to combat the continued threat of phishing and related social engineering techniques is critical.
How can cybersecurity companies keep innovating to stay ahead of threat actors?
Not knowing or understanding your adversary when you enter a battle is equal to being unprepared.
It goes without saying that cybersecurity companies must keep innovating in all departments including adversary tracking, malware analysis, investigating geopolitical trends and shifts and real-time campaign trend analysis to understand who and what the adversary is likely going to target next and protect it.
I believe innovation is very much dependent on the people in your organisation. We make it our mission to employ talent from a wide range of disciplines - academia, law enforcement, IT to name a few - because we know neural diversity is critical to solving complex problems. You need a team that can look at an issue from all perspectives and have completely different thinking pathways. This way, we can better understand the adversary, predict their next moves and ultimately build this intelligence into both our strategy and technology.
What are your projections for the cybersecurity landscape this year? What should enterprises be especially aware of?
We’re in an era where the adversary is still extremely profitable and we will likely see more victims this year. Enforcing robust security is incredibly difficult to get right and threat actors just need one opportunity to attack. Our job is to ensure they never gain access to this window.
We expect more adversaries to aggressively target cloud infrastructure. The number of observed cloud exploitation cases grew by 95% year-over-year in 2022, and adversaries are using a broad array of TTPs (e.g., misconfigurations, credential theft, etc.) to compromise critical business data and applications in the cloud. Stopping cloud breaches requires agentless capabilities to protect against misconfiguration, control plane and identity-based attacks, combined with runtime security that protects cloud workloads.
Adversaries were heavily persistent in pursuit of their goals in 2022 and 2023 is no different. Cybersecurity companies and enterprises will need to have the same relentless determination in order to stay one step ahead.