CrowdStrike, the US security firm, has this week issued the "2019 CrowdStrike Global Threat Report."
In the report, CrowdStrike ranked threat groups (both governmental and private) based on their "breakout time." They define this term as "the window of time from when an adversary first compromises an endpoint machine, to when they begin moving laterally across your network."
The dataset used for producing the breakout time analysis was based on intrusions that occurred during 2018 among the organizations CrowdStrike works with. Although large and representing every major industry across 176 countries, this large dataset is not universal. CrowdStrike admits "it is possible that researchers looking at other datasets may arrive at different measurements for breakout time."
The report compares the found breakout speeds of Russia, China, North Korea, Iran and the combined category of global eCrime actors.
Russian threat actors were found to be the most prolific last year, and had an average breakout time of 18 minutes and 49 seconds. This was eight times as fast as their speediest competitor -- North Korea-based adversaries. The North Koreans are almost twice as fast as intrusion groups thought to be from China.
The report notes that while Chinese-affiliated groups had an average breakout time of four hours, there were groups within China that were considerably faster. The average breakout metric may not account for some faster acting individuals.
The overall average breakout time that CrowdStrike observed in 2018 across all intrusions and threat actors was 4 hours 37 mins, which is a substantial increase from 1 hour and 58 minutes that was tracked in 2017.
The report says that the increase was due to, "a variety of factors may have contributed to this increase, including a rise in intrusions from slower-moving adversaries, as well as more organizations deploying next-generation endpoint security technologies that are more effective at detecting and stopping intrusions than legacy antivirus."
Additionally, the report found malware was a dominant method used by various types of attackers for initial infiltration. The media, technology and academic sectors were more heavily targeted by malware-free ("fileless" or memory resident) threats.
The report came to other conclusions including:
- Nation-state adversaries were continuously active throughout 2018. Their activities were primarily aimed at targeting dissidents, regional adversaries, and foreign powers to collect intelligence for decision-makers.
- Many countries used public channels to pay lip-service that they were curbing cyber-activities, but behind the scenes, they seemed to double down on their cyber espionage operations. The actors would combine their efforts with further forays into destructive attacks and financially motivated fraud.
- Sixty percent of all cyber attacks involved a form of file-based malware, as opposed to "fileless" techniques.
- China and North Korea were found to originate almost half of all the nation-state attacks in 2018.
- Hacking supply chain companies instead of attacking targets directly has become a trend in wide use.
- Cybercrime groups are now increasingly renting the services or tools provided by other groups, instead of creating their own.
Criminal gangs adopted the tactic of "big game hunting" in ransomware attacks. This is when eCrime actors combine targeted enterprise intrusions with ransomware to extract large payoffs from organizations.
- CrowdStrike also observed increased collaborations between "highly sophisticated" criminal actors.
The report has many details about all these topics, and is too broad to fully summarize here. But the overall sweep of the details in it can only give rise to concerns about the extent and depth of how threat actors function.
— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.