Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

1/14/2020
02:25 PM
50%
50%

Attackers Increasingly Focus on Business Disruption

Network intruders are staying undetected for an average of 95 days, enabling them to target critical systems and more completely disrupt business.

More cyberattackers are targeting large companies with stealthier attacks, aiming to significantly disrupt businesses and force them to pay higher ransoms, according to a report summarizing more than 300 breach investigations.

The "CrowdStrike Services Cyber Front Lines Report" found that 36% of incidents aimed to disrupt business or operations. While companies are getting better at detecting attacks using their own people and systems —79% of attackers were discovered internally, the highest rate in three years — the number of days attackers went undetected increased to 95, up from 85 days in 2018, CrowdStrike found.

The result is that malicious attackers have more time to attack operations and cause more disruption, says Thomas Etheridge, vce president of services at CrowdStrike.

"Not all of these threat actors are deploying ransomware, but they were really focused on disrupting the business' ability to perform business," he says. "That disruption was behind higher ransom amounts and the decision to often pay the ransom."

The report's findings highlight how last year's steady beat of ransomware headlines became a trend. From the coordinated attacks on Texas towns to a focus on local school districts, reports of ransomware attacks exploded in 2019. While successful attacks have decreased in number by some accounts, attackers are focusing on larger targets and threatening to do greater damage. Called "big-game hunting" by many firms, the revised strategy is about minimizing effort and maximizing the profit from criminal activity.

"That type of access that the attacker has, it really gives them the flexibility to understand where the critical data assets are, what approach they are going to take to encrypt those assets, where the backups are stored — and that really puts the customer at a disadvantage," Etheridge says.

While the increase in disruptive attacks is the main theme of CrowdStrike's report, a number of other trends are highlighted as a well. The company found, for example, that a legitimate tool for scanning Active Directory stores, known as Bloodhound, had been co-opted by attackers to speed their movement across networks. 

The company also urged companies to better secure their cloud services, especially infrastructure-as-a-service (IaaS) infrastructure. Attackers are already targeting API keys, which are used to allow programs to access and incorporate features from the cloud.

"Static keys pose a significant risk because they allow enduring access to large amounts of often sensitive data," the report states. "Instead, use ephemeral credentials for automated cloud activity and enforce the usage of these credentials only from authorized IP address space."

Finally, Macs are now on the menu for attackers, CrowdStrike says.

"The increasing popularity of macOS systems in organizations, combined with insufficient macOS endpoint management and monitoring, have made Macs lucrative targets for threat actors," the report states. "Once inside a victim environment, the Services team has observed threat actors leveraging legitimate user credentials and native macOS utilities to move laterally and persist there while evading detection."

In terms of disruptive attacks, the manufacturing sector found itself most often successfully targeted by ransomware and other business-disrupting malware, according to CrowdStrike's report. Healthcare had the second highest number of disruptive incidents, followed by government organizations and information-technology companies.

Attackers often used spear-phishing attacks for the initial compromise, the company found. In just over a third of cases (35%), spear-phishing e-mails or messages gave attackers initial access to the victim's systems. Attackers also sought out legitimate credentials to allow them to move around networks. Collecting credential dumps and attempting to discover accounts were the No. 1 and No. 3 attack techniques.

Companies that deploy a handful of defenses could fend off many of the attacks detected by CrowdStrike. Multifactor authentication on all public-facing portals, for example, will prevent attackers from gaining easy access through stolen credentials. Network segmentation helps prevent attackers from easily moving around a network following a compromise. 

"These methods can help organizations improve their security posture," Etheridge says. "Organziations are better able to self-detect the attackers in their environment, so we expect attackers to continue to use more stealthy techniques to increase their dwell time."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "6 Unique InfoSec Metrics CISOs Should Track in 2020."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8423
PUBLISHED: 2020-04-02
A buffer overflow in the httpd daemon on TP-Link TL-WR841N V10 (firmware version 3.16.9) devices allows an authenticated remote attacker to execute arbitrary code via a GET request to the page for the configuration of the Wi-Fi network.
CVE-2019-14868
PUBLISHED: 2020-04-02
In ksh version 20120801, a flaw was found in the way it evaluates certain environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Services and applications that allow remote unauthenticated attackers to provide one of those env...
CVE-2019-20635
PUBLISHED: 2020-04-02
codeBeamer before 9.5.0-RC3 does not properly restrict the ability to execute custom Java code and access the Java class loader via computed fields.
CVE-2020-11452
PUBLISHED: 2020-04-02
Microstrategy Web 10.4 includes functionality to allow users to import files or data from external resources such as URLs or databases. By providing an external URL under attacker control, it's possible to send requests to external resources (aka SSRF) or leak files from the local system using the f...
CVE-2020-11453
PUBLISHED: 2020-04-02
Microstrategy Web 10.4 is vulnerable to Server-Side Request Forgery in the Test Web Service functionality exposed through the path /MicroStrategyWS/. The functionality requires no authentication and, while it is not possible to pass parameters in the SSRF request, it is still possible to exploit it ...