Attacker Breakout Time Shrinks Again, Underscoring Need for Automation

Published: 23/11/2024 | Category: security

Just 79 minutes — that's how long it takes attackers to move from an initial compromise to extending their infiltration of a firm's network.



Attackers are getting quicker. New research reveals they have shaved a few more minutes off the time they need to transition from gaining initial access to a system to attempting to attack other devices on the same network.
CrowdStrike finds the average intrusion required 79 minutes after initial compromise before launching an attack on other systems on a network. That's down from 84 minutes in 2022. CrowdStrike's 2023 Threat Hunting Report, published on Tuesday, also reveals that the fastest time was seven minutes between initial access and attempts to extend the compromise, based on more than 85,000 incidents processed in 2022.
"An attacker's main goal is to move to other systems and establish a presence in the network, so that even if incident responders quarantine the original system, the attacker can still come back," says Param Singh, vice president of CrowdStrike's OverWatch security service. In addition, attackers want to gain access to other systems via legitimate user credentials, he says.
"If they become the domain controller, that's game over, and they have access to everything," Singh says. "But if they cannot become domain admin, then they will go after key individuals who have better access to [valuable] assets ... and try to escalate their privileges to those users."
The breakout time is one measure of an attacker's agility when compromising corporate networks. Another measure defenders use is the time between the initial compromise and detection of the attacker, known as dwell time, which hit a low of 16 days in 2022, according to incident response firm Mandiant's annual M-Trends report. Together, the two metrics suggest that most attackers quickly take advantage of a compromise and then have carte blanche for more than two weeks before being detected.
Attackers have continued their shift to interactive intrusions, which grew by 40% in the second quarter of 2023 compared to the same quarter a year ago, and which account for more than half of all incidents, according to CrowdStrike.
The majority of interactive intrusions (62%) involved the abuse of legitimate identities and account information. The collection of identity information also took off, with a 160% increase in efforts to collect secret keys and other credential material, while harvesting Kerberos information from Windows systems for later offline cracking, a technique known as Kerberoasting, grew by nearly 600%, the CrowdStrike Threat Hunting report stated.
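Kerberoasting leaves a trace that defenders can hunt for: a single account requesting service tickets for many distinct service principal names in a short burst, typically with the legacy RC4 encryption type that offline crackers target. The following detection logic is an added example, not code from the article or from CrowdStrike; it runs over constructed records modelled on the fields of Windows Security event 4769 (a Kerberos service ticket was requested), and the five-minute window and three-service threshold are assumptions to tune against your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# TicketEncryptionType values as logged in Windows Security event 4769.
RC4_HMAC = "0x17"   # legacy RC4: the ticket type offline crackers want
AES256 = "0x12"

# Constructed sample records (not real telemetry). Each mirrors the 4769 fields a
# SIEM would normalise: timestamp, requesting account, target SPN, encryption type.
SAMPLE_EVENTS = [
    # Assumed Kerberoasting burst: one user pulls RC4 tickets for four SPNs in seconds.
    {"time": "2024-11-23T09:00:01", "event_id": 4769, "account": "jdoe@CORP.LOCAL",
     "service": "MSSQLSvc/db01.corp.local:1433", "enc_type": RC4_HMAC},
    {"time": "2024-11-23T09:00:02", "event_id": 4769, "account": "jdoe@CORP.LOCAL",
     "service": "HTTP/intranet.corp.local", "enc_type": RC4_HMAC},
    {"time": "2024-11-23T09:00:02", "event_id": 4769, "account": "jdoe@CORP.LOCAL",
     "service": "CIFS/files01.corp.local", "enc_type": RC4_HMAC},
    {"time": "2024-11-23T09:00:03", "event_id": 4769, "account": "jdoe@CORP.LOCAL",
     "service": "MSSQLSvc/db02.corp.local:1433", "enc_type": RC4_HMAC},
    # Single RC4 request from a legacy client: worth a baseline note, not a burst.
    {"time": "2024-11-23T09:05:10", "event_id": 4769, "account": "asmith@CORP.LOCAL",
     "service": "MSSQLSvc/db01.corp.local:1433", "enc_type": RC4_HMAC},
    # Normal user touching several services with AES tickets.
    {"time": "2024-11-23T09:10:00", "event_id": 4769, "account": "bking@CORP.LOCAL",
     "service": "HTTP/intranet.corp.local", "enc_type": AES256},
    {"time": "2024-11-23T09:10:01", "event_id": 4769, "account": "bking@CORP.LOCAL",
     "service": "CIFS/files01.corp.local", "enc_type": AES256},
    {"time": "2024-11-23T09:10:02", "event_id": 4769, "account": "bking@CORP.LOCAL",
     "service": "MSSQLSvc/db01.corp.local:1433", "enc_type": AES256},
    # RC4 requests spread over 90 minutes: below the burst threshold.
    {"time": "2024-11-23T08:00:00", "event_id": 4769, "account": "cjones@CORP.LOCAL",
     "service": "HTTP/intranet.corp.local", "enc_type": RC4_HMAC},
    {"time": "2024-11-23T08:30:00", "event_id": 4769, "account": "cjones@CORP.LOCAL",
     "service": "CIFS/files01.corp.local", "enc_type": RC4_HMAC},
    {"time": "2024-11-23T09:30:00", "event_id": 4769, "account": "cjones@CORP.LOCAL",
     "service": "MSSQLSvc/db02.corp.local:1433", "enc_type": RC4_HMAC},
]


def find_kerberoasting_candidates(events, window_seconds=300, min_distinct_services=3):
    """Return {account: [sorted SPNs]} for accounts that requested RC4-encrypted
    service tickets for at least `min_distinct_services` distinct SPNs inside any
    span of `window_seconds`. Both thresholds are assumptions to tune per environment."""
    window = timedelta(seconds=window_seconds)
    by_account = defaultdict(list)
    for e in events:
        if e["event_id"] != 4769 or e["enc_type"] != RC4_HMAC:
            continue
        by_account[e["account"]].append((datetime.fromisoformat(e["time"]), e["service"]))

    findings = {}
    for account, requests in by_account.items():
        requests.sort()  # chronological, so each candidate window starts at index i
        for i, (start, _) in enumerate(requests):
            in_window = {svc for t, svc in requests[i:] if t - start <= window}
            if len(in_window) >= min_distinct_services:
                findings[account] = sorted(in_window)
                break
    return findings


if __name__ == "__main__":
    for account, services in find_kerberoasting_candidates(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {account}: {len(services)} SPNs -> {services}")
```

RC4 tickets on their own are not proof of anything, since legacy applications still request them; the burst of distinct SPNs from one account is the signal, and the long-term fix is to move service accounts to AES-only and to long, random passwords so that a harvested ticket is not worth cracking.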
Attackers are also scanning repositories where companies accidentally publish identity material. In November 2022, one organization accidentally pushed its root account's access key credentials to GitHub, eliciting a quick response from attackers, CrowdStrike said.
"Within seconds, automated scanners and multiple threat actors attempted to use the compromised credentials," the report stated. "The speed with which this abuse was initiated suggests that multiple threat actors — in efforts to target cloud environments — maintain automated tooling to monitor services such as GitHub for leaked cloud credentials."
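Because attackers' scanners pick up a pushed key within seconds, the only control that works is one that runs before the push. The following pre-commit style scanner is an added example, not code from the article or from any project it mentions; it checks staged file contents for cloud access keys and private-key blocks and refuses the commit on a hit. The AWS access key ID shape (prefix AKIA or ASIA plus 16 uppercase alphanumerics) is a documented format; the other two patterns are keyword and header based and are assumptions to tune. The sample files are constructed, and the AWS values in them are the placeholder keys from AWS documentation, not live credentials.

```python
import re

# Patterns for credential material that commonly leaks through source repositories.
SECRET_PATTERNS = {
    # Documented AWS access key ID shape: AKIA (long-lived) or ASIA (temporary) + 16 chars.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # Assumed keyword pattern: the 40-character secret assigned next to its variable name.
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}"),
    # PEM header of a private key checked in by mistake.
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
}

# Constructed sample "staged commit" as {path: contents}. The AWS values are the
# well-known placeholder keys from AWS documentation, not real credentials.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "README.md": "Set AWS_ACCESS_KEY_ID in the environment; never commit key material.\n",
    "deploy/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\n(key body omitted)\n",
}


def scan_text(text, path="<stdin>"):
    """Return one finding per (line, pattern) hit as {'path', 'line', 'kind'}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append({"path": path, "line": lineno, "kind": kind})
    return findings


def scan_files(files):
    """Scan every staged file; `files` maps path -> contents."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(text, path))
    return findings


def commit_allowed(files):
    """Pre-commit policy: block the commit if any credential pattern matches."""
    return not scan_files(files)


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}: possible {f['kind']}")
    print("commit allowed" if commit_allowed(SAMPLE_FILES) else "commit blocked")
```

In a real hook the `files` mapping comes from the staged index (for example the output of `git diff --cached --name-only` and the staged blob contents), and the hook exits non-zero when `commit_allowed` is false. If a key has already been pushed, the scanner is too late: treat it as compromised and rotate it immediately, because, as the report notes, abuse begins within seconds.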
Once on a system, attackers use the machine's own utilities — or download legitimate tools — to escape notice. So-called living off the land techniques avoid the detection that more obvious malware would trigger. Unsurprisingly, adversaries have tripled their use of legitimate remote management and monitoring (RMM) tools, such as AnyDesk, ConnectWise, and TeamViewer, according to CrowdStrike.
As companies have adopted the cloud for much of their operational infrastructure — especially following the start of the coronavirus pandemic — attackers have followed. CrowdStrike observed more cloud-conscious attacks, with cloud exploitation nearly doubling (up 95%) in 2022.
Often the attacks focus on Linux, because the most common workloads in the cloud are Linux containers or virtual machines. The privilege escalation tool LinPEAS was used in three times more intrusions than the next most commonly abused tool, CrowdStrike said.
The trend will only accelerate, CrowdStrike's Singh says.
"We are seeing like threat actors becoming more cloud aware — they understand the cloud environment, and they understand the misconfigurations typically seen in cloud," he says. "But the other thing that we are seeing is ... the threat actor getting into a machine on the on-prem side, and then using the credentials and everything to move to cloud ... and cause a lot of damage."
Separately, CrowdStrike announced that it plans to combine its threat-intelligence and threat-hunting teams into a single entity, the Counter Adversary Operations group, the company said in a press release on August 8.
