10/09/2018 | Press release | Archived content
Mid-year OverWatch report provides insights into growing intrusion trends; highlights top threats and targeted industries based on reviewing more than 25,000 attempted intrusions
Sunnyvale, CA - October 9, 2018 - CrowdStrike® Inc., the leader in cloud-delivered endpoint protection, today announced the release of its Observations From the Front Lines of Threat Hunting report. The report analyzed threat data from CrowdStrike Falcon® OverWatch™, the company's industry-leading managed threat hunting team that detects intrusions by sophisticated and stealthy adversaries, to reveal insights into attacker tactics, techniques and procedures (TTPs). The report also leveraged CrowdStrike's industry-leading threat telemetry, which processes 1 trillion security events a week across 176 countries, to provide additional context into the 25,000 attempted intrusions that CrowdStrike OverWatch stops in a year. Overall, 48% of intrusion cases identified involved targeted intrusions from adversaries with a nation-state nexus, while 19% were conducted by eCrime actors.
According to the report, the technology, professional services, and hospitality sectors were targeted most often by cyber adversaries. The actors used a variety of novel tactics, demonstrating particular creativity and perseverance in defense-evasion and credential-access TTPs, such as the use of the Sysinternals tool Active Directory Explorer for one-time credential dumping. Notable percentages of intrusion cases by vertical include:
"Today's adversaries are persistent in their mission to target and infiltrate all types of industries. Organizations can no longer rely on reactive approaches to stay protected. Instead, they need to start with an assumption that someone might have already breached the perimeter and proactively hunt for them 24/7/365 on systems. This is why CrowdStrike pioneered threat hunting as a service, enabling us to find the needle in the haystack in our customer networks and identify intrusions that would otherwise go unnoticed," said Dmitri Alperovitch, CrowdStrike's chief technology officer and co-founder.
Notable findings include:
"This report provides an additional layer of insight and analysis into the latest attacker trends and techniques," said Jennifer Ayers, CrowdStrike vice president of OverWatch and Security Response. "It is a valuable resource to help organizations more strategically understand the threat landscape, learn new hunting methodologies and increase investigation efficiency against persistent cyber adversaries."
One of the key metrics that CrowdStrike OverWatch tracks for all intrusions it identifies is "breakout time" - the time it takes an intruder to begin moving laterally from the initial beachhead to other systems in the network. The current average breakout time is 1 hour and 58 minutes, which means that if defenders are able to detect, investigate and remediate the intrusion within 2 hours, they can stop the adversary before serious damage is done. Because this figure is an average, many intrusions break out considerably faster, so the realistic response window is well under two hours. We recommend that all organizations adopt the 1-10-60 rule: detect an intrusion within 1 minute, investigate and understand it within 10 minutes, and contain and remediate it within 60 minutes.
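The breakout-time measurement and the 1-10-60 comparison are simple enough to script against endpoint telemetry. The following Python is an added illustration, not code from the report or from CrowdStrike: it takes a constructed event timeline for one intrusion (hypothetical hostnames and events), computes breakout time as the gap between the first event on the beachhead host and the first event on any other host, and scores a responder's detect/investigate/remediate timestamps against the 1-10-60 targets. It assumes each target is measured from the first malicious event; the report does not specify the reference point.

```python
from datetime import datetime, timedelta

# Constructed sample endpoint timeline for one intrusion (illustrative, not data from the report).
# Each entry: (UTC timestamp, hostname, event description). Hostnames are hypothetical.
EVENTS = [
    ("2018-10-09T09:00:00", "WS-0142", "initial_access: macro-laden attachment spawned powershell.exe"),
    ("2018-10-09T09:04:30", "WS-0142", "discovery: whoami /all, net group \"domain admins\" /domain"),
    ("2018-10-09T09:31:00", "WS-0142", "credential_access: Active Directory Explorer snapshot written"),
    ("2018-10-09T10:41:00", "SRV-FILE01", "lateral_movement: remote service created from WS-0142"),
    ("2018-10-09T10:55:00", "SRV-FILE01", "collection: share contents archived"),
]

# The 1-10-60 targets. Assumption: each is measured from the first malicious event.
TARGETS = {
    "detect": timedelta(minutes=1),
    "investigate": timedelta(minutes=10),
    "remediate": timedelta(minutes=60),
}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def breakout_time(events):
    """Time from the first event on the beachhead host to the first event on any other host.

    Returns None when the intrusion never left the beachhead.
    """
    ordered = sorted(events, key=lambda e: _ts(e[0]))
    start, beachhead = _ts(ordered[0][0]), ordered[0][1]
    for ts, host, _ in ordered:
        if host != beachhead:
            return _ts(ts) - start
    return None


def evaluate_response(events, detected, investigated, remediated):
    """Score a responder timeline against 1-10-60 and against the observed breakout time.

    detected / investigated / remediated are ISO timestamps for when each phase finished.
    """
    start = _ts(sorted(events, key=lambda e: _ts(e[0]))[0][0])
    elapsed = {
        "detect": _ts(detected) - start,
        "investigate": _ts(investigated) - start,
        "remediate": _ts(remediated) - start,
    }
    breakout = breakout_time(events)
    return {
        "elapsed": elapsed,
        "met_target": {phase: elapsed[phase] <= TARGETS[phase] for phase in TARGETS},
        "breakout": breakout,
        # The operational question behind the metric: was the intruder evicted before moving laterally?
        "contained_before_breakout": breakout is None or elapsed["remediate"] < breakout,
    }


if __name__ == "__main__":
    # Responders detect in 45 s and triage in 9 min, but eviction takes 110 min: the adversary
    # broke out to SRV-FILE01 at 101 min, before containment.
    result = evaluate_response(
        EVENTS, "2018-10-09T09:00:45", "2018-10-09T09:09:00", "2018-10-09T10:50:00"
    )
    for phase, met in result["met_target"].items():
        print(f"{phase:11s} elapsed {result['elapsed'][phase]}  target met: {met}")
    print("breakout time:", result["breakout"],
          "| contained before breakout:", result["contained_before_breakout"])
```

In the sample run the detect and investigate targets are met but remediation misses the 60-minute target and lands after the 1h41m breakout, which is the failure mode the metric is meant to surface: fast detection alone does not stop lateral movement if containment lags.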
The deep technical expertise of the OverWatch team and the technology capabilities of the CrowdStrike Falcon® platform ensure that customers are protected 24/7/365. CrowdStrike technology delivers and unifies next-generation antivirus, endpoint detection and response (EDR), managed threat hunting, IT hygiene, vulnerability management and threat intelligence - all delivered via a single lightweight agent.
For additional information, read the blog post on the Observations From the Front Lines of Threat Hunting report.
You can also download the full report.
About CrowdStrike®
CrowdStrike is the leader in cloud-delivered endpoint protection. Leveraging artificial intelligence (AI), the CrowdStrike Falcon® platform offers instant visibility and protection across the enterprise and prevents attacks on endpoints on or off the network. CrowdStrike Falcon® deploys in minutes to deliver actionable intelligence and real-time protection from Day One. It seamlessly unifies next-generation AV with best-in-class endpoint detection and response, backed by 24/7 managed hunting. Its cloud infrastructure and single-agent architecture take away complexity and add scalability, manageability, and speed.
CrowdStrike Falcon® protects customers against all cyber attack types, using sophisticated signatureless AI and Indicator-of-Attack (IOA) based threat prevention to stop known and unknown threats in real time. Powered by the CrowdStrike Threat Graph™, Falcon instantly correlates over 1 trillion security events per week from across the globe to immediately prevent and detect threats.
There's much more to the story of how Falcon has redefined endpoint protection but there's only one thing to remember about CrowdStrike: We stop breaches.
You can gain full access to Falcon Prevent™ by starting your free trial.
Learn more: https://www.crowdstrike.com/
© 2018 CrowdStrike, Inc. All rights reserved. CrowdStrike®, CrowdStrike Falcon®, CrowdStrike Threat Graph™, CrowdStrike Falcon® Prevent™, Falcon Prevent™, CrowdStrike Falcon® Insight™, Falcon Insight™, CrowdStrike Falcon® Discover™, Falcon Discover™, CrowdStrike Falcon® Intelligence™, Falcon Intelligence™, CrowdStrike Falcon® DNS™, Falcon DNS™, CrowdStrike Falcon® OverWatch™, Falcon OverWatch™, CrowdStrike Falcon® Spotlight™ and Falcon Spotlight™ are among the trademarks of CrowdStrike, Inc. Other brands may be third-party trademarks.
Contacts
CrowdStrike, Inc.
Ilina Cashiola, 202-340-0517
[email protected]