Diving into CrowdStrike’s 2024 Threat Hunting Report
Looking into global cybersecurity themes is a must when maintaining a secure environment. As asserted by CrowdStrike’s CEO and Co-Founder, George Kurtz, in their 2024 Global Threat Report, “The ‘good enough’ approach to cybersecurity is simply no longer good enough for modern threats.” Delving into CrowdStrike’s 2024 Threat Hunting Report, some themes are clear and very concerning: identity-based attacks, insider threats, and cloud-based intrusions are all on the rise.
It is often easy to feel detached from these threats, to say “I run a small business, there’s no way this applies to me,” or “I am just an individual, attackers aren’t interested in me.” No one, business or individual, is exempt from cybersecurity threats. Taking the “good enough” approach to cybersecurity can be detrimental to a business in a way that many cannot afford, especially if your business handles any personal, financial, health, or government information.
Attackers will use identity-based attacks to gain access to systems using legitimate credentials. By launching phishing campaigns and other social engineering attacks, the attacker can trick a legitimate user into giving up information, like usernames and passwords used to get into a system. Attackers can also use these social engineering and advanced phishing attacks to bypass multi-factor authentication. Once in, the attacker can not only access what the legitimate user can, but can potentially take actions like elevating privileges, moving between managed and unmanaged hosts, and gathering additional credentials to gain further access to the system (CrowdStrike).
Generally, the success of phishing and social engineering attacks hinges on the participation of the target. If an attacker sends an email with a malicious link to an employee at a company, the employee usually needs to click on the link to install the malware or to go to the illegitimate website where they will be prompted to enter the information the attacker intends to steal. Social engineering and phishing can go deeper than just clicking on a link or unintentionally running a .exe file, though.
Social engineering can entail an attacker walking into a company’s office dressed as a legitimate employee and roaming around until they find a desk where the computer username and password are on a sticky note right under the monitor. It can be an attacker contacting an employee while imitating the target’s boss, saying they are having an emergency and need the employee’s credentials ASAP. Or it can be an attacker calling an employee on the phone claiming to be from the IT department, saying they need the employee’s credentials to fix an issue right away, or else the employee will lose access to their work device.
In addition to identity-based attacks being prevalent, insider threats have emerged as a common theme. On a global level, CrowdStrike OverWatch identified individuals associated with the Democratic People’s Republic of Korea applying to or actively working at over 100 unique companies across the world. They exploited the hiring and onboarding processes to gain physical access to legitimate systems, then used their legitimate credentials to remotely access those systems and log into corporate VPNs while masquerading as developers (CrowdStrike). This is just one example highlighting how important policy is in remote recruiting and work environments.
Insider threats do not always come in the form of remote employees looking to harm your business. Often, the greatest security threats are well-meaning employees who open a malicious email and click the link inside or who leave their username and password on a sticky note under their monitor in the office. Verizon’s 2024 Data Breach Investigations Report shows that “68% of breaches involved a non-malicious human element, like a person falling victim to a social engineering attack or making an error.” Threats like these emphasize how important security culture is in an organization—educating employees on security policies and standards can help prevent these mistakes.
Lastly, cloud-based intrusions rose by 75% in 2023, as shown in the CrowdStrike 2024 Global Threat Report. Attackers use spear phishing to gain access to a system, then use policy modification and sometimes access to password managers to infiltrate and exploit cloud environments. Gaining access to these environments gives attackers broad access which can then be used to compromise the entire cloud infrastructure. Having broad access allows attackers to bypass compromising heavily defended endpoints—they can use their access to find overprivileged users and roles, which they can then use to continue further compromising the environment. Or they can use their access to move laterally into endpoints, where they can deploy RMM tools instead of malware to spy on users. Using RMM tools in place of malware makes these attacks difficult to detect and disrupt, since they are legitimate business tools that can blend into the business’s environment (CrowdStrike).
Well-configured cloud environments with strong policies that follow best practices can help deter threat actors from gaining direct access to those environments, and a strong security culture helps prevent every kind of attack described above. Ensuring that technology, work-from-home, and hiring policies are all followed and adhere to industry standards is a wonderful place to start in creating that culture. Educating employees on these policies and on general security best practices is another key piece of creating a secure organization. With a strong security culture and well-trained employees, the risk of a spear phishing or social engineering attack succeeding is reduced, which in turn reduces the risk of an attacker obtaining credentials to use in the first place.
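The report’s point about overprivileged users and roles, and about attackers modifying policy once inside a cloud environment, is something a defender can check for directly. The following is an added example, not code from CrowdStrike or from the report: a small audit that reads IAM-style JSON policy documents (the two sample policies and the account number are constructed) and flags statements that grant wildcard actions, wildcard resources, or the ability to change access control itself.

```python
import json

# Constructed sample policies (not taken from the report): one overprivileged, one scoped.
POLICIES = {
    "ci-deploy-role": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    }),
    "log-reader-role": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["logs:GetLogEvents", "logs:FilterLogEvents"],
                       "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/app/*"}],
    }),
}

# Action prefixes that let a principal change who has access; this is the
# "policy modification" step an intruder uses to widen a foothold.
ACCESS_CONTROL_PREFIXES = ("iam:", "sts:AssumeRole", "organizations:")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_overprivilege(policy_json: str) -> list:
    """Return a list of human-readable findings for one policy document."""
    findings = []
    doc = json.loads(policy_json)
    for idx, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot grant privilege
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"stmt{idx}: wildcard action {actions}")
        if "*" in resources:
            findings.append(f"stmt{idx}: wildcard resource")
        if any(a == "*" or a.startswith(ACCESS_CONTROL_PREFIXES) for a in actions):
            findings.append(f"stmt{idx}: can change access control {actions}")
    return findings


def audit(policies: dict) -> dict:
    """Map each role name to its findings; an empty list means least-privilege-clean."""
    return {name: find_overprivilege(doc) for name, doc in policies.items()}


if __name__ == "__main__":
    for name, findings in audit(POLICIES).items():
        print(name, "OK" if not findings else findings)
```

Running it against real policies exported from your cloud account turns the report’s warning into a concrete list of roles to scope down.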
For help creating your business’s security culture, contact SKBInfo@skbcyber.com for your free consultation!