CrowdStrike Inc. has released the CrowdStrike Falcon OverWatch™ 2020 Threat Hunting Report: Insights from the CrowdStrike OverWatch Team. The report comprises threat data from CrowdStrike Falcon OverWatch, CrowdStrike’s industry-leading managed threat hunting team, with contributions from the CrowdStrike® Intelligence and Services teams. The annual report reviews intrusion trends during the first half of 2020 and provides insights into the current landscape of adversary tactics, which has been heavily shaped this year by the remote workforce environment of COVID-19. The report also includes recommendations for defending against the prevalent tools, techniques and procedures (TTPs) utilised by threat actors.
“Just like everything this year, the threat landscape has proven unpredictable and precarious as eCrime and state-sponsored actors have opportunistically taken aim at industries unable to escape the chaos of COVID-19, demonstrating clearly how cyber threat activity is intrinsically linked to global economic and geo-political forces,” said Jennifer Ayers, vice president of OverWatch and Security Response. “OverWatch threat hunting data demonstrates how adversaries are keenly attuned to their victim’s environment and ready to pivot to meet changing objectives or emerging opportunities. For this reason, organisations must implement a layered defense system that incorporates basic security hygiene, endpoint detection and response (EDR), expert threat hunting, strong passwords and employee education to properly defend their environments.”
Some of the notable report findings include:
- First half of 2020 hands-on-keyboard intrusion activity surpasses all of 2019: OverWatch observed an explosion in hands-on-keyboard intrusions in the first half of 2020 that has already surpassed the total seen throughout all of 2019. This significant increase is driven primarily by the continued acceleration of eCrime activity but has also been impacted by the effects of the pandemic, which presented an expanded attack surface as organisations rapidly adopted remote workforces and created opportunities for adversaries to exploit public fear through COVID-19 themed social engineering strategies.
- eCrime continues to increase in volume and reach: Sophisticated eCrime activity, which accounted for over 80% of interactive intrusions, continues to outpace state-sponsored activity, an upward trend that OverWatch has witnessed over the past three years. This does not indicate a reduction in nation-state activity, but rather reflects the extraordinary success threat actors have seen with targeted intrusions using ransomware and Ransomware-as-a-Service (RaaS) models, which have contributed to a proliferation of activity from a wider array of eCrime actors.
- Targeting of the manufacturing sector increases dramatically: There was a sharp escalation of activity in the manufacturing sector in the first half of 2020 in terms of both the quantity and sophistication of intrusions from both eCriminals and nation states, making it the second most targeted vertical observed by OverWatch. Healthcare and food and beverage also saw increased targeting, suggesting that adversaries have adjusted their targets to the shifting economic conditions resulting from the pandemic, focusing on industries made vulnerable by complex operating environments that experienced sudden changes in demand.
- China continues its aim at telecommunications companies: The telecommunications industry continues to be a popular target for nation-states, particularly China. OverWatch observed six different China-based actors, whose motivations are likely associated with espionage and data theft objectives, conducting campaigns against telecommunications companies in the first half of the year.
CrowdStrike OverWatch comprises an elite team of cross-disciplinary specialists that provide deep and continuous human analysis on a 24/7 basis to relentlessly hunt for anomalous activity designed to evade other detection techniques. OverWatch harnesses the massive power of the CrowdStrike Threat Graph®, enriched with CrowdStrike threat intelligence, to track, investigate and advise on sophisticated threat activity. The cloud-scale telemetry of over 3 trillion endpoint-related events collected per week, coupled with detailed tradecraft on 140 adversary groups, gives OverWatch the unrivalled ability to quickly identify and stop the most advanced threats.
Looking forward to the remainder of 2020, OverWatch expects to see the continued brazen tactics of cybercriminals as they innovate and mature their processes to evade detection technologies and maximise their impact. To protect their data, organisations must implement a solution that secures a distributed workforce, is device-agnostic and is scalable. OverWatch’s skilled threat hunting with the robust data gathered by the Falcon platform provides users a transformative solution delivered via a single lightweight agent that is easily deployable regardless of an end user’s location, establishing a new standard in endpoint security.