The average time it takes threat actors to move from initial access to lateral movement has fallen by 67% over the past year, putting extra pressure on security operations (SecOps) teams, according to CrowdStrike.
The findings come from the security firm’s own investigations with customers across around 248,000 unique global endpoints.
For incidents where this “breakout time” could be derived over the past year, it averaged just 1 hour 32 minutes. However, in over a third (36%) of intrusions, adversaries managed to move laterally to additional hosts in under 30 minutes.
That reportedly makes the job of incident responders more challenging. With lateral movement comes the discovery of data to exfiltrate and new systems to deploy ransomware on.
Zeki Turedi, EMEA CTO, CrowdStrike, told Infosecurity that once lateral movement occurs, incidents become harder and more costly to resolve.
“In simple terms, it is easier to deal with a threat actor when they are on one machine than multiple,” he added.
“For a threat actor to start moving laterally they must have already done some basic reconnaissance of the network, but more importantly have credentials to allow them to start moving across the network. At this point they potentially have the keys to the kingdom (network) and can start moving and causing disruption quickly.”
Threat actors are also becoming more stealthy. In 68% of detections indexed by CrowdStrike, no malware was used at all. This means “living off the land” techniques and legitimate tooling was employed to stay under the radar of traditional security tools.
In total, the vendor detected a 60% increase in attempted intrusions across all verticals and geographic regions between July 2020 and June 2021 versus a year previous.
Not all of this activity is about data collection and ransomware deployment. CrowdStrike recorded a 100% year-on-year increase in crypto-jacking in interactive intrusions.
When it came to targeted intrusions, China-based threat actors were the most prolific by far, accounting for 67% of incidents. Next came unattributed state-backed attackers (20%), then Iran (7%) and North Korean (5%) actors.