CrowdStrike recorded a surge in “hands-on-keyboard” threats in 2023, with the average time it took attackers to move laterally from initial access dropping to just 62 minutes, according to the vendor's CrowdStrike 2024 Global Threat Report.
This so-called “breakout time” is a critical factor in how successful an attack is, as it sets how long defenders have to detect and contain a threat before the attacker can conduct reconnaissance, establish persistence and locate their targets.
The figure is down from 84 minutes in 2022, and the fastest breakout time recorded last year was just two minutes and seven seconds.
The technology (23%), telecoms (15%) and finance (13%) sectors recorded the largest share of intrusions last year. Overall, CrowdStrike noted a 60% annual increase in the number of these more advanced “interactive intrusion” (hands-on-keyboard) campaigns over the year.
“Once an initial compromise occurs, it only takes seconds for adversaries to drop tools and/or malware on a victim’s environment during an interactive intrusion,” the report explained.
“However, the saying ‘time is money’ holds true for adversaries. More than 88% of the attack time was dedicated to breaking in and gaining initial access. By reducing or eliminating this time, adversaries free up resources to conduct more attacks.”
That’s why threat actors are looking to accelerate initial access through phishing, social engineering, the use of access brokers, and the exploitation of vulnerabilities and trusted relationships, the report noted.
Malware-Free Attacks Dominate
In fact, 75% of detections involved no malware at all, up from 40% in 2019, CrowdStrike said.
Malware-free techniques are particularly prevalent in cloud intrusions, which surged 75% year-on-year (YoY). Because the attacker logs in with valid credentials rather than dropping a payload, network defenders can find it hard to tell an unauthorized user from a legitimate one.
Among the top identity-based and social engineering threats observed in 2023 were:
- Stolen credentials, obtained by purchasing them on the dark web or directly via info-stealer malware, edge-device exploitation and similar means
- API keys and secrets
- Session cookies and tokens
- One-time passwords obtained via SIM swapping, SS7 attacks, social engineering and email compromise
- Stolen or forged Kerberos tickets, which give access to encrypted credentials that can be cracked offline (the technique known as Kerberoasting). These attacks increased 583% annually
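Of the techniques listed above, the Kerberos one is the easiest to spot in standard Windows telemetry: every service-ticket request is logged as Security event ID 4769, and a Kerberoasting run appears as a single account requesting tickets for many different services in a short burst, usually with the weak RC4 encryption type (0x17) because those ticket hashes crack fastest offline. The following Python is an added illustration and not code from CrowdStrike or the report; the event records are constructed samples carrying only the relevant 4769 fields, and the thresholds (a five-minute window, four distinct SPNs) are assumptions to be tuned per environment.

```python
"""Flag likely Kerberoasting from Windows Security event 4769 records.

Heuristic: one account requests service tickets (TGS) for many distinct
SPNs inside a short window, using RC4 ticket encryption (etype 0x17).
Constructed sample data; thresholds are assumptions, not report values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos ticket encryption types as logged in the 4769 TicketEncryptionType field.
RC4_HMAC = "0x17"          # attackers' preferred target: crackable NTLM-derived key
AES128 = "0x11"
AES256 = "0x12"

# Constructed sample events (not real logs), shaped like the fields of
# event ID 4769 "A Kerberos service ticket was requested".
SAMPLE_EVENTS = [
    # Normal activity: a user touching two services with AES tickets
    {"time": "2023-09-14T10:02:11", "account": "jsmith@CORP.LOCAL", "client": "10.0.5.21",
     "service": "MSSQLSvc/sql01.corp.local:1433", "etype": AES256},
    {"time": "2023-09-14T10:02:40", "account": "jsmith@CORP.LOCAL", "client": "10.0.5.21",
     "service": "cifs/fs01.corp.local", "etype": AES256},
    # Burst of RC4 requests for five different SPNs in four seconds: the Kerberoasting shape
    {"time": "2023-09-14T10:15:01", "account": "contractor7@CORP.LOCAL", "client": "10.0.9.77",
     "service": "MSSQLSvc/sql01.corp.local:1433", "etype": RC4_HMAC},
    {"time": "2023-09-14T10:15:02", "account": "contractor7@CORP.LOCAL", "client": "10.0.9.77",
     "service": "MSSQLSvc/sql02.corp.local:1433", "etype": RC4_HMAC},
    {"time": "2023-09-14T10:15:02", "account": "contractor7@CORP.LOCAL", "client": "10.0.9.77",
     "service": "http/intranet.corp.local", "etype": RC4_HMAC},
    {"time": "2023-09-14T10:15:03", "account": "contractor7@CORP.LOCAL", "client": "10.0.9.77",
     "service": "exchangeMDB/mail01.corp.local", "etype": RC4_HMAC},
    {"time": "2023-09-14T10:15:04", "account": "contractor7@CORP.LOCAL", "client": "10.0.9.77",
     "service": "cifs/fs01.corp.local", "etype": RC4_HMAC},
    # A legacy app that still uses RC4 against one service: not a roast
    {"time": "2023-09-14T10:20:00", "account": "legacyapp@CORP.LOCAL", "client": "10.0.3.5",
     "service": "MSSQLSvc/sql01.corp.local:1433", "etype": RC4_HMAC},
    # An admin touching four services over an hour: below the burst threshold
    {"time": "2023-09-14T09:00:00", "account": "opsadmin@CORP.LOCAL", "client": "10.0.1.10",
     "service": "cifs/fs01.corp.local", "etype": RC4_HMAC},
    {"time": "2023-09-14T09:20:00", "account": "opsadmin@CORP.LOCAL", "client": "10.0.1.10",
     "service": "cifs/fs02.corp.local", "etype": RC4_HMAC},
    {"time": "2023-09-14T09:40:00", "account": "opsadmin@CORP.LOCAL", "client": "10.0.1.10",
     "service": "http/intranet.corp.local", "etype": RC4_HMAC},
    {"time": "2023-09-14T10:00:00", "account": "opsadmin@CORP.LOCAL", "client": "10.0.1.10",
     "service": "MSSQLSvc/sql02.corp.local:1433", "etype": RC4_HMAC},
]


def detect_kerberoasting(events, window_minutes=5, min_spns=4, rc4_only=True):
    """Return {account: {"spns": [...], "clients": [...]}} for every account that
    requested tickets for at least `min_spns` distinct SPNs within any
    `window_minutes` span. With rc4_only=True only RC4 (0x17) requests count."""
    window = timedelta(minutes=window_minutes)
    by_account = defaultdict(list)
    for ev in events:
        if rc4_only and ev["etype"].lower() != RC4_HMAC:
            continue
        by_account[ev["account"]].append(
            (datetime.fromisoformat(ev["time"]), ev["service"], ev["client"]))

    hits = {}
    for account, reqs in by_account.items():
        reqs.sort()                      # time order so the window can slide forward
        best_spns, best_clients = set(), set()
        start = 0
        for end, (t_end, _, _) in enumerate(reqs):
            while t_end - reqs[start][0] > window:   # drop requests older than the window
                start += 1
            in_window = reqs[start:end + 1]
            spns = {svc for _, svc, _ in in_window}
            if len(spns) > len(best_spns):           # keep the densest window seen
                best_spns = spns
                best_clients = {client for _, _, client in in_window}
        if len(best_spns) >= min_spns:
            hits[account] = {"spns": sorted(best_spns), "clients": sorted(best_clients)}
    return hits


if __name__ == "__main__":
    for account, info in detect_kerberoasting(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {account} from {info['clients']}: {info['spns']}")
```

The RC4 filter catches the default behaviour of common roasting tools, but an attacker can request AES tickets for accounts that support them, so a second, noisier pass with rc4_only=False is worth running. Monitoring and inventory agents legitimately request tickets for many services and will need an allowlist; the detection is only as good as the baseline of what "many SPNs from one account" means in a given domain.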
CrowdStrike also recorded 34 new threat groups during 2023 and claimed the number of victims named on ransomware leak sites increased by 76% YoY.