Concern as Attacker “Breakout” Time Halves in 2020

The average time it took for attackers to move from initial infection to lateral movement and beyond halved last year, in a sign that organizations are failing in detection and response, according to CrowdStrike.

The security vendor’s 2021 CrowdStrike Global Threat Report is compiled from its threat intelligence, managed threat hunting and cloud graph database technology which processes four trillion global events per week.

It revealed that the vast majority (79%) of “hands-on” attacks spotted last year were financially motivated cybercrime, with supply chain attacks, data extortion and ransomware all featuring strongly. It pointed to 18 “big game” ransomware groups that infected 104 healthcare organizations in 2020.

However, of particular concern was how threat actors appear to be accelerating attacks once they’ve made an initial intrusion into a victim’s network. The average “breakout” time dropped from around nine hours in 2019 to just four hours and 28 minutes.

CrowdStrike SVP of services, Tom Etheridge, told Infosecurity that the aim should be for defenders to hit the “1-10-60” rule, whereby intrusions are detected within a minute, investigated in 10 and adversaries eliminated within 60 minutes.

“The prevalence and availability of malware supporting various stages of the attack cycle, and the reliance on legacy signature-based AV technology and overtaxed security practitioners, have fostered an environment where adversaries can move through a victim’s environment from initial point of entry (typically a phish) to being able to target and encrypt critical infrastructure before defenders are able to implement the controls necessary to stop the breach,” he warned.

Despite the majority of attacks last year coming from e-crime, CrowdStrike also warned of escalating threat activity from nation states in 2021, especially North Korea and China.

Beijing-backed attackers will be targeting key western verticals to support the government’s 14th Five-Year Plan and COVID-19 vaccine efforts, including academia, healthcare, technology, manufacturing and aerospace, the vendor claimed.

In North Korea, meanwhile, the ravages of COVID-19 and a national food shortage will force the government to ramp up campaigns designed to generate more funds for the hermit kingdom.

“The DPRK economy has continued to contract as a result of COVID-19, so currency generation schemes are likely to continue at pace and even expand,” CrowdStrike SVP of intelligence, Adam Meyers, told Infosecurity.

“They have also continued to move towards economic espionage, particularly around industries called out in the National Economic Development Strategy (NEDS), including energy, agriculture, mining, heavy machinery and land reclamation.”

The report can be found here.