5 Big Things To Know From CrowdStrike’s 2024 Threat Report
From a rise in identity threats and cloud-based attacks, to spotting the true security risks posed by GenAI, here are some of the key findings in the annual CrowdStrike report.
Malicious actors are continuing to shift their tactics away from traditional attacks aimed at endpoints and toward identity systems or cloud environments — and often, both at once, according to findings from cybersecurity giant CrowdStrike released Wednesday.
The 2024 CrowdStrike Global Threat Report highlights the growing problem of “cross-domain” attacks that exploit weaknesses created by the interdependence of various IT systems, whose human overseers often treat them independently, CrowdStrike’s Adam Meyers told CRN.
“The threat actors have figured out that these domains exist, and they’ve learned how to live in the fuzzy space in between them,” said Meyers, senior vice president of Counter Adversary Operations at CrowdStrike.
The report provides a number of new statistics about how attacks intensified and grew more complex in 2023, according to CrowdStrike.
What follows are five big things to know from CrowdStrike’s 2024 threat report.
Breakout Time Accelerates
One key statistic in CrowdStrike’s report highlights the intensification of attacks in 2023 in terms of “breakout time,” or the time it takes for an attacker to move from one compromised host to another host. The report findings show that the average breakout time for cybercriminals dropped to 62 minutes in 2023, down from 79 minutes in 2022.
Even more startling is another finding: The fastest breakout time observed by CrowdStrike was just over two minutes last year, down from seven minutes the year before. A two-minute breakout time is “crazy,” Meyers said.
What that means, he said, is that “two minutes is the time it can take for a threat actor to go from no access, to inside and moving laterally, and now you're chasing them through the enterprise. And that's terrifying.”
The Rise Of ‘Cross-Domain’ Adversaries
A key part of what is driving the acceleration in breakout times is the way that attackers are exploiting the different, often-siloed domains within an organization, Meyers said.
“This is really becoming what we're calling a cross-domain problem,” he said.
In many traditional environments, one enterprise team handles endpoint and server security, while a separate team handles security for the cloud environments, because cloud security usually calls for a different skill set.
Now, for many organizations, identity has become yet another domain, while some organizations also have operational technology (OT) as a fourth domain, Meyers noted.
At this point, it’s clear that threat actors have figured out that if they can get into the cloud, they can then use that cloud access to create new identities to maintain persistence, he said.
“So if their tools get kicked off of an endpoint, they still have that backend cloud access to reestablish control,” Meyers said. “That's one of the big takeaways, which is that organizations really need to start marching toward being cross-domain security conscious — because the threat actors are becoming cross-domain adversaries.”
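The two measurements described above, breakout time between hosts and the cross-domain pattern of an endpoint compromise followed by a new cloud identity, as an added detection example that is not code from the CrowdStrike report or from CRN. The event names, hosts, accounts and timestamps are constructed for the example and do not follow any vendor's telemetry schema.

```python
from datetime import datetime, timedelta

# Endpoint-side indicators that a host/account is compromised, and cloud-side actions
# that create a new identity or credential. Category names are constructed for this example.
ENDPOINT_COMPROMISE = {"credential_dump", "sensor_tamper"}
CLOUD_IDENTITY_CREATE = {"create_user", "create_service_principal", "add_credential"}

# Constructed sample timeline from two silos (endpoint and cloud); not real telemetry.
EVENTS = [
    {"ts": "2023-06-01T10:00:00", "domain": "endpoint", "host": "ws-17", "user": "jdoe", "action": "credential_dump"},
    {"ts": "2023-06-01T10:02:10", "domain": "endpoint", "host": "srv-db-02", "user": "jdoe", "action": "remote_logon"},
    {"ts": "2023-06-01T10:20:00", "domain": "cloud", "host": None, "user": "jdoe", "action": "create_service_principal"},
    {"ts": "2023-06-01T10:45:00", "domain": "endpoint", "host": "ws-17", "user": "jdoe", "action": "sensor_tamper"},
    {"ts": "2023-06-01T12:00:00", "domain": "endpoint", "host": "ws-03", "user": "asmith", "action": "remote_logon"},
]


def _timeline(events):
    # Parse timestamps once and merge both silos into a single time-ordered view.
    return sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events), key=lambda e: e["ts"])


def breakout_time(events, user):
    """Time from the first compromise indicator on one host to the first activity by the
    same account on a different host; None if no compromise or no second host is seen."""
    endpoint = [e for e in _timeline(events) if e["user"] == user and e["domain"] == "endpoint"]
    first = next((e for e in endpoint if e["action"] in ENDPOINT_COMPROMISE), None)
    if first is None:
        return None
    for e in endpoint:
        if e["ts"] > first["ts"] and e["host"] != first["host"]:
            return e["ts"] - first["ts"]
    return None


def cross_domain_persistence(events, window=timedelta(hours=24)):
    """Flag accounts that trigger an endpoint compromise indicator and then create a new
    cloud identity or credential within `window`: the cloud-backed persistence path that
    survives the endpoint being cleaned up. Each domain alone would not raise this."""
    timeline = _timeline(events)
    findings = []
    for e in timeline:
        if e["domain"] != "endpoint" or e["action"] not in ENDPOINT_COMPROMISE:
            continue
        for c in timeline:
            if (c["domain"] == "cloud" and c["user"] == e["user"]
                    and c["action"] in CLOUD_IDENTITY_CREATE
                    and e["ts"] < c["ts"] <= e["ts"] + window):
                findings.append({"user": e["user"], "endpoint_host": e["host"], "endpoint_action": e["action"],
                                 "cloud_action": c["action"], "lag": c["ts"] - e["ts"]})
    return findings
```

Run on the sample data, `breakout_time(EVENTS, "jdoe")` is 2 minutes 10 seconds and `cross_domain_persistence(EVENTS)` yields one finding: the credential dump on ws-17 followed 20 minutes later by a service principal created in the cloud by the same account.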
Cloud Intrusions Surge
CrowdStrike’s report indicates that cloud intrusions surged by 75 percent in 2023 compared to the previous year, underscoring the threats posed to multiple domains within an organization, Meyers said.
Another key statistic on the threat to cloud environments relates to what CrowdStrike calls “cloud-conscious” attackers. Such threat actors are “aware of the ability to compromise cloud workloads and use this knowledge to abuse features unique to the cloud for their own purposes,” the company said in its report.
According to the report, incidents involving cloud-conscious attackers more than doubled year-over-year, growing 110 percent in 2023.
As always, adversaries take the path of least resistance, Meyers noted. “We’ve made the enterprise an inhospitable place for adversaries, particularly at the endpoint level, where we have endpoint technology that can stop the attacks that were prevalent two years ago,” he said.
But when it comes to cloud environments, security is “oftentimes not well-understood inside of an enterprise environment,” Meyers said. “They don't have the same level of visibility that you would have across your enterprise and your servers and desktops. So the threat actors are going for an easier target.”
GenAI Myths Vs. Reality
Despite the attention paid to the potential for GenAI apps such as ChatGPT to aid attackers, there was little evidence of this happening in 2023, according to CrowdStrike’s report.
“Throughout 2023, generative AI was rarely observed supporting malicious [computer network operations] development and/or execution,” the report said.
What CrowdStrike has been seeing on occasion is experimentation with GenAI by threat actors, Meyers said. “Not in malware code writing or exploit development. But it’s been more like, ‘Write a script to extract all the Entra IDs from a Microsoft Azure cloud tenant,’” he said.
“We've seen scripts that we've recovered from some of these threat actors that have comments that are consistent with the comments that we have seen from LLM technology, like ChatGPT,” Meyers said.
Notably, however, it seems unlikely that threat actors will develop their own large language models, since this would be cost-prohibitive, he said. With OpenAI spending hundreds of millions on its GPT technologies, “no threat actor is investing in that many GPUs to do that type of training,” Meyers said.
A more realistic threat could come from OpenAI itself, with the expected forthcoming launch of its text-to-video technology, dubbed Sora, according to Meyers.
Given that the technology could arrive during an election year in the U.S., “that's going to be potentially a huge problem,” he said. If the technology turns out to work reliably, “it’s really going to democratize the ability to do high-quality disinformation campaigns.”
New Strategies Needed
Given CrowdStrike’s findings, Meyers pinpointed two areas of focus that should be prioritized by most organizations: Identity and cross-domain security capabilities.
First, “they need to get identity protection wrapped around their identity solution,” he said. “It’s one thing to have multifactor authentication and to use [identity platforms] like Okta. But you still need to have compensating controls wrapped around that. And identity protection is how you do that. That is absolutely table stakes at this point for organizations.”
The second priority is that organizations need to become “cross-domain capable,” Meyers said. “They need to understand that the threat actors have become cross-domain, and that they can jump between the enterprise and the cloud — and that they're exploiting the weaknesses in identity and unmanaged devices. And they need to get that visibility and be able to do hunting across all of the domains that are inside of their purview.”