Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Organizations Getting Better at Detecting Breaches: Report

Organizations have become slightly better at detecting cyber intrusions, but malicious actors are constantly working on improving their tactics and techniques, according to CrowdStrike’s 2017 Cyber Intrusion Services Casebook.

Organizations have become slightly better at detecting cyber intrusions, but malicious actors are constantly working on improving their tactics and techniques, according to CrowdStrike’s 2017 Cyber Intrusion Services Casebook.

The report is based on data collected by the security firm from more than 100 investigations. Four of these cases are analyzed in detail in the report, including a SamSam ransomware attack on a commercial services organization, a cybercrime operation aimed at a manufacturer’s e-commerce application, a PoS malware incident targeting a large retailer, and a NotPetya infection.

CrowdStrike has determined that organizations continue to improve their ability to detect intrusions on their own. The percentage of firms that self-detected a breach increased to 68 percent, up from 57 percent in the previous year.

As for dwell time, which is the number of days between the initial intrusion and detection, the average has decreased slightly to 86 days. CrowdStrike pointed out that it still takes some organizations as much as 800 to 1,000 days to detect a breach, but these cases are an exception.

“Regardless of dwell time duration, automated systems may eventually detect an intrusion, but by the time human staff is alerted and aware it’s often too late: the attackers must be stopped before they can achieve their objectives,” CrowdStrike said in its report.

Of the attacks analyzed by CrowdStrike, the most prevalent were aimed at stealing intellectual property, stealing money, stealing personally identifiable information (PII), and ransom or extortion.

In more than one-third of attacks, hackers gained access to the targeted organization’s systems using web server, web application or web shell exploits, or file uploaders. Other commonly seen attack vectors were remote access via RDP or VPN (23%), supply chain compromise (12%), social engineering and phishing (11%), and cloud-based service exploits (11%).

Roughly two-thirds of the attacks analyzed by the security firm were fileless – they involved malicious code being written to and executed from memory, harvesting credentials via phishing or social engineering, remote logins via stolen credentials, and exploits targeting web applications.

Advertisement. Scroll to continue reading.

CrowdStrike also noticed that tactics and techniques typically used by nation-state actors have been increasingly leveraged by cybercrime groups.

“These include fileless malware and ‘living off the land’ techniques involving processes native to the Windows operating system, such as PowerShell and WMI (Windows Management Instrumentation),” CrowdStrike said. “Many also employ anti-forensics tools and methods in an effort to erase signs of their presence and increase dwell time. Brute-force attacks on RDP (remote desktop protocol) servers are also prevalent in these cases.”

Attackers are also increasingly turning to self-propagating malware, particularly in the case of ransomware such as the notorious WannaCry. These attacks are often successful due to organizations failing to update critical systems and deploying comprehensive security technologies.

Related: CrowdStrike Launches Cybersecurity Search Engine

Related: Breach Detection Time Improves, Destructive Attacks Rise

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Tabitha Craig has been named the CISO of the Congressional Budget Office (CBO).

Life360 has appointed Vari Bindra, former Amazon cybersecurity lead, as Chief Information Security Officer.

Forcepoint has appointed Guy Shamilov as CISO, Bakshi Kohli as CTO and Naveen Palavalli as CPO and CMO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.