CrowdStrike 2023 Threat Hunting Report



Identity threats emerged as the major theme of interactive — aka hands-on-keyboard — intrusions discovered by the CrowdStrike® Falcon OverWatch™ threat hunting team in the past 12 months. In all aspects of operations, adversaries looked for ways to broaden their reach, optimize their tradecraft, and deepen their impact. These operations often started with an identity compromise. Adversaries did not rely solely on compromised valid credentials, either; rather, they demonstrated their capacity to abuse all forms of identification and authorization, including weak credentials purchased from the underground, and they elevated their phishing and social engineering tradecraft.

In addition to the broad targeting of identity, several trends related to eCrime stood out this year. First, the continued exploitation of vulnerable software to gain access, particularly in the case of access brokers, demonstrates the need for organizations to have visibility into their external attack surface. The expanded use of zero-day vulnerabilities and the speed at which threat actors could develop N-day exploits underscore the importance of vulnerability management and patching. Second, the rampant use of legitimate remote monitoring and management (RMM) tools illustrates adversaries’ attempts to blend into enterprise noise and avoid detection. SCATTERED SPIDER, for example, utilizes numerous RMM tools, enabling them to remain undetected for protracted periods while accessing sensitive data and — more recently — deploying ransomware. Finally, Falcon OverWatch observed adversaries such as INDRIK SPIDER following their otherwise opportunistic initial access attempts with more tailored follow-on behaviors.
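Because legitimate RMM tools are meant to blend in, a useful hunting control is an inventory-based one: compare every RMM binary that executes against the single product the organization has sanctioned, and raise the priority when a tool runs from a user-writable path, is spawned by a mail or Office client, or when several distinct RMM products appear on one endpoint (the pattern described above for SCATTERED SPIDER). The following is an added example written for this page, not code from CrowdStrike or the Falcon OverWatch report; the JSON process-creation events, hostnames, usernames, the RMM binary list and the assumption that ScreenConnect is the sanctioned product are all constructed for illustration.

```python
"""
Hunt for unsanctioned RMM tool execution in process-creation telemetry.

Added example, not part of the CrowdStrike report. The event format,
hostnames, users, RMM binary list and sanctioned product are constructed
assumptions; adapt them to the organization's real inventory.
"""
import json
from collections import defaultdict

# Assumed mapping of executable name -> RMM product. Illustrative, not exhaustive.
RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "teamviewer.exe": "TeamViewer",
    "atera.agent.exe": "Atera",
}

# Assumed: the organization has approved exactly one RMM product.
SANCTIONED_RMM = {"ScreenConnect"}

# Parents that should not normally be launching remote-access software.
MAIL_AND_OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}

# Path fragments that indicate a user-writable staging location.
USER_WRITABLE_HINTS = ("\\temp\\", "\\downloads\\", "\\appdata\\local\\")

# Constructed sample telemetry: one JSON process-creation event per line.
SAMPLE_LOG = r"""
{"ts":"2023-06-01T09:00:01Z","host":"ws-042","user":"jdoe","image":"C:\\Program Files\\ScreenConnect\\ScreenConnect.ClientService.exe","parent":"services.exe"}
{"ts":"2023-06-01T09:05:12Z","host":"ws-042","user":"jdoe","image":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\AnyDesk.exe","parent":"outlook.exe"}
{"ts":"2023-06-01T09:07:40Z","host":"ws-042","user":"jdoe","image":"C:\\Users\\jdoe\\Downloads\\TeamViewer.exe","parent":"explorer.exe"}
{"ts":"2023-06-01T10:15:00Z","host":"ws-117","user":"asmith","image":"C:\\Windows\\System32\\notepad.exe","parent":"explorer.exe"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def rmm_product(image_path):
    """Return the RMM product name for an image path, or None if not an RMM binary."""
    filename = image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return RMM_BINARIES.get(filename)


def context_flags(event):
    """Attach context that raises triage priority for an RMM execution."""
    flags = []
    lowered = event["image"].lower()
    if any(hint in lowered for hint in USER_WRITABLE_HINTS):
        flags.append("user_writable_path")
    if event["parent"].lower() in MAIL_AND_OFFICE_PARENTS:
        flags.append("launched_from_mail_or_office")
    return flags


def find_unsanctioned_rmm(events):
    """Per-host list of RMM executions whose product is not on the sanctioned list."""
    findings = defaultdict(list)
    for ev in events:
        product = rmm_product(ev["image"])
        if product is None or product in SANCTIONED_RMM:
            continue
        findings[ev["host"]].append({
            "ts": ev["ts"],
            "user": ev["user"],
            "product": product,
            "image": ev["image"],
            "parent": ev["parent"],
            "flags": context_flags(ev),
        })
    return dict(findings)


def hosts_with_multiple_rmm(events, threshold=2):
    """Hosts on which at least `threshold` distinct RMM products executed.
    Several RMM tools on one endpoint is an anomaly even if one is sanctioned."""
    seen = defaultdict(set)
    for ev in events:
        product = rmm_product(ev["image"])
        if product:
            seen[ev["host"]].add(product)
    return {host: sorted(products) for host, products in seen.items()
            if len(products) >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(json.dumps(find_unsanctioned_rmm(evs), indent=2))
    print(json.dumps(hosts_with_multiple_rmm(evs), indent=2))
```

On the constructed sample, ws-042 surfaces twice: AnyDesk launched from a Temp directory by Outlook, and TeamViewer from Downloads, and the same host also trips the multiple-RMM rule because three distinct products ran there within minutes. The notepad event on ws-117 is ignored. In production the binary list should be populated from the organization's own software inventory and matched on signer or hash rather than filename alone, since a renamed executable defeats a name-only check.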
