
CrowdStrike annual cyber intrusion casebook reveals fileless malware on the rise


SaaS endpoint protection provider, CrowdStrike Inc., has released its annual cyber intrusion services casebook providing valuable insights into attack tactics and the state of breach readiness across industries.

CrowdStrike’s research reveals incident response strategies, lessons learned and trends derived from over 100 real-life cyber intrusion cases that CrowdStrike Services worked on during the past year. These engagements cover finance, insurance, healthcare, retail, information technology and other industries.

As such, it is a rich source of data for CIOs and IT Managers looking for practical guidance on how enterprises are breached, the techniques being used by attackers, and other lessons learned.

Key findings include:

  1. The lines between nation-state sponsored attack groups and eCrime threat actors continue to blur. Both threat groups increasingly leverage similar tactics such as fileless malware and “living off the land” techniques involving processes native to the Windows operating system, including PowerShell and Windows Management Instrumentation (WMI).
  2. The average attacker dwell time was 86 days. This statistic reflects the number of days between the first evidence of a compromise and its initial detection. The longer an attacker can dwell in the environment, the more opportunity they have to find, exfiltrate or destroy valuable data or disrupt business operations.
  3. Attackers apply more self-propagation techniques to accelerate the scope and scale of attacks. Across multiple incidents, CrowdStrike has observed malware variants that employ techniques designed to spread once a system is infected. Victim organisations across the globe continue to experience the repercussions of failing to keep their critical systems updated, instead relying on ineffective legacy security technologies for threat prevention.
  4. The use of fileless malware and malware-free attacks made up 66 percent of all attacks. Notable examples include attacks where code was executed from memory or where stolen credentials were leveraged for remote logins.
  5. Companies are getting better at self-detection. In 68 percent of the reviewed cases, the companies were able to internally identify the breach. CrowdStrike’s research indicates this is an 11 percent increase over prior years.

“To minimise the impact of a cyber-related incident, organisations need to be aware of emerging attack trends and adversary techniques, and in turn, implement incident response best practices and proactive mitigation strategies. With cybersecurity becoming a core business issue, CEOs and business leaders need to improve their ability to anticipate threats, mitigate risks, and prevent damage in the wake of a security-related event,” said Shawn Henry, chief security officer and president of CrowdStrike Services. “Based on the CrowdStrike Services team’s extensive experience, this Casebook informs not only security professionals but also executives, boards of directors and shareholders on how to prepare for and respond to intrusions in a more effective manner.”

CrowdStrike’s research shows, through real-world examples, the continuing importance of organisations improving their resiliency in the face of ever-changing and increasingly sophisticated attack techniques.

It is no longer sufficient to rely on traditional security measures, tools and approaches. Organisations must evolve their security strategies to proactively prevent, detect and respond to all attack types, including fileless malware and malware-free attacks.

The 2017 annual CrowdStrike Cyber Intrusion Services Casebook can be downloaded here.

