Know thy enemy: Traversing the 2024 global threat landscape.

Sun Tzu (c. 544–496 BC), a Chinese military general, strategist, and philosopher, showed remarkable prescience when he said, “Know thy enemy and know yourself; in a hundred battles, you will never be defeated.”

And when George Kurtz (CEO/Co-Founder of CrowdStrike) observed, “You don’t have a malware problem, you have an adversary problem,” he likewise recognised the importance of taking an adversary-focussed approach to protecting customers and stopping breaches in the modern-day battleground of cybercrime.

So, what do you need to know about your enemy?

2023 – the year that was

CrowdStrike’s 2024 Global Threat Report provides valuable insights into a dark landscape.

For starters, in 2023, CrowdStrike identified 34 new adversaries, bringing the known total to 232. It also observed “a 60% year-over-year increase in the number of interactive intrusion campaigns, with a 73% increase in the second half compared to 2022.”

Year over year, cloud-conscious cases (intrusions in which the adversary knowingly targets and abuses cloud-specific features) increased by 110%, and cloud environment intrusions increased by 75%.

The rise of human adversaries

CrowdStrike reports that interactive intrusion techniques have made cyber threats more alarming than ever before. Unlike malware attacks, which rely on malicious tools and scripts, interactive intrusions utilise the ‘creativity and problem-solving skills of human adversaries.’

In an interactive intrusion, adversaries gain initial access to a host and then move laterally towards their objective as quickly as possible. Because they mimic typical user and administrator behaviour – legitimate tools, valid credentials, routine remote-administration channels – it is difficult for defenders to distinguish an attack from business-as-usual activity.

Breakout time – the interval between an adversary’s initial foothold and their first lateral move to another host in the environment – is the critical metric, and it is an increasingly narrow window in which defenders can detect and contain the intrusion before damage and costs escalate.

How narrow? In 2022, the average breakout time for interactive intrusion activity was 84 minutes; in 2023, it fell to 62 minutes. Terrifyingly, the fastest observed breakout time was only 2 minutes and 7 seconds.

If you are wondering why the focus is on interactive intrusion, it’s because 75% of the detections in 2023 were malware-free: no malicious file was needed, only hands-on-keyboard activity using legitimate tools and valid credentials.
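Breakout time is easy to quote but more useful when measured against your own telemetry, because it tells you whether your detect-and-contain process is faster than the adversary. The Python below is an added example, not code from the CrowdStrike report or from this post: it derives breakout time per intrusion as the gap between the first initial-access event and the first lateral movement that lands on a different host, and compares it with a response budget. The pipe-delimited record format, the tactic labels, and the three sample cases are all constructed for illustration.

```python
# Added example (not from the CrowdStrike report or the original post).
# Computes breakout time - the gap between an adversary's first foothold
# and their first lateral move to another host - from constructed endpoint
# telemetry. The record format and tactic labels are assumptions made here.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Event:
    ts: datetime
    intrusion_id: str  # analyst-assigned case identifier (hypothetical)
    host: str
    tactic: str        # "initial_access", "discovery", "lateral_movement", ...


def parse_events(lines: Iterable[str]) -> List[Event]:
    """Parse 'timestamp|intrusion_id|host|tactic' records, oldest first.
    Blank lines and '#' comment lines are ignored."""
    events = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, iid, host, tactic = (f.strip() for f in line.split("|"))
        events.append(Event(datetime.fromisoformat(ts), iid, host, tactic))
    return sorted(events, key=lambda e: e.ts)


def breakout_time(events: List[Event], intrusion_id: str) -> Optional[timedelta]:
    """Time from the first initial-access event to the first lateral
    movement that reaches a *different* host. Returns None if the adversary
    never broke out of the foothold host (or no initial access was seen)."""
    foothold: Optional[Event] = None
    for e in events:
        if e.intrusion_id != intrusion_id:
            continue
        if foothold is None:
            if e.tactic == "initial_access":
                foothold = e
            continue
        # Activity that stays on the foothold host does not count as breakout.
        if e.tactic == "lateral_movement" and e.host != foothold.host:
            return e.ts - foothold.ts
    return None


def breakout_report(events: List[Event], response_budget_minutes: float) -> Dict[str, dict]:
    """Per intrusion: observed breakout, and whether a defender who detects
    and contains within `response_budget_minutes` would have beaten it."""
    budget = timedelta(minutes=response_budget_minutes)
    report = {}
    for iid in sorted({e.intrusion_id for e in events}):
        bt = breakout_time(events, iid)
        report[iid] = {
            "breakout": bt,
            "contained_in_time": bt is None or budget < bt,
        }
    return report


# Constructed telemetry for three hypothetical cases (not real incidents).
SAMPLE_TELEMETRY = """
# timestamp          | intrusion | host   | tactic
2023-06-01T09:00:00 | INT-1 | ws-017 | initial_access
2023-06-01T09:01:30 | INT-1 | ws-017 | discovery
2023-06-01T09:02:07 | INT-1 | fs-02  | lateral_movement
2023-06-01T13:00:00 | INT-2 | ws-042 | initial_access
2023-06-01T13:25:00 | INT-2 | ws-042 | credential_access
2023-06-01T14:02:00 | INT-2 | dc-01  | lateral_movement
2023-06-02T08:15:00 | INT-3 | ws-003 | initial_access
2023-06-02T08:40:00 | INT-3 | ws-003 | discovery
"""

EVENTS = parse_events(SAMPLE_TELEMETRY.splitlines())

if __name__ == "__main__":
    for iid, row in breakout_report(EVENTS, response_budget_minutes=30).items():
        verdict = "beaten by defenders" if row["contained_in_time"] else "too slow"
        print(f"{iid}: breakout={row['breakout']} -> {verdict}")
```

With a 30-minute response budget, the 2 minute 7 second case is lost before anyone could act, the 62-minute case is (just) caught, and the case that never left its foothold host shows no breakout at all. Swap in your own EDR or SIEM export and your real mean time to contain, and the report tells you which intrusions your current process would actually have stopped.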

What else did 2023 serve up?

Due to their high return on investment (ROI), supply chains have remained attractive targets for cybercriminals. Trusted relationship compromises flourished, and the technology sector was at the top of the target list.

CrowdStrike says, “In 2023, nearly every trusted-relationship compromise originated as part of an intrusion at a technology sector organisation that provided commercial software.” Why technology? It’s a numbers game. One compromised software organisation can open the door – often with minimal effort – to hundreds or thousands of follow-on targets.

Identity-based and social engineering attacks were a common theme throughout 2023, with criminals continuing to use phishing techniques to spoof legitimate users and target valid accounts, as well as other authentication and identifying data. Account credentials, API keys and secrets, session cookies and tokens, one-time passwords (OTPs), and Kerberos tickets were also desirable acquisitions.

2024 – the year that is

In its 2024 Global Threat Report, CrowdStrike identifies generative AI and the 2024 global government elections as this year’s two biggest potential disruption drivers.

Other threats on the (near) horizon include ‘malvertising’ (malicious advertising), SEO poisoning, and increasing macOS malware.

Generative AI, the threat from within

CrowdStrike cannot enumerate the instances of generative AI misuse in 2023 – it notes that its visibility into adversaries’ use of these tools is likely incomplete, and that such use may be well hidden – but the technology’s potential for harm, as well as good, looms large.

We, too, recently wrote about the double-edged sword that is generative AI.

Generative AI became a mainstream technology in late 2022. In its 2024 threat report, CrowdStrike observed, “Generative AI has massively democratised computing to improve adversary operations. It can also potentially lower the entry barrier to the threat landscape for less sophisticated threat actors,” – and identified two primary opportunity areas for generative AI within the threat landscape.

The first is using generative AI to support malicious computer network operations (CNO) by producing tools and resources, such as scripts or code, that could function maliciously. The second is using generative AI to improve the efficiency and effectiveness of social engineering and information operations campaigns.

2024 will be the year to watch as generative AI continues to gain popularity. Not only will the cybersecurity industry be able to assess how threat actors will use it to their advantage, but also how companies, tool owners and governments will respond to new developments and perceived misuse.

Global elections

2024 is a significant year on the political stage. This year, according to CrowdStrike, individuals from 55 countries representing more than 42% of the global population will participate in presidential, parliamentary, and general elections. This includes seven of the ten most populous countries in the world: India, the U.S., Indonesia, Pakistan, Bangladesh, Russia and Mexico.

There will also be high-profile, national-level elections in countries or groups involved in, or proximal to, major geopolitical conflicts, including Taiwan, Azerbaijan, India, Pakistan, Iran, Belarus, Russia, Finland, Lithuania and the European Union.

Throughout these elections, likely cyber activity will range from intrusions against the software and hardware used to process votes, through the compromise or leaking of government data, hack-and-leak operations designed to discredit, and website defacements, to the distribution of damning misinformation. We can be assured that generative AI will lend a helping hand in creating deceptive narratives and campaigns to support adversaries invested in political and global disruption.

Then, there’s malvertising, SEO poisoning, and macOS malware

Increasingly prominent throughout 2023, malvertising, SEO (search engine optimisation) poisoning, and macOS malware have all contributed to a rapidly evolving e-crime landscape – and will continue to impact us in 2024.

Malvertising is the injection of malicious code into legitimate or specially created online advertising on advertising networks and web pages. SEO poisoning, aka search poisoning, is a closely related technique in which cybercriminals create malicious websites and then use SEO techniques to secure a falsely high ranking in search engine results. Both play on the searcher’s assumption that the results and ads nearest the top of a search page are the most credible – and clickable.

CrowdStrike reports that in 2023, multiple macOS malware variants emerged on underground marketplaces and that “All observed macOS malware families are information stealers capable of harvesting stored passwords, cookies, and cryptocurrency wallets.”

What does 2024 hold for you?

We know that threat landscape reports never contain good news. But they’re not meant to – they’re here to help you understand your adversaries and be aware of the dangers to your organisation, employees, and customers.

Awareness and prevention are always better than cure. So, if you’d like us to conduct a Cyber Security Vulnerability Assessment, please get in touch with us.

In the meantime, watch out for our next blog, where we share our ‘keep safe out there’ recommendations.
