Minicast: 90 minutes after an intrusion, cybercriminals are laterally on the move - CrowdStrike

Staff Writer

As little as 30 minutes to reach other hosts a third of the time.

With criminally focused adversaries now capable of moving through organisational networks faster than ever before, threat hunting has emerged as a critical component of contemporary cybersecurity.


According to Nick Lowe, director of Falcon Overwatch at CrowdStrike, there have been instances identified where intruders moved laterally within minutes of gaining initial access.

"We track this as breakout time and on average, Overwatch observed an average breakout time with respect to e-crime intrusions of just one hour and 32 minutes."

Furthermore, he said, Overwatch discovered that in 36 percent of those intrusions, the adversary moved laterally to additional hosts in under 30 minutes.

The increasing speed with which adversaries are moving through organisations means round-the-clock eyes on glass are required, said Lowe.

Organisations need to proactively seek out the early warning signs, he said, as these may indicate the presence of an adversary who needs to be disrupted before they can achieve their goals.

"This means augmenting their existing security technology investments with human-led hunting services."

Moreover, he cautioned, "As the ransomware economy continues to evolve, ransomware as a service and the availability of ransomware toolkits is paving the way for an increasing number of criminally focused adversaries.

"Or battling to join the mix and enabling them to quickly operationalise ransomware campaigns with minimal technical proficiency and often no need for their own infrastructure."

This trend is set to continue throughout 2022 as criminal actors chase lucrative payouts, he believes.

Threat actors are also increasingly seeking to subvert automated detection capabilities, according to Lowe.

"If you look at how adversaries are conducting their attacks, it's no longer about malware. In fact, according to data from our customer base, which was indexed by Threat Graph, 68 percent of the detections from the last three months weren't malware-based."

© Digital Nation