Attackers Increasingly Focus on Business Disruption

Network intruders are staying undetected for an average of 95 days, enabling them to target critical systems and more completely disrupt business.

4 Min Read
Dark Reading logo in a gray background | Dark Reading

More cyberattackers are targeting large companies with stealthier attacks, aiming to significantly disrupt businesses and force them to pay higher ransoms, according to a report summarizing more than 300 breach investigations.

The "CrowdStrike Services Cyber Front Lines Report" found that 36% of incidents aimed to disrupt business or operations. While companies are getting better at detecting attacks using their own people and systems —79% of attackers were discovered internally, the highest rate in three years — the number of days attackers went undetected increased to 95, up from 85 days in 2018, CrowdStrike found.

The result is that malicious attackers have more time to attack operations and cause more disruption, says Thomas Etheridge, vce president of services at CrowdStrike.

"Not all of these threat actors are deploying ransomware, but they were really focused on disrupting the business' ability to perform business," he says. "That disruption was behind higher ransom amounts and the decision to often pay the ransom."

The report's findings highlight how last year's steady beat of ransomware headlines became a trend. From the coordinated attacks on Texas towns to a focus on local school districts, reports of ransomware attacks exploded in 2019. While successful attacks have decreased in number by some accounts, attackers are focusing on larger targets and threatening to do greater damage. Called "big-game hunting" by many firms, the revised strategy is about minimizing effort and maximizing the profit from criminal activity.

"That type of access that the attacker has, it really gives them the flexibility to understand where the critical data assets are, what approach they are going to take to encrypt those assets, where the backups are stored — and that really puts the customer at a disadvantage," Etheridge says.

While the increase in disruptive attacks is the main theme of CrowdStrike's report, a number of other trends are highlighted as a well. The company found, for example, that a legitimate tool for scanning Active Directory stores, known as Bloodhound, had been co-opted by attackers to speed their movement across networks. 

The company also urged companies to better secure their cloud services, especially infrastructure-as-a-service (IaaS) infrastructure. Attackers are already targeting API keys, which are used to allow programs to access and incorporate features from the cloud.

"Static keys pose a significant risk because they allow enduring access to large amounts of often sensitive data," the report states. "Instead, use ephemeral credentials for automated cloud activity and enforce the usage of these credentials only from authorized IP address space."

Finally, Macs are now on the menu for attackers, CrowdStrike says.

"The increasing popularity of macOS systems in organizations, combined with insufficient macOS endpoint management and monitoring, have made Macs lucrative targets for threat actors," the report states. "Once inside a victim environment, the Services team has observed threat actors leveraging legitimate user credentials and native macOS utilities to move laterally and persist there while evading detection."

In terms of disruptive attacks, the manufacturing sector found itself most often successfully targeted by ransomware and other business-disrupting malware, according to CrowdStrike's report. Healthcare had the second highest number of disruptive incidents, followed by government organizations and information-technology companies.

Attackers often used spear-phishing attacks for the initial compromise, the company found. In just over a third of cases (35%), spear-phishing e-mails or messages gave attackers initial access to the victim's systems. Attackers also sought out legitimate credentials to allow them to move around networks. Collecting credential dumps and attempting to discover accounts were the No. 1 and No. 3 attack techniques.

Companies that deploy a handful of defenses could fend off many of the attacks detected by CrowdStrike. Multifactor authentication on all public-facing portals, for example, will prevent attackers from gaining easy access through stolen credentials. Network segmentation helps prevent attackers from easily moving around a network following a compromise. 

"These methods can help organizations improve their security posture," Etheridge says. "Organziations are better able to self-detect the attackers in their environment, so we expect attackers to continue to use more stealthy techniques to increase their dwell time."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "6 Unique InfoSec Metrics CISOs Should Track in 2020."

About the Author

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights