Cyber criminals are speeding up as new security research shows faster turnaround on system breaches, more attacks in the financial and tech sectors, and increased targeting of the Asia-Pacific region
Year-on-year, global and domestic cyber crime increases in both volume and financial yield for online criminals, but new research from cyber security company CrowdStrike suggests attackers are not only more prevalent, but are also optimising their craft.
Based on insights from the company’s threat hunting team, the CrowdStrike 2023 Threat Hunting Report showed cyber criminals are getting faster at breaching victims’ systems, with a record low “breakout time” for attacks during financial year 2023.
The average breakout time – that is, the average time it takes for a threat actor to move from an initial compromise to other hosts in a victim environment – fell from 84 minutes in 2022 to a record 79 minutes in 2023.
Furthermore, the fastest breakout time of the year was recorded at only seven minutes – about the time it takes to make a coffee.
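The report's breakout-time metric is easy to reproduce against your own telemetry, which is how a detection team can benchmark itself against the 79-minute average and the seven-minute worst case. The following is an added example, not code from CrowdStrike or the report: it assumes a constructed event schema (intrusion id, timestamp, host, free-text detail) and measures breakout as the gap between an intrusion's first event and its first event on a different host.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class HostEvent:
    """One piece of endpoint telemetry attributed to a tracked intrusion (constructed schema)."""
    intrusion_id: str
    ts: datetime
    host: str
    detail: str


def breakout_minutes(events):
    """Map each intrusion to its breakout time in minutes.

    Breakout time is measured as defined on the page: the gap between the earliest
    event of an intrusion (the initial compromise) and the first event on a
    *different* host. Intrusions that never touch a second host are omitted.
    """
    by_intrusion = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_intrusion.setdefault(ev.intrusion_id, []).append(ev)
    result = {}
    for iid, evs in by_intrusion.items():
        first = evs[0]
        nxt = next((e for e in evs[1:] if e.host != first.host), None)
        if nxt is not None:
            result[iid] = (nxt.ts - first.ts).total_seconds() / 60
    return result


def faster_than_budget(minutes_by_intrusion, budget_minutes=7):
    """Intrusions whose breakout beat the response budget, i.e. cases where a
    responder working at that speed would already have been too late."""
    return sorted(i for i, m in minutes_by_intrusion.items() if m <= budget_minutes)


def _t(hhmm):
    return datetime(2023, 5, 1, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample telemetry; hostnames and timings are invented, not from the report.
SAMPLE_EVENTS = [
    HostEvent("INT-A", _t("10:00"), "ws-01", "phishing payload executed"),
    HostEvent("INT-A", _t("10:05"), "ws-01", "credential dump on same host"),
    HostEvent("INT-A", _t("10:19"), "srv-02", "remote logon with harvested creds"),
    HostEvent("INT-B", _t("11:00"), "ws-07", "valid account logon from external IP"),
    HostEvent("INT-B", _t("11:06"), "dc-01", "admin share access"),
    HostEvent("INT-C", _t("12:30"), "ws-03", "macro execution, contained on one host"),
]

if __name__ == "__main__":
    times = breakout_minutes(SAMPLE_EVENTS)
    print(times, faster_than_budget(times))
```

With the constructed events, INT-A breaks out in 19 minutes, INT-B in 6 (inside the seven-minute window the report warns about) and INT-C never leaves its first host.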
“When we talk about stopping breaches, we cannot ignore the undeniable fact that adversaries are getting faster and they are employing tactics intentionally designed to evade traditional detection methods,” said Adam Meyers, head of Counter Adversary Operations at CrowdStrike.
“Security leaders need to ask their teams if they have the solutions required to stop lateral movement from an adversary in just seven minutes.”
The report focuses on interactive intrusion activity, a form of cyber crime where threat actors use “hands-on-keyboard techniques” to actively interact and execute actions in a victim environment.
Moving freely through a target environment is no small feat, especially at breakneck speeds, but CrowdStrike noted many threat actors are simply working with compromised identity data such as credentials, account data and system permissions.
“The abuse of identity, particularly when coupled with creative defence evasion methodologies, enables adversaries to hide in plain sight,” said CrowdStrike.
According to the report, 80 per cent of breaches use compromised identities.
Notably, only 14 per cent of intrusions where valid accounts were misused involved brute-force methods, and over half of the remaining 86 per cent originated from a system external to the organisation.
This suggests compromised accounts were likely obtained through human-centric measures such as phishing, credential harvesting or simple password reuse.
The report pointed to a case where a victim organisation accidentally published root credentials to software development platform GitHub.
Within seconds, multiple threat actors attempted to use the compromised credentials, suggesting threat actors also achieve their high-speed attacks by using automated tools to monitor services such as GitHub for leaked credentials.
Australia targeted – cyber coordinator calls for change
Earlier this week at the CrowdStrike Threat Summit in Brisbane, the recently appointed National Cyber Security Coordinator Darren Goldie called for a “need to make cyber security a more integrated part of organisational and personal security”.
“The human element is routinely found to be the weakest link in our cyber security defences,” said Goldie.
“Weak passwords, careless clicking and other human online behaviours point to a widespread naivety and indifference to the threats posed by cyber criminals.
“We need to change our cyber culture as a nation,” he added.
These comments arrive alongside CrowdStrike findings that China-based cyber adversaries are targeting the Asia Pacific and Japan (APJ) more heavily than other regions – with 14 sectors targeted in the APJ compared to only six in the Americas and two in Europe, the Middle East, and Africa.
For Australia, China has been a growing point of concern after it was suspected for a 2019 attack on Parliament’s IT network.
Since then, a 2022 discovery revealed a Chinese government-affiliated hacking group had been targeting Australian military, government and public health organisations with malware, and the Australian government more recently banned social media app TikTok on employees’ phones over fears of data being accessible to Chinese authorities.
Globally, CrowdStrike reports financial service firms suffered an 80 per cent increase in cyber attacks, while in the APJ region technology companies were the most targeted of the 2023 financial year, attracting 26 per cent of all attacks.
Telcos followed at 12 per cent – as seen during the landmark 2022 breach at Optus and multiple, quieter breaches at Telstra – then retail (11 per cent), financial services (8 per cent) and manufacturing (7 per cent).
Increased targeting of critical infrastructure has further led the Australian government to bolster critical asset risk management via a series of amendments to the Security of Critical Infrastructure Act 2018 (SOCI Act), expanding which sectors fall under critical infrastructure requirements and narrowing the time frame for organisations to report a cyber incident.
“A cyber security incident affecting our critical infrastructure has the potential to be devastating,” said Goldie.
“Collectively we need to be a hard target.”