CrowdStrike on Tuesday released its annual Global Threat Report, and for the first time ever, the number of malware-free attacks that the company observed over the previous year exceeded actual malware-based attacks.
The cybersecurity firm, which won Best Security Company at the 2020 SC Awards last week during the RSA Conference, reports that 51 percent of attacks in 2019 used malware-free techniques, versus 49 percent that did rely on malware. By CrowdStrike’s definition, a malware-free attack occurs when no file or file fragment is written to disk during the initial attack. Such instances include the use of fileless/in-memory malware or the abuse of legitimate software to compromise organizations, aka “living off the land.”
By leveraging such techniques, “…adversaries are finding ways to circumnavigate traditional controls — next-gen AV products as an example — and that’s where we see a lot of issues that lead to a breach,” said Michael Sentonas, CTO at CrowdStrike, in a video interview with SC Media during the RSA show.
In 2018, only 40 percent of attacks registered by CrowdStrike were malware-free.
North America in particular experienced a significant jump in malware-free attacks in 2019, with fewer than 30 percent of attacks actually involving malware written to disk.
The 2020 CrowdStrike Global Threat Report also warns that China and North Korea have been targeting the telecommunications industry with increased frequency, with the former seeking to steal intellectual property and gain competitive intelligence. China also continues to focus on supply chain compromises, the report notes. Such behavior has already pushed federal lawmakers to ban U.S. government agencies and employees from using Chinese telecom company and 5G leader Huawei.
Additionally, the U.S. earlier this month unveiled an indictment against four members of the Chinese People’s Liberation Army for allegedly hacking Equifax in 2017. “…[W]e’ve now got a nation-state that’s focusing on getting U.S. citizen data. And you can imagine… the goal would be to put pressure on certain people…” said Sentonas, adding that the indictment — provided the allegations are true — is a “good step toward demonstrating that this is not okay…”
To combat these and other threats, and to stop attacks from spreading past an initial point of compromise, CrowdStrike in its report recommends that user organizations adopt the “1-10-60 rule”: They must detect intrusions in under one minute, investigate incidents in 10 minutes or less, and contain and eliminate the adversary in under an hour.
In his interview, Sentonas also provided perspective on how CrowdStrike has pushed on with its mission to combat cyber threats, despite being subjected to false conspiracy theories and political attacks related to its investigation into the 2016 Russian hack of the Democratic National Committee. “Nothing’s really changed for us. We focus on our customers, we focus on stopping breaches,” he said.