Press release

CrowdStrike 2023 Threat Hunting Report Reveals Identity-Based Attacks and Hands-on-Keyboard Activity on the Rise as Adversaries Look to Bypass Defenses

Crowdstrike Holdings, Inc., August 8, 2023

A 583 percent increase in Kerberoasting identity attacks and 3x spike in malicious use of legitimate RMM tools take center stage, while adversary breakout time hits a record low

AUSTIN, Texas & LAS VEGAS--(BUSINESS WIRE)--BLACK HAT USA -- CrowdStrike (Nasdaq: CRWD) today announced the release of the CrowdStrike 2023 Threat Hunting Report. The company’s sixth annual edition of the report, which covers attack trends and adversary tradecraft observed by CrowdStrike’s elite threat hunters and intelligence analysts, revealed a massive increase in identity-based intrusions, growing expertise by adversaries targeting the cloud, a 3x spike in adversary use of legitimate remote monitoring and management (RMM) tools, and a record low in adversary breakout time.

Covering adversary activity between July 2022 and June 2023, the report is the first to be published by CrowdStrike’s newly unveiled Counter Adversary Operations team, which was officially announced this week at Black Hat USA 2023.

Key findings from the report include:

583% increase in Kerberoasting identity attacks highlights massive escalation in identity-based intrusions: CrowdStrike found an alarming nearly 6x year-over-year (YoY) spike in Kerberoasting attacks, a technique adversaries can abuse to obtain valid credentials for Microsoft Active Directory service accounts, often providing actors with higher privileges and allowing them to remain undetected in victim environments for longer periods of time. Overall, 62% of all interactive intrusions involved the abuse of valid accounts, while there was a 160% increase in attempts to gather secret keys and other credentials via cloud instance metadata APIs.

312% YoY increase in adversaries leveraging legitimate RMM tools: Giving further credence to reports from CISA, adversaries are increasingly using legitimate and well-known remote IT management applications to avoid detection and blend into the noise of the enterprise in order to access sensitive data, deploy ransomware or install more tailored follow-on tactics.

Adversary breakout time hits an all-time low of 79 minutes: The average time it takes an adversary to move laterally from initial compromise to other hosts in the victim environment fell from the previous all-time low of 84 minutes in 2022 to a record 79 minutes in 2023. Additiona...
