CrowdStrike’s 2018 Mid-Year Review

During the past week CrowdStrike published its 2018 Mid-Year Review, called “Observation from the front lines of threat hunting“. The report provides insights, trends and details on today’s most sophisticated cyber attacks as observed by the CrowdStrike Falcon OverWatch team.

Some interesting points of the report include:

  • CrowdStrike provides a useful heatmap that shows the number of intrusion cases attributed to an adversary, broken down by industry vertical.


  • Observed intrusions mapped to MITRE ATT&CK framework (H1 2018)


  • E-crime actors show increasing interest in cryptocurrency mining. Actors also employed techniques that allowed them to perform extensive lateral movement (via PsExec), creating as large a foothold as they could to commandeer mining resources.


  • CrowdStrike highlighted the blurring of lines between the TTPs of highly skilled nation-state adversaries and their criminally motivated counterparts. One specific manner in which this recurring trend was observed was the malicious use of TeamViewer software.
  • Actors also use a variety of defense evasion techniques, which the report lists in a table.


  • The report observes a trend of threat actors gaining access via RDP by leveraging valid credentials. The FBI and DHS have observed the same trend and released a joint report called “CYBER ACTORS INCREASINGLY EXPLOIT THE REMOTE DESKTOP PROTOCOL TO CONDUCT MALICIOUS ACTIVITY”.
  • Actors steal credentials using several TTPs: Kerberoasting, credential dumping, and harvesting passwords from Group Policy Preferences (GPP) files.
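As an added example that is not part of this post or of the CrowdStrike report, here are two simple detection heuristics for TTPs the report calls out (Kerberoasting and PsExec lateral movement), run over constructed Windows event records. The field names follow the Security/System event XML for events 4769 and 7045; the sample events and the request threshold are assumptions.

```python
# Added example, not from the CrowdStrike report or this blog post: detection
# heuristics for two TTPs the report highlights, run over constructed records.
from collections import Counter

# Constructed sample events, shaped like a SIEM's normalised Windows events
# (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "sqlsvc",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "backupsvc",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "websvc",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    # Machine-account SPN with AES (0x12): normal workstation traffic.
    {"EventID": 4769, "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "FS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.9"},
    # Service install events (System log 7045); PSEXESVC is PsExec's service.
    {"EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "Computer": "FS01"},
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": "%SystemRoot%\\System32\\spoolsv.exe", "Computer": "FS01"},
]


def kerberoast_suspects(events, threshold=3):
    """Users who requested >= threshold RC4 (0x17) service tickets for
    non-machine, non-krbtgt SPNs. Kerberoasting tooling tends to request many
    RC4 tickets in a short window; legacy hosts also use RC4, so treat hits as
    leads to triage, not verdicts. The threshold is an assumption."""
    counts = Counter()
    for e in events:
        if e.get("EventID") != 4769:
            continue
        svc = e.get("ServiceName", "")
        rc4 = e.get("TicketEncryptionType") == "0x17"
        if rc4 and not svc.endswith("$") and svc.lower() != "krbtgt":
            counts[e["TargetUserName"]] += 1
    return sorted(u for u, n in counts.items() if n >= threshold)


def psexec_service_installs(events):
    """Hosts where a PSEXESVC service was installed (event 7045), the usual
    footprint of PsExec-driven lateral movement on the target machine."""
    return sorted({e["Computer"] for e in events
                   if e.get("EventID") == 7045
                   and e.get("ServiceName", "").upper() == "PSEXESVC"})


if __name__ == "__main__":
    print("Kerberoasting suspects:", kerberoast_suspects(SAMPLE_EVENTS))
    print("PsExec service installs:", psexec_service_installs(SAMPLE_EVENTS))
```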

Enjoy and thanks to CrowdStrike for the insightful report!
