Analyzing Threat Reports with Fabric

We’ve just added a new Pattern to fabric.

It’s called analyze_threat_report, and it’s designed to extract the most valuable parts of a cybersecurity threat report like the DBIR, the CrowdStrike and BlackBerry annual reports, etc.

The output (from the CrowdStrike 2024 Global Threat Report)

ONE-SENTENCE-SUMMARY:

The 2024 CrowdStrike Global Threat Report highlights the accelerated pace and sophistication of cyberattacks, emphasizing the critical need for advanced, AI-driven cybersecurity measures in the face of evolving threats.

TRENDS:

- Generative AI lowers the entry barrier for cyberattacks, enabling more sophisticated threats.

- Identity-based attacks and social engineering are increasingly central to adversaries' strategies.

- Cloud environments are under greater threat as adversaries advance their capabilities.

- The use of legitimate tools by attackers complicates the detection of malicious activities.

- A significant rise in supply chain attacks, exploiting trusted software for maximum impact.

- The potential targeting of global elections by adversaries to influence geopolitics.

- The emergence of 34 new adversaries, including a newly tracked Egypt-based adversary, WATCHFUL SPHINX.

- A 60% increase in interactive intrusion campaigns observed, with technology sectors being the primary target.

- A notable rise in ransomware and data-theft extortion activities, with a 76% increase in victims named on dedicated leak sites.

- North Korean adversaries focus on financial gain through cryptocurrency theft and intelligence collection.

- Stealth tactics are increasingly employed to evade detection and move laterally within networks.

- Access brokers play a crucial role in providing initial access to eCrime threat actors.

- A shift towards ransomware-free data leak operations among big game hunting adversaries.

- The growing use of cloud-conscious techniques by adversaries to exploit cloud vulnerabilities.

- An increase in the use of legitimate remote monitoring and management tools by eCrime actors.

- The persistence of access brokers in facilitating cyberattacks through advertised accesses.

- Law enforcement's increased focus on disrupting big game hunting operations and their supporting infrastructure.

- The rise of macOS malware variants targeting information stealers to expand eCrime profit opportunities.

- The adaptation of malware delivery techniques following patches for Mark-of-the-Web bypass vulnerabilities.

STATISTICS:

- Cloud-conscious cases increased by 110% year over year (YoY).

- A 76% YoY increase in victims named on eCrime dedicated leak sites.

- 34 new adversaries tracked by CrowdStrike, raising the total to 232.

- Cloud environment intrusions increased by 75% YoY.

- 84% of adversary-attributed cloud-conscious intrusions were focused on eCrime.

- A 60% year-over-year increase in the number of interactive intrusion campaigns observed.

- The average breakout time for interactive eCrime intrusion activity decreased from 84 minutes in 2022 to 62 minutes in 2023.

- The number of accesses advertised by access brokers increased by almost 20% compared to 2022.

- A 583% increase in Kerberoasting attacks in 2023.

QUOTES:

- "You don’t have a malware problem, you have an adversary problem."

- "The speed and ferocity of cyberattacks continue to accelerate."

- "Generative AI has the potential to lower the barrier of entry for low-skilled adversaries."

- "Identity-based attacks take center stage."

- "We are entering an era of a cyber arms race where AI will amplify the impact."

- "The continued exploitation of stolen identity credentials."

- "The growing menace of supply chain attacks."

- "Adversaries are advancing their capabilities to exploit the cloud."

- "The use of legitimate tools to execute an attack impedes the ability to differentiate between normal activity and a breach."

- "Organizations must prioritize protecting identities in 2024."

REFERENCES:

- CrowdStrike Falcon® XDR platform

- CrowdStrike Counter Adversary Operations (CAO)

- CrowdStrike Falcon® Intelligence

- CrowdStrike® Falcon OverWatch™

- Microsoft Outlook (CVE-2023-23397)

- Azure Key Vault

- CrowdStrike Falcon® Identity Threat Protection

- CrowdStrike Falcon® Fusion Playbooks

- CrowdStrike Falcon® Adversary Overwatch™

- CrowdStrike Falcon® Adversary Intelligence

- CrowdStrike Falcon® Adversary Hunter

RECOMMENDATIONS:

- Implement phishing-resistant multifactor authentication and extend it to legacy systems and protocols.

- Educate teams on social engineering and implement technology that can detect and correlate threats across identity, endpoint, and cloud environments.

- Implement cloud-native application protection platforms (CNAPPs) for full cloud visibility, including into applications and APIs.

- Gain visibility across the most critical areas of enterprise risk, including identity, cloud, endpoint, and data protection telemetry.

- Drive efficiency by using tools that unify threat detection, investigation, and response in one platform for unrivaled efficiency and speed.

- Build a cybersecurity culture with user awareness programs to combat phishing and related social engineering techniques.

ONE-SENTENCE-SUMMARY:

The 2024 CrowdStrike Global Threat Report highlights the escalating cyber threats, emphasizing the rise of identity-based attacks, cloud exploitation, and the strategic use of generative AI by adversaries, underscoring the urgent need for advanced cybersecurity measures.

TRENDS:

- Identity-based attacks are increasingly central to adversaries' strategies.

- Generative AI lowers the entry barrier for sophisticated cyberattacks.

- Cloud environments are becoming prime targets for exploitation.

- The use of legitimate tools by attackers complicates breach detection.

- A significant increase in supply chain attacks maximizes attack ROI.

- Adversaries are focusing on elections as high-value targets.

- The proliferation of malware-free attacks continues to rise.

- Access brokers are playing a crucial role in facilitating cyberattacks.

- Social engineering tactics are becoming more sophisticated.

- The cybersecurity landscape is witnessing a shift towards AI-native platforms.

- The convergence of data, cybersecurity, and IT is driving innovation in threat intelligence.

- The global threat landscape is experiencing a surge in interactive intrusion campaigns.

- Ransomware remains a preferred tool for big game hunting adversaries.

- The technology sector is the most targeted industry for cyberattacks.

- Breakout time for intrusions is decreasing, emphasizing the need for rapid response.

- Cyber operations focus on disruption and influence in geopolitical conflicts.

- The rise of cloud-conscious adversaries indicates a shift in attack methodologies.

- Third-party relationship exploitation is becoming a common attack vector.

- Vulnerability exploitation is moving towards "under the radar" targets.

- The eCrime landscape is evolving with new monetization routes and techniques.

- Law enforcement actions against cybercriminals are increasing but face challenges.

STATISTICS:

- Cloud-conscious cases increased by 110% year over year (YoY).

- 76% YoY increase in victims named on eCrime dedicated leak sites.

- 34 new adversaries tracked by CrowdStrike, raising the total to 232.

- Cloud environment intrusions increased by 75% YoY.

- 84% of adversary-attributed cloud-conscious intrusions were focused on eCrime.

- A 60% year-over-year increase in the number of interactive intrusion campaigns.

- The average breakout time for interactive eCrime intrusion activity decreased from 84 minutes in 2022 to 62 minutes in 2023.

- Accesses advertised by access brokers increased by 20% from 2022.

QUOTES:

- "You don’t have a malware problem, you have an adversary problem."

- "Data-theft extortion continues to be an attractive — and often easier — monetization route."

- "Over the course of 2023, CrowdStrike CAO introduced 34 new adversaries."

- "The CrowdStrike CAO team puts rapid insights into the hands of front-line teams."

- "Generative AI has massively democratized computing to improve adversary operations."

- "In 2024, individuals from 55 countries representing more than 42% of the global population will participate in elections."

- "The record number of victims named on DLSs throughout 2023 demonstrates BGH’s status as the current most significant eCrime threat."

- "Access brokers continued to profit from providing initial access to a variety of eCrime threat actors in 2023."

REFERENCES:

- CrowdStrike Falcon® XDR platform

- CrowdStrike Counter Adversary Operations (CAO)

- Microsoft Outlook CVE-2023-23397

- CrowdStrike Falcon® Intelligence

- CrowdStrike® Falcon OverWatch™

- MITRE ATT&CK® enterprise tactics

- Azure Key Vault

- CrowdStrike Falcon® Identity Threat Protection

- CrowdStrike Falcon® Fusion Playbooks

- CrowdStrike Falcon® Adversary Overwatch™

RECOMMENDATIONS:

- Prioritize identity protection and implement phishing-resistant multifactor authentication.

- Adopt cloud-native application protection platforms (CNAPPs) for comprehensive cloud security.

- Ensure visibility across endpoints, identity, cloud, and data protection telemetry to detect breaches effectively.

- Accelerate response times to match or exceed adversary speed using AI-native platforms and managed detection and response services.

- Foster a cybersecurity culture with user awareness programs and regular security practice exercises.
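The pattern emits a fixed shape (an UPPER-CASE header ending in a colon, then bullet lines), and the two runs above show that the wording, and sometimes the set of figures, changes between runs. As an added example that is not part of the original post or of the Fabric project, here is a small Python script that parses that shape into a dictionary, pulls the percentage figures out of STATISTICS, and reports which figures two runs agree on, so an analyst can check model output for consistency before a number is copied into a briefing. The two sample texts are constructed excerpts in the same shape as the output above; the function names, the regular expressions and the assumption that the output was saved to a text file are mine, not Fabric's.

```python
import json
import re
import sys

# Constructed excerpt in the shape of analyze_threat_report output (not the full run).
SAMPLE_OUTPUT = """ONE-SENTENCE-SUMMARY:

The 2024 CrowdStrike Global Threat Report highlights the accelerated pace and sophistication of cyberattacks.

TRENDS:

- Identity-based attacks are increasingly central to adversaries' strategies.

- Cloud environments are under greater threat as adversaries advance their capabilities.

STATISTICS:

- Cloud-conscious cases increased by 110% year over year (YoY).

- A 583% increase in Kerberoasting attacks in 2023.

- The average breakout time for interactive eCrime intrusion activity decreased from 84 minutes in 2022 to 62 minutes in 2023.

RECOMMENDATIONS:

- Implement phishing-resistant multifactor authentication and extend it to legacy systems and protocols.
"""

# Constructed second run: same report, different wording and a different set of figures.
SECOND_RUN = """STATISTICS:

- Cloud-conscious cases increased by 110% year over year (YoY).

- 76% YoY increase in victims named on eCrime dedicated leak sites.
"""

# A section header is an UPPER-CASE token (letters and hyphens) followed by a colon.
HEADER_RE = re.compile(r"^([A-Z][A-Z-]+):\s*$")
# A percentage figure such as "110%" or "12.5%".
PERCENT_RE = re.compile(r"(\d+(?:\.\d+)?)%")


def parse_report(text):
    """Split pattern output into {SECTION: [items]}.

    Bullet sections become lists of bullet text with the leading "- " removed;
    the unbulleted ONE-SENTENCE-SUMMARY becomes a single-element list.
    Text before the first header is ignored.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        if line.startswith("- "):
            sections[current].append(line[2:].strip())
        else:
            sections[current].append(line)
    return sections


def extract_percentages(statistics):
    """Return [{"value": float, "statement": str}] for every percent figure in the bullets."""
    found = []
    for item in statistics:
        for m in PERCENT_RE.finditer(item):
            found.append({"value": float(m.group(1)), "statement": item})
    return found


def shared_percentages(run_a, run_b):
    """Percent figures that appear in the STATISTICS of both runs, sorted ascending."""
    values_a = {p["value"] for p in extract_percentages(parse_report(run_a).get("STATISTICS", []))}
    values_b = {p["value"] for p in extract_percentages(parse_report(run_b).get("STATISTICS", []))}
    return sorted(values_a & values_b)


if __name__ == "__main__":
    # Usage: python parse_threat_report.py run1.txt run2.txt  (files hold saved pattern output)
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fa, open(sys.argv[2], encoding="utf-8") as fb:
            a, b = fa.read(), fb.read()
    else:
        a, b = SAMPLE_OUTPUT, SECOND_RUN
    print(json.dumps(parse_report(a), indent=2))
    print("figures present in both runs:", shared_percentages(a, b))
```

Figures that appear in only one run are not necessarily wrong, but they are the ones worth opening the source report to confirm; the ones both runs agree on can be checked more quickly.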

The project

To use this, and all the other Patterns in Fabric, head over to the project page.


