5 Big CrowdStrike Updates On Threat Hunting And Intel

The company’s 2023 Threat Hunting Report reveals a surge in identity-based and RMM-driven cyberattacks, while CrowdStrike announced its new Counter Adversary Operations service.

Changing Threats

Cybersecurity giant CrowdStrike is looking to remain at the forefront of helping to thwart evolving cyber threats, with a major new release of both threat intelligence and services Tuesday. As the Black Hat 2023 conference gets underway this week in Las Vegas, the announcements include the release of the CrowdStrike 2023 Threat Hunting Report and a significant expansion of the company’s threat hunting services.

[Related: CrowdStrike: More Cybercriminals Ditching Ransomware To Focus On Data Extortion]

CrowdStrike’s new threat hunting report captures how threats are continuing to adapt as traditional ransomware attacks become harder to succeed at, thanks in part to EDR (endpoint detection and response) technologies that CrowdStrike helped to pioneer and popularize. Meanwhile, the cybersecurity vendor also announced the introduction of an expanded threat hunting service, Counter Adversary Operations, as well as what the company is calling the first threat hunting offering focused on identity-based attacks.

Currently, “identity threats are No. 1,” Adam Meyers, head of Counter Adversary Operations at CrowdStrike, said in an interview with CRN. “I think this is reflective of the fact that we’ve done a pretty good job on the endpoint side of things.”

Now, rather than working harder to be able to continue using the same endpoint-focused methods that have worked in the past, attackers are putting their energies into blending in — exploiting trusted identities and “living off the land” by compromising legitimate tools such as RMM (remote monitoring and management), according to Meyers. Threat actors are “moving increasingly to using compromised identities and living off the land to make it more difficult to detect what they’re up to,” he said.

What follows are five big CrowdStrike updates on threat intelligence and hunting.

Identity Attacks Surge

In CrowdStrike’s 2023 Threat Hunting Report, threat hunters reported a “massive escalation” in intrusions that exploited identity-based methods. Specifically, the report found a nearly 6X increase, year-over-year, in a type of attack known as Kerberoasting. The technique can be used to steal legitimate Active Directory credentials that allow for elevated privileges, which can be exploited by attackers to stay undetected in targeted environments. The CrowdStrike report also found that 62 percent of interactive intrusions included some abuse of valid, legitimate accounts. Additionally, the report found a 160 percent jump in attempts by attackers to obtain credentials such as secret keys from cloud metadata APIs.

RMM Abuse On The Rise

Malicious use of RMM (remote management tools) continues to pose a growing threat, with CrowdStrike’s 2023 Threat Hunting Report reporting a 312-percent jump in abuse of RMM platforms by attackers, year-over-year. Notably, 14 percent of interactive intrusions tracked by CrowdStrike threat hunters utilized RMM tools, according to the report. “Rather than deploying tools that are going to trip the EDR, they’re going to use an RMM tool, because those are tools that are less alerting to the security team,” CrowdStrike’s Meyers told CRN. “Many organizations use them internally already. It’s how they blend in and hide better. The whole goal is to create more space to operate and a longer time to operate. And this is how they do that.”

Ultimately, “the longer they can go undetected, the more data they can steal and the more opportunity they have to do data extortion or accomplish whatever their goal is,” he said.

Counter Adversary Operations

In tandem with the new threat hunting report, CrowdStrike announced the formation of its Counter Adversary Operations unit, which combines the company’s Falcon OverWatch managed threat hunting service with its Falcon Intelligence offering. The operation, led by Meyers, “gives us the ability to really link together intelligence and hunting and action it much faster,” he told CRN. By bringing those two sides together, it enables CrowdStrike to “really create a disruptive environment where we raise the cost for the adversary and make it difficult for them to operate,” Meyers said. CrowdStrike’s 2023 Threat Hunting Report is the first report published by the Counter Adversary Operations unit, the company said.

Identity Threat Hunting

The first new combined offering from CrowdStrike’s Counter Adversary Operations team is Identity Threat Hunting, the company announced Tuesday. The service is available now, at no cost, for users of the CrowdStrike Falcon OverWatch Elite offering. The service takes what CrowdStrike’s OverWatch team has been doing around threat hunting on the endpoint layer, and bringing that to identity-based threats — the first identity-focused threat hunting offering to date, according to Meyers. The service is “using the same intelligence and know-how that we have developed on the threat hunting side to go after identity-based threats,” he said. Key focus areas of the service will include preventing lateral movement and earlier detection of credentials that have been compromised, according to CrowdStrike.

Organizations ’Need To Be Nimble’

The evolution of attacker techniques to focus on identities and legitimate tools means that organizations must also be willing to adapt in response, Meyers told CRN. “As enterprises are changing their security posture and investing in different technologies, adversaries aren’t trying to get past them — they’re trying to go around them. They’re trying to find different ways to out-maneuver them,” he said. “And so organizations need to be nimble. And we think that our combination of human analytics, our threat hunting, and our threat intelligence are really helping to differentiate organizations that [are using CrowdStrike’s offerings] from those that are not.”