CrowdStrike today released its fourth annual Threat Hunting Report Nowhere to Hide: 2022 Falcon OverWatch Threat Hunting Report. The global report shows a record-breaking 50 percent year-over-year increase in hands-on attack attempts, as well as significant changes in attack trends and attackers’ modus operandi. The Falcon OverWatch Threat Hunter identified more than 77,000 potential attack attempts, which equates to approximately one attack attempt every seven minutes. These are cases where proactive, human-led threat hunting has uncovered attackers who have actively used malicious techniques at various stages of the attack chain. In doing so, they do everything they can to evade autonomous detection methods.

Falcon OverWatch calculated that the breakout time (i.e., the average time it takes an attacker to move from the initial compromise to other hosts within the victim environment) for eCrime attackers has dropped to 1 hour and 24 minutes, compared to 1 hour and 38 minutes that Falcon OverWatch was still using for the CrowdStrike Global Threat Report 2022 identified. In addition, the OverWatch team found that in about one-third (30%) of these eCrime attacks, the attacker was able to move laterally in less than 30 minutes. These findings underscore the speed and extent to which threat actors are evolving their tactics, techniques, and procedures (TTPs) and are able to circumvent even the most advanced technology-based defenses to successfully achieve their goals.

“Over the past 12 months, the world has faced new challenges triggered by economic pressures and geopolitical tensions, creating a threat landscape that is more complicated than ever before,” said Param Singh, vice president, Falcon OverWatch at CrowdStrike. “To thwart brazen threat actors, security teams must implement solutions that proactively scan for covert and advanced attacks at all hours of the day and night. Combining the CrowdStrike Falcon platform with the telemetry, tools, threat intelligence and human ingenuity of the Falcon OverWatch Threat Hunter protects organizations worldwide from the most sophisticated and hard-to-detect threats.”

Other key findings from the report include:

• eCrime is primarily responsible for interactive burglary campaigns. eCrime was responsible for 43 percent of interactive intrusions, while state actors accounted for 18 percent of activity. Hacktivists accounted for only one percent of interactive intrusion campaigns, while the remaining intrusions could not be attributed.
• Attackers are relying less and less on malware. Malware-free attacks accounted for 71 percent of all attacks carried out by the CrowdStrike Threat Graph indexed detections. The prevalence of malware-free attacks is related in part to the large-scale misuse of valid credentials by attackers to facilitate access to and retention in victim environments. Another factor is the speed at which new vulnerabilities are discovered and the speed at which attackers are able to implement exploits.
• The technology industry is the primary target industry for interactive attacks. The top five targeted industries are technology (19%), telecommunications (10%), manufacturing (7%), higher education (7%), and healthcare (7%). It is noteworthy that the technology industry was almost twice as likely to be the target of interactive intrusions as the second most targeted industry.
• The telecommunications sector is the most important industry for targeted attacks by state actors. The top five targeted industries are telecommunications (37%), technology (14%), government (9%), academia (5%), and media (4.5%). The telecommunications industry continues to be the target of state-sponsored surveillance, intelligence, and counterintelligence activities. In this context, the telecommunications industry experienced 163 percent more targeted interventions by state actors than the industry that was targeted second most often.
• Healthcare is in the crosshairs of Ransomware-as-a-Service (RaaS). The volume of attempted interactive attacks on healthcare has doubled from the previous year. The vast majority of these intrusions are attributed to eCrime.

The report covers the findings of Falcon OverWatch’s global threat hunting activities from July 1, 2021 to June 30, 2022, and includes detailed attack data and analysis, case studies, and actionable recommendations.