The CrowdStrike Falcon OverWatch™ threat hunting team has been uncovering record volumes of hands-on intrusion attempts and tracking some marked changes in adversary tradecraft. This report shares insights from OverWatch’s around-the-clock threat hunting from July 1, 2021 through June 30, 2022.[1]
The findings and data in this report reflect observations derived from OverWatch’s global hunting activities.
In this 12-month period, OverWatch threat hunters directly identified more than 77,000 potential intrusions, or approximately one potential intrusion every seven minutes. This represents thousands of instances where human-driven hunting uncovered adversaries actively seeking to evade autonomous detection methods.
Crucially, OverWatch uses each of these potential intrusions as an opportunity to hone the Falcon platform’s ability to detect and prevent similar intrusions more quickly and autonomously. During the reporting period, threat hunters distilled their findings into the development of hundreds of new behavioral-based preventions, resulting in the Falcon platform’s direct prevention of over 1 million malicious events. These behavioral-based preventions enhance the Falcon platform’s power to uncover novel adversary behavior with greater speed and scale.
This year’s report starts with a close look at OverWatch’s extensive dataset covering observed interactive threat actor behaviors, which we will refer to in this report as “intrusion activity.” It uses this data to examine how and where adversaries are operating to provide a comprehensive overview of the threat landscape.