
CrowdStrike Launches Managed Service Focused on Protecting Credentials – Source: securityboulevard.com


Source: securityboulevard.com – Author: Michael Vizard

CrowdStrike this week added a managed service to disrupt the operations of cybercriminals that have evolved their tactics and techniques to focus on compromising credentials.

The CrowdStrike Counter Adversary Operations service extends the existing managed threat hunting service, dubbed CrowdStrike OverWatch, by combining cybersecurity professionals with artificial intelligence (AI) capabilities embedded within the Falcon portfolio of cybersecurity platforms.


Param Singh, vice president for OverWatch at CrowdStrike, said rather than focusing on malware that might be installed in an IT environment, the CrowdStrike Counter Adversary Operations service is more squarely focused on identifying cybercriminals that are using stolen credentials to steal data.

That shift in approach is partly driven by a shift in attack patterns. Cybercriminals are relying less on malware that can now be more readily detected and instead are stealing credentials to access systems. Once they gain access, those cybercriminals are careful not to engage in any overt activity that might be easily detected, he added.

They then proceed to “live off the land” and to surreptitiously exfiltrate data in a way that is difficult to detect without help from an AI platform that can analyze trillions of telemetry events. Cybersecurity analysts on their own are not as likely to identify the anomalous behavior, noted Singh.

A CrowdStrike report published this week highlights the extent of this challenge. There has been a 583% increase year-over-year in Kerberoasting identity attacks, a technique adversaries use to obtain valid credentials for Microsoft Active Directory service accounts. There has also been a 312% increase in instances where cybercriminals have compromised legitimate remote management and monitoring (RMM) tools to access IT environments.

In addition, there was a 160% increase in attempts to gather secret keys and other credentials via cloud metadata application programming interfaces (APIs).

Overall, 62% of all interactive intrusions involved the abuse of valid accounts, the report found.

Making matters even more challenging, the time between when a cybercriminal compromises an IT environment and when they begin to move laterally across an organization has now fallen to 79 minutes, on average, with seven minutes recorded as the fastest breakout time.

Hopefully, as more organizations embrace zero-trust IT policies, the blast radius of any cyberattack that relies on compromised credentials will be contained more quickly. The challenge today is that too many end users have privileges that enable them to access enterprise applications and systems that they don’t really need.

In the meantime, however, cybersecurity may get worse simply because it’s too easy to identify and steal end users’ username and password combinations. In theory, multifactor authentication (MFA) would go a long way to reducing those risks, but the pace at which MFA is being adopted remains slow; it’s still too cumbersome to implement and manage.

One way or another, approaches to cybersecurity will need to change. In the absence of any meaningful visibility into what credentials might be compromised, far too many organizations don’t even know how much of their data has already been stolen.


Original Post URL: https://securityboulevard.com/2023/08/crowdstrike-launches-managed-service-focused-on-protecting-credentials/

Category & Tags: Analytics & Intelligence, Cybersecurity, Data Security, Featured, Identity & Access, News, Security Boulevard (Original), Social Engineering, Spotlight, Threat Intelligence, Threats & Breaches, Vulnerabilities, credentials, CrowdStrike, identity, managed services
