Elastic released the
2022 Elastic Global Threat Report,
detailing the evolving nature of cybersecurity threats, as well as the
increased sophistication of cloud and endpoint-related attacks.
The identified trends provide organizations with the operational
intelligence needed to fortify their security technology and the
strategies required to observe and protect mission-critical business
systems against cyber threats. This report is produced by Elastic Security Labs,
the company's threat research, malware analysis, and detection
engineering team, and compiled using telemetry from worldwide
deployments of Elastic Security from August 2021 to August 2022.
Key trends covered in the report include:
Human error poses the greatest risk to cloud security as users overestimate the security of their cloud deployments
Nearly 1 in 3 (33%) attacks in the cloud leverage credential access,
indicating that users often overestimate the security of their cloud
environments and consequently fail to configure and protect them
adequately.
Additional key cloud security findings:
- Nearly 57% of cloud security telemetry came from AWS, followed by 22% from Google Cloud and 21% from Azure.
- AWS: More than 74% of alerts related to credential access, initial access, and persistence tactics, with nearly 57% of techniques related to attempted application access token theft, one of the most common forms of credential theft in the cloud.
- Google Cloud: Nearly 54% of alerts related to service account abuse, with 52% of techniques leveraging account manipulation, indicating that service account compromise remains rampant when default account credentials aren't changed.
- Microsoft Azure: More than 96% of alerts related to authentication events, with 57% of authentication events attempting to retrieve OAuth2 tokens.
- 58% of initial access attempts used a combination of traditional brute-force attempts and password spraying with previously compromised credentials.
Commercial software designed to help security teams is being used by threat actors to evade those same teams
While commercial adversary simulation software such as CobaltStrike
is helpful to many teams' defense of their environments, it is also
being used as a malicious tool for mass-malware implants. Elastic
Security Labs found that CobaltStrike was the most widespread malicious
binary or payload for Windows endpoints accounting for nearly 35% of all
detections, followed by AgentTesla at 25% and RedLineStealer at 10%.
Additional key malware findings:
- More than 54% of all global malware infections were detected on Windows endpoints, while more than 39% were on Linux endpoints.
- Nearly 81% of malware observed globally was trojan-based, followed by cryptominers at 11%.
- MacKeeper ranked as the highest threat for macOS at nearly 48% of all detections, with XCSSet in second place at nearly 17%.
Endpoint attacks are becoming more diverse in efforts to bypass defenses
More than 50 endpoint infiltration techniques are being utilized by
threat actors, suggesting that endpoint security is working well, as its
sophistication requires threat actors to continually find new or novel
methods of attack to be successful.
Three MITRE ATT&CK® tactics represented 66% of all endpoint infiltration techniques:
- A combined 74% of all defense evasion techniques consisted of masquerading (44%) and system binary proxy execution (30%). This indicates that, in addition to bypassing security instrumentation, defense evasion techniques also bypass visibility, resulting in longer dwell times for threats.
- 59% of execution techniques related to command and native scripting interpreters, followed by 40% attributed to Windows Management Instrumentation abuse, indicating that adversaries abuse PowerShell, Windows Script Host, and Windows shortcut files to execute commands, scripts, or binaries.
- Nearly 77% of all credential access techniques are attributed to OS credential dumping with commonly known utilities. This follows the trend of adversaries relying on valid accounts to draw less suspicion from administrators in hybrid deployment environments spanning on-premise hosting and cloud service providers.
While credential access techniques have long been a priority for
attackers, adversary investment in defense evasion techniques indicates a
reaction to improvements in security technologies that have been
impacting their success. When combined with execution techniques,
attackers are able to bypass advanced endpoint controls while remaining
undetected within organizations' environments.
"To effectively prevent cybersecurity threats, organizations need more
than just great security software; they need a program that extends to
shared insights and best practices and a community focused on security
data intelligence to extend the value of that product for customers,"
said
Ken Exner, Chief Product Officer, Elastic. "The 2022 Elastic
Global Threat Report is an important part of our holistic security
program offering, and we are excited to share our visibility,
capability, and expertise with the broader community."
View the full findings of the
2022 Elastic Global Threat Report