Improving readiness for ransomware

The CrowdStrike Services Cyber Front Lines Report brings together the insights and observations of dedicated CrowdStrike team members from all corners of the globe, who work tirelessly to help organizations defend against and recover from intrusions every day.

Not only does the report provide a clear picture of how adversaries are adapting to today’s realities, it also includes concrete recommendations that you can implement in your organization today to improve your cybersecurity readiness.

The findings and trends in this report are derived from data points and insights collected from a wide variety of incident response (IR) engagements and proactive services activities over the past 12 months.

Key findings from these metrics include:

Financially motivated attacks represented 63% of CrowdStrike Services cases over the past year, with 81% of financially motivated attacks involving the deployment of ransomware or a precursor to ransomware activities.

In at least 30% of incident response engagements, CrowdStrike observed the organization’s antivirus solutions were either incorrectly configured with weak prevention settings or not fully deployed across the environment, which may have been a factor in the threat actor gaining and maintaining access.

The Services team looked at organizations that experienced an intrusion and then leveraged CrowdStrike to manage their endpoint protection and remediation efforts moving forward. CrowdStrike identified that 68% of those organizations experienced another intrusion attempt, which was prevented.

Rather than thinking of intrusion response as a one-off emergency activity, mature organizations plan for real-time, continuous monitoring and response.

CrowdStrike’s Falcon Complete managed service offering reduced the average time to detect, investigate and remediate from a total of 162 hours — nearly seven days — to less than one hour for customers.

Outside counsel retained CrowdStrike to advise its clients in 49% of the incidents investigated in 2020.

In addition to these findings, CrowdStrike’s incident responders identified a number of key themes in 2020. Organizations should be mindful of the following:

Networks around the world were turned inside out as office workers became remote workers, with dramatic effects on how attackers target organizations and how defenders must react.

Not content with just encrypting data for extortion, eCrime actors are increasingly destroying and/or threatening to leak data, as they target ever-larger ransom payments.

The global pandemic accelerated digital transformation - including cloud adoption - for many organizations, and attackers took advantage of this attack surface.

Defending the cloud requires additional planning and focus beyond traditional on-premises networks.

CrowdStrike observed significant increases in attackers targeting public-facing applications and services in 2020. Defenders must continue to be vigilant to ensure no exterior gaps exist for an adversary to use as an initial foothold.

While eCrime actors got most of the headlines in 2020, state-sponsored adversaries remained active across a wide range of sectors. Detecting and stopping these sophisticated intrusions requires a well-coordinated and holistic response.

An intrusion can happen to any organization - how you respond and learn from prior incidents can make a significant difference on the impact of the next breach.

Organizations that heed the observations and recommendations in this report will see significant improvements in their ability to defend against many of the common types of attacks.

CrowdStrike is here to help, providing highly skilled cybersecurity professionals who partner with clients, ensuring that the adversaries are defeated and any damage is quickly remediated.

Click here to read the CrowdStrike Services Cyber Front Lines Report