Nowhere to Hide: 2021 Threat Hunting Report

For yet another year, OverWatch disrupted a record number of interactive intrusion attempts by identifying malicious activity early and stopping adversaries in their tracks. This report shares insights from OverWatch’s around-the-clock threat hunting from July 1, 2020 through June 30, 2021. This year’s report starts with a close look at OverWatch’s extensive dataset covering observed interactive threat actor behaviors, which we will refer to in this report as “intrusion activity”. It uses this data to examine how threat actors are operating in victim environments, highlighting both rare and common techniques that adversaries are employing.

The mission of OverWatch is to augment the powerful autonomous protection of the Falcon platform with human expertise. With the combined power of human ingenuity and patent-protected work flows, OverWatch systematically sifts through 1 trillion daily events to find potential hands-on intrusions, on average 1 every 8 minutes. OverWatch operates with speed and at scale to notify victim organizations of malicious activity in near real time, ensuring intrusion attempts that incorporate novel tradecraft are identified and disrupted before the breach.

Key findings from this year’s report include:

• OverWatch has tracked a 60% increase in interactive intrusion activity in the past year. The threat of hands-on intrusion activity remains very real — OverWatch has observed and disrupted intrusions spanning all industry verticals and geographic regions.
• Adversaries have moved beyond malware. They are using increasingly sophisticated and stealthy techniques tailor-made to evade autonomous detections — of all of the detections indexed by CrowdStrike Threat Graph® in the past three months, 68% were malware-free.
• ECrime continues to dominate the threat landscape, making up 75% of interactive intrusion activity. One driver of this has been the continually evolving big game hunting (BGH) business model, which has seen the widespread adoption of both the use of access brokers to facilitate access, and the use of dedicated leak sites to extract payment.
• ECrime adversaries are moving with increasing speed in pursuit of their objectives. OverWatch observations show they are capable of moving laterally within a victim environment in an average of 1 hour and 32 minutes.
• Targeted intrusion adversaries remain a prominent threat, particularly for the telecommunications industry. While organizations of all sizes and in all verticals have the potential to become a target, the telecommunications industry stood out this year, accounting for 40% of all state-nexus intrusion activity observed by OverWatch in the past 12 months.