Analyzing Threat Reports with Fabric

We’ve just added a new Pattern to fabric.

It’s called analyze_threat_report, and it’s designed to extract all the most valuable parts of a cybersecurity threat report like the DBIR report, Crowdstrike, Blackberry, etc.

The output (from the Crowdstrike 2024 Global Threat Report)

ONE-SENTENCE-SUMMARY:

The 2024 CrowdStrike Global Threat Report highlights the accelerated pace and sophistication of cyberattacks, emphasizing the critical need for advanced, AI-driven cybersecurity measures in the face of evolving threats.

TRENDS:

- Generative AI lowers the entry barrier for cyberattacks, enabling more sophisticated threats.

- Identity-based attacks and social engineering are increasingly central to adversaries' strategies.

- Cloud environments are under greater threat as adversaries advance their capabilities.

- The use of legitimate tools by attackers complicates the detection of malicious activities.

- A significant rise in supply chain attacks, exploiting trusted software for maximum impact.

- The potential targeting of global elections by adversaries to influence geopolitics.

- The emergence of 34 new adversaries, including a newly tracked Egypt-based adversary, WATCHFUL SPHINX.

- A 60% increase in interactive intrusion campaigns observed, with technology sectors being the primary target.

- A notable rise in ransomware and data-theft extortion activities, with a 76% increase in victims named on dedicated leak sites.

- North Korean adversaries focus on financial gain through cryptocurrency theft and intelligence collection.

- Stealth tactics are increasingly employed to evade detection and move laterally within networks.

- Access brokers play a crucial role in providing initial access to eCrime threat actors.

- A shift towards ransomware-free data leak operations among big game hunting adversaries.

- The growing use of cloud-conscious techniques by adversaries to exploit cloud vulnerabilities.

- An increase in the use of legitimate remote monitoring and management tools by eCrime actors.

- The persistence of access brokers in facilitating cyberattacks through advertised accesses.

- Law enforcement's increased focus on disrupting big game hunting operations and their supporting infrastructure.

- The rise of macOS malware variants targeting information stealers to expand eCrime profit opportunities.

- The adaptation of malware delivery techniques following patches for Mark-of-the-Web bypass vulnerabilities.

STATISTICS:

- Cloud-conscious cases increased by 110% year over year (YoY).

- A 76% YoY increase in victims named on eCrime dedicated leak sites.

- 34 new adversaries tracked by CrowdStrike, raising the total to 232.

- Cloud environment intrusions increased by 75% YoY.

- 84% of adversary-attributed cloud-conscious intrusions were focused on eCrime.

- A 60% year-over-year increase in the number of interactive intrusion campaigns observed.

- The average breakout time for interactive eCrime intrusion activity decreased from 84 minutes in 2022 to 62 minutes in 2023.

- The number of accesses advertised by access brokers increased by almost 20% compared to 2022.

- A 583% increase in Kerberoasting attacks in 2023.

QUOTES:

- "You don’t have a malware problem, you have an adversary problem."

- "The speed and ferocity of cyberattacks continue to accelerate."

- "Generative AI has the potential to lower the barrier of entry for low-skilled adversaries."

- "Identity-based attacks take center stage."

- "We are entering an era of a cyber arms race where AI will amplify the impact."

- "The continued exploitation of stolen identity credentials."

- "The growing menace of supply chain attacks."

- "Adversaries are advancing their capabilities to exploit the cloud."

- "The use of legitimate tools to execute an attack impedes the ability to differentiate between normal activity and a breach."

- "Organizations must prioritize protecting identities in 2024."

REFERENCES:

- CrowdStrike Falcon® XDR platform

- CrowdStrike Counter Adversary Operations (CAO)

- CrowdStrike Falcon® Intelligence

- CrowdStrike® Falcon OverWatchTM

- Microsoft Outlook (CVE-2023-23397)

- Azure Key Vault

- CrowdStrike Falcon® Identity Threat Protection

- CrowdStrike Falcon® Fusion Playbooks

- CrowdStrike Falcon® Adversary OverwatchTM

- CrowdStrike Falcon® Adversary Intelligence

- CrowdStrike Falcon® Adversary Hunter

RECOMMENDATIONS:

- Implement phishing-resistant multifactor authentication and extend it to legacy systems and protocols.

- Educate teams on social engineering and implement technology that can detect and correlate threats across identity, endpoint, and cloud environments.

- Implement cloud-native application protection platforms (CNAPPs) for full cloud visibility, including into applications and APIs.

- Gain visibility across the most critical areas of enterprise risk, including identity, cloud, endpoint, and data protection telemetry.

- Drive efficiency by using tools that unify threat detection, investigation, and response in one platform for unrivaled efficiency and speed.

- Build a cybersecurity culture with user awareness programs to combat phishing and related social engineering techniques.

The project

To use this, and all the other Patterns in Fabric, head over to the project page.

And here’s the specific Pattern. analyze_threat_report.