Enterprises monitored by CrowdStrike's Falcon OverWatch threat hunters faced 77,000 attempts of hands-on, interactive intrusions, or approximately one potential intrusion every seven minutes, between July 1, 2021, and June 30, 2022, a 50% year-over-year increase, according to a new report from the cybersecurity company.

Breakout time, or the time an adversary takes to move laterally from an initially compromised host to another host within the victim's environment, fell to one hour and 24 minutes compared to one hour and 38 minutes during the year-earlier period, demonstrating that adversaries continue to sharpen their tradecraft, according to CrowdStrike.

The CrowdStrike research defines interactive intrusion activity as malicious activity that involves hands-on-keyboard techniques, where an adversary is actively interacting with and executing actions on a host in pursuit of their objectives. The term e-crime is the designation CrowdStrike gives to malicious intrusion activity that is criminally motivated.

"This type of activity is most commonly characterized as intrusions where adversaries are pursuing financially driven objectives, ransomware, of course, being the most prolific example," said Nick Lowe, director for Falcon OverWatch at CrowdStrike.

The number of interactive intrusions has risen along with an increase in the number of zero-day vulnerabilities and Common Vulnerabilities and Exposures (CVEs). As of Sept. 1, 2022, there were 13,000 new vulnerabilities disclosed for the year compared to 20,000 publicly disclosed vulnerabilities in all of 2021, OverWatch noted.

OverWatch focuses its hunting operations on post-exploitation behaviors rather than on specific CVEs, Lowe said.

"This approach is critical when one considers those volumes of disclosed vulnerabilities along with some of the observed trends that we see, including exploit chaining, where adversaries are combining multiple discrete series to reach their objectives," he said.

Adversaries are quick to develop working proofs of concept for newly disclosed vulnerabilities. Zero-day vulnerabilities continue to be a big problem for defenders, particularly those who are focused on individual CVEs, which makes proactive threat hunting a requirement for identifying and disrupting as-yet-unknown malicious activity, Lowe said.

Hackers continuously refine tools, techniques

Malicious actors are continually looking for new tools, according to the CrowdStrike research. Cobalt Strike, for example, is an extremely powerful and robust penetration-testing tool that has been adopted by e-crime actors, who leverage both legitimate licenses and pirated copies of the software.

"Adversaries continue to leverage the tool due to its broad feature set and ability to generate command-and-control (C2) implants that are difficult to detect. Cobalt Strike is the gold standard for adversaries and continues to receive regular updates to combat new defenses and detection methods," CrowdStrike noted in the report.

Adversaries also continue to innovate their tactics to remain under the radar and find new attack vectors as defenders close off old ones. For example, the CrowdStrike researchers observed an increase in phishing attacks using ISO files for delivery of malicious software, in the wake of Microsoft's move to disable internet-enabled macros by default in Office documents. An ISO file is an exact copy of an entire optical disk such as a CD, DVD, or Blu-ray, archived into a single file.

"We are talking really about the abuse of ISO files; this sort of behavior is another example of the many ways in which adversaries are continuing to really adapt," Lowe said.

It is essential that organizations combine their technology-based defenses with round-the-clock, human-led threat hunting, in order to make sure that they are best prepared to defend against evolving tradecraft, Lowe said.

In addition to ISO files, researchers observed adversaries using .lnk (Windows shortcut), .msi (installer) and .xll (Excel add-in) files as well. "Adversaries are diversifying their phishing toolkits with understanding that no one technique can be solely relied upon; rather, multiple tools and techniques are necessary to ensure the best chance of gaining access to today's hardened environment," the report noted.

Technology industry remains the top target

The technology sector is a popular target for criminals and nation-state adversaries for the fourth year in a row.

"Some of the motivating factors for targeted adversaries that are pursuing objectives against technology targets can include intelligence collections, specifically strategic military, economic, or scientific collection requirements, along with attempts to compromise supply chains and trusted relationships," Lowe said.

The technology sector is the top industry targeted by interactive intrusions, accounting for 19% of all such intrusions in the period studied, according to CrowdStrike. Interactive intrusion activity against the healthcare sector doubled during the period. Interactive activity against academic entities, on the other hand, increased by around 30% for the period.

Cloud under increasing risk of intrusion

Meanwhile, there is a significant shift under way from on-premises to cloud-based services. Crucial elements of many business processes are on the cloud now, easing file sharing and workforce collaboration. These same services are increasingly abused by malicious actors, a trend that is likely to continue in the foreseeable future as more businesses seek hybrid work environments, according to new research by CrowdStrike.

"We continue to see increasing efforts on the part of adversaries to target cloud-based assets. So now more than ever, it's critical for organizations to deploy that mix of technology-based controls and human-led hunting to be best positioned to combat these evolving cloud threats," Lowe said.

To defend themselves, organizations must invest in learning to harden their cloud resources, and not assume the default security settings are the best settings for their organizations, according to CrowdStrike.
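The phishing-delivery trend described earlier (ISO, .lnk, .msi and .xll files replacing macro-enabled documents) is the kind of post-exploitation behavior a hunter can look for without waiting on a specific CVE. The script below is an added example, not code from the article or from CrowdStrike: it scans constructed mail-gateway, disk-mount and process-creation records (the key=value log format, hostnames, addresses and file names are all assumptions made up for the example), flags attachments of the named container types, and raises the severity of a process launched from an ISO-backed volume when that ISO's file name matches a recently received attachment, so that an administrator installing from a known ISO is reported at a lower severity than an ISO that arrived by mail.

```python
"""Triage helper for phishing-delivery container files (added example).

Three constructed log sources are correlated:
  1. mail-gateway records  -> attachments with .iso/.lnk/.msi/.xll extensions
  2. disk-mount records    -> which drive letter on which host is ISO-backed
  3. process records       -> executables launched from an ISO-backed volume
The log format and every sample value are assumptions for this example.
"""
import re
from datetime import datetime
from pathlib import PureWindowsPath

# File types the report names as phishing delivery vehicles.
RISKY_ATTACHMENT_EXTS = {".iso", ".lnk", ".msi", ".xll"}

# Constructed sample records (hypothetical hosts, addresses and files).
MAIL_LOG = """\
2022-06-01T09:14:02Z sender=invoices@example.test recipient=alice@corp.test attachment=Invoice_2231.iso
2022-06-01T09:15:40Z sender=hr@corp.test recipient=bob@corp.test attachment=Policy.pdf
2022-06-01T09:20:11Z sender=ops@example.test recipient=carol@corp.test attachment=Report.xlsx.lnk
2022-06-01T09:22:55Z sender=vendor@example.test recipient=dave@corp.test attachment=Update.msi
2022-06-01T09:30:03Z sender=finance@corp.test recipient=alice@corp.test attachment=Q2.xll
"""

MOUNT_LOG = """\
2022-06-01T09:31:10Z host=WS-ALICE event=mount image=C:\\Users\\alice\\Downloads\\Invoice_2231.iso volume=E:
2022-06-01T10:02:44Z host=WS-BOB event=mount image=D:\\ISO\\win10.iso volume=F:
"""

PROCESS_LOG = """\
2022-06-01T09:31:25Z host=WS-ALICE event=process_create image=E:\\Invoice.exe parent=explorer.exe
2022-06-01T09:31:26Z host=WS-ALICE event=process_create image=C:\\Windows\\System32\\cmd.exe parent=explorer.exe
2022-06-01T10:03:01Z host=WS-BOB event=process_create image=F:\\setup.exe parent=explorer.exe
2022-06-01T10:10:00Z host=WS-CAROL event=process_create image=C:\\Program Files\\App\\app.exe parent=services.exe
"""

# key=value pairs; a value runs until the next " key=" or end of line, so
# paths containing spaces survive.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")


def parse_record(line):
    """Split '<timestamp> k=v k=v ...' into a dict with a parsed 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def flag_attachments(mail_log):
    """Return (recipient, attachment, extension) for risky container types.

    Only the final suffix is checked, so 'Report.xlsx.lnk' is a .lnk hit.
    """
    hits = []
    for line in mail_log.splitlines():
        rec = parse_record(line)
        ext = PureWindowsPath(rec["attachment"]).suffix.lower()
        if ext in RISKY_ATTACHMENT_EXTS:
            hits.append((rec["recipient"], rec["attachment"], ext))
    return hits


def iso_mounted_volumes(mount_log):
    """Map (host, drive letter) -> backing image for volumes mounted from .iso files."""
    mounts = {}
    for line in mount_log.splitlines():
        rec = parse_record(line)
        if rec.get("event") == "mount" and rec["image"].lower().endswith(".iso"):
            mounts[(rec["host"], rec["volume"].upper())] = rec["image"]
    return mounts


def flag_process_from_iso(process_log, mounts, attachment_hits):
    """Return (host, image, severity) for launches from an ISO-backed volume.

    Severity is 'high' when the mounted ISO's file name matches a flagged
    mail attachment, 'medium' otherwise (e.g. an admin installing from a
    locally stored ISO).
    """
    attached_names = {name.lower() for _, name, _ in attachment_hits}
    hits = []
    for line in process_log.splitlines():
        rec = parse_record(line)
        if rec.get("event") != "process_create":
            continue
        key = (rec["host"], rec["image"][:2].upper())  # e.g. ("WS-ALICE", "E:")
        if key not in mounts:
            continue
        iso_name = PureWindowsPath(mounts[key]).name.lower()
        severity = "high" if iso_name in attached_names else "medium"
        hits.append((rec["host"], rec["image"], severity))
    return hits


if __name__ == "__main__":
    attachments = flag_attachments(MAIL_LOG)
    for recipient, name, ext in attachments:
        print(f"attachment {ext} -> {recipient}: {name}")
    for host, image, severity in flag_process_from_iso(
        PROCESS_LOG, iso_mounted_volumes(MOUNT_LOG), attachments
    ):
        print(f"[{severity}] {host} launched {image} from an ISO-backed volume")
```

Running it prints four attachment hits and two process hits: the launch on WS-ALICE from the mailed Invoice_2231.iso is reported as high, while WS-BOB's launch from a locally stored installer ISO is reported as medium. The correlation step is the point: the file types alone are noisy, since .msi installers and ISO images have plenty of legitimate use, so a hunter wants the mail-to-mount-to-process chain before escalating.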