Dive Brief:
- Threat actors are spurning the rise of automation and using manual tactics to intrude into organizations’ networks and rapidly access sensitive data, according to CrowdStrike’s 2023 Threat Hunting Report released Tuesday.
- Attacks that use hands-on-keyboard activity, which CrowdStrike refers to as interactive intrusions, jumped 40% between July 1, 2022 and June 30, 2023, the research found. Threat actors used valid account credentials to initiate more than 3 in 5 of these attacks.
- The technology sector remained the vertical most frequently targeted by hands-on-keyboard attacks for the sixth consecutive year. Attacks targeting the financial services industry jumped 80%, making it the second-most targeted vertical, followed by the retail, healthcare and telecommunications sectors, according to CrowdStrike.
Dive Insight:
The research underscores the outsized role and prevalence of valid account credentials as an entry point for cyberattacks.
Threat actors used compromised identities in 4 in 5 of all breaches studied by CrowdStrike during the one-year period ending June 30. More than one-third of interactive intrusions involved the use of domain accounts or default accounts, the research found.
Cybercriminals are using trusted accounts to break into systems, elevate privileges and evade detection, the security vendor and incident response firm said in the report.
“The concerning ease with which adversaries can gain initial access — often simply through purchases — blurs the distinction between legitimate users and impostors,” CrowdStrike said.
Threat actors are primarily using valid account credentials to attack critical infrastructure networks and state and local agencies, too. Valid account compromises accounted for 54% of all attacks studied by the Cybersecurity and Infrastructure Security Agency’s annual risk and vulnerability assessment released last month.
These manual attacks are also getting faster: average breakout time reached an all-time record of 79 minutes, besting the previous record of 84 minutes in 2022. CrowdStrike said it observed one breakout time of just seven minutes.
Threat actors aren’t just relying on compromised valid credentials in identity-based attacks, but are also abusing other forms of identity and authentication as they improve phishing tactics and social engineering techniques to target more potential victims.
CrowdStrike reported a 160% annual increase in threat actors’ attempts to access secret keys and other credentials via cloud instance metadata APIs.
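As an added detection example (not code from the CrowdStrike report), the Python below flags requests to the documented AWS, Azure and GCP instance metadata endpoints in an assumed egress-proxy log format and singles out those that hit credential-issuing paths; the log format and sample lines are constructed.

```python
"""Flag outbound requests to cloud instance metadata services in egress logs.

Added example, not from the CrowdStrike report. The log format and sample
lines are constructed; the hosts and paths are the documented metadata
endpoints of AWS, Azure and GCP.
"""
import re
from urllib.parse import urlparse

# AWS and Azure answer on the link-local address; GCP also uses a hostname.
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal"}

# Lower-cased path prefixes under which each provider issues credentials.
CREDENTIAL_PATHS = (
    "/latest/meta-data/iam/security-credentials",    # AWS IMDS role creds
    "/latest/api/token",                             # AWS IMDSv2 session token
    "/metadata/identity/oauth2/token",               # Azure managed identity
    "/computemetadata/v1/instance/service-accounts", # GCP service-account token
)

# Assumed proxy line format: "<timestamp> <src_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def find_metadata_access(lines):
    """Return one finding per request that reaches a metadata host.

    credential_path=True marks the high-priority case: a read of a path that
    hands out keys or tokens rather than plain instance attributes.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip instead of crashing the scan
        ts, src, method, url, status = m.groups()
        parsed = urlparse(url)
        if parsed.hostname not in METADATA_HOSTS:
            continue
        findings.append({
            "ts": ts, "src": src, "method": method, "path": parsed.path,
            "status": int(status),
            "credential_path": parsed.path.lower().startswith(CREDENTIAL_PATHS),
        })
    return findings


# Constructed sample: one benign attribute lookup, two credential reads, one
# unrelated request that must not be flagged.
SAMPLE_LOG = [
    "2023-08-08T10:00:01Z 10.0.1.5 GET http://169.254.169.254/latest/meta-data/instance-id 200",
    "2023-08-08T10:00:02Z 10.0.1.5 GET http://169.254.169.254/latest/meta-data/iam/security-credentials/ 200",
    "2023-08-08T10:00:03Z 10.0.2.9 GET http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token 401",
    "2023-08-08T10:00:04Z 10.0.3.1 GET https://example.com/index.html 200",
]

if __name__ == "__main__":
    for finding in find_metadata_access(SAMPLE_LOG):
        print(finding)
```

A 401 on a token path is still worth a look: it shows something on the host tried to reach the credential endpoint, which in a hardened deployment (for example, with IMDSv2 tokens required) is what the block at the provider side is meant to catch.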
“When we talk about stopping breaches, we cannot ignore the undeniable fact that adversaries are getting faster and they are employing tactics intentionally designed to evade traditional detection methods,” Adam Meyers, head of Counter Adversary Operations at CrowdStrike, said in a statement.