Devon Kerr

Fall 2023 Global Threat Report Outro

This article highlights the essential contributions to the Global Threat Report from the Security Intelligence team, and describes three major phenomena impacting the threat landscape.


After months of diligent work, Elastic Security Labs is excited to announce the publication of the October 2023 Global Threat Report. For our second annual publication of this kind, we knew it was going to be a greater effort: not only did the volume of events increase more than 1000%, we also had entirely new types and depth of visibility from features released since our inaugural report.

It goes without saying (but let’s say it for good measure) that none of this would be possible without our users sharing more than one billion security events each year with us. And it certainly wouldn’t be possible without our Elastic colleagues who make our powerful world-spanning capability.

One essential contributor is the Threat Research and Detection Engineering team (TRaDE), who develop features like rules and investigation guides, and who assigned the legendary Terrance DeJesus to this effort. Terrance was instrumental in creating the inaugural report, applying his cloud attack surface expertise and security operations experience to this process. Another crucial team is Security Data Analytics (SDA), which is responsible for all the systems that enable us to analyze telemetry. Chris Donaher leads SDA by day (also by night, technically), and helped us comb through hundreds of millions of events this year.

The work from these teams and the rest of Elastic Security Labs shows our commitment to providing security teams with actionable intelligence about threat phenomena so they can better prepare for, resist, and evict threats. By democratizing access to knowledge and resources, including publications like the Global Threat Report, we hope to demonstrate a more effective way to improve security outcomes. We’re more secure together and we can’t succeed without each other.

In our observations, we identified the following factors as reactions to security innovations that are making environments hostile to threats:

  • Heavy adversary investments in defense evasion like using built-in execution proxies to run malicious code, masquerading as legitimate software, and software supply-chain compromise
  • Significant research devoted to bypassing, tampering with, or disabling security instrumentation
  • Increased reliance on credential theft to enable business email and cloud-resource compromise, places where endpoint visibility is not generally available

Defense Evasion

During the development of our inaugural Global Threat Report last year, we were surprised to see how often adversaries used a defense evasion capability regardless of the industry or region they targeted. After analyzing events from thousands of different environments all over the world, we better understood that defense evasion was a reaction to the state of security. It was a trend we saw again this year, just one of several forces shaping the threat landscape today.

More than 43% of the techniques and procedures we observed this year were forms of defense evasion, with System Binary Proxy Execution representing almost half of those events. These utilities are present on all operating systems and facilitate code execution: some common examples include software that interprets scripts, launches DLLs, and executes web content.

Figure 1. Top defense evasion techniques

BLISTER, a malware loader associated with financially-motivated intrusions, relied on the rundll32.exe proxy built into every version of Microsoft Windows to launch its backdoor this year. The BLISTER loader is a useful example because its authors invested a great deal of energy encrypting and obfuscating their malicious code inside a benign application. They fraudulently signed their “franken-payload” to ensure human and machine mitigations didn’t interfere.
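The proxy-execution pattern described above is something defenders can hunt for in process-creation telemetry. The following is an added illustration written for this article, not code from Elastic Security Labs or from the report: it scores constructed process events for signs that a signed Windows proxy binary (rundll32.exe, regsvr32.exe, mshta.exe) is being handed a module from a user-writable location, a module without a trusted signature, or content fetched from a URL. The watch list of proxy binaries, the directory fragments, the `ProcessEvent` field names, and the sample command lines are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Signed Windows utilities that are routinely used as execution proxies.
# Assumed watch list for this example; real rule sets are broader.
PROXY_BINARIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe"}

# Directory fragments where a module handed to a proxy binary is unexpected
# (user-writable locations rather than Windows or Program Files).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\downloads\\")

# A local path that ends in a loadable module or script (case-insensitive).
MODULE_RE = re.compile(r'[A-Za-z]:\\[^",]+?\.(?:dll|ocx|hta|sct)\b', re.IGNORECASE)
URL_RE = re.compile(r"https?://", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Minimal process-creation record; the field names are assumptions for this example."""
    image: str                   # full path of the new process executable
    command_line: str            # full command line as logged
    module_signed_trusted: bool  # whether the proxied module carries a trusted signature


def proxied_module(command_line: str) -> Optional[str]:
    """Return the first local module/script path the proxy was asked to load, or None."""
    m = MODULE_RE.search(command_line)
    return m.group(0) if m else None


def assess(event: ProcessEvent) -> List[str]:
    """Return the reasons this event looks like abused proxy execution (empty list = not flagged)."""
    name = event.image.rsplit("\\", 1)[-1].lower()
    if name not in PROXY_BINARIES:
        return []
    reasons: List[str] = []
    if URL_RE.search(event.command_line):
        reasons.append(f"{name} fetching content from a URL")
    module = proxied_module(event.command_line)
    if module is None:
        return reasons
    low = module.lower()
    if any(frag in low for frag in USER_WRITABLE):
        reasons.append(f"{name} loading {module} from a user-writable path")
    if not event.module_signed_trusted:
        reasons.append(f"{name} loading {module} without a trusted signature")
    return reasons


# Constructed sample telemetry for the example; these are not real events.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL", True),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\update.dll",Start', False),
    ProcessEvent(r"C:\Windows\System32\mshta.exe",
                 r"mshta.exe https://files.example.invalid/launch.hta", False),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", r"notepad.exe report.txt", True),
]


def triage(events: List[ProcessEvent]) -> Dict[str, List[str]]:
    """Map each flagged event's command line to its reasons; unflagged events are omitted."""
    findings: Dict[str, List[str]] = {}
    for event in events:
        reasons = assess(event)
        if reasons:
            findings[event.command_line] = reasons
    return findings


if __name__ == "__main__":
    for cmd, reasons in triage(SAMPLE_EVENTS).items():
        print(cmd)
        for reason in reasons:
            print("   -", reason)
```

The benign shell32.dll invocation from System32 produces no findings, while the Temp-directory DLL and the URL-fed mshta.exe are flagged. Note why the path heuristic sits alongside the signature check rather than replacing it: the article points out that BLISTER's payload was fraudulently signed, so a trusted-signature field alone would have passed it. In Elastic telemetry the comparable signal is carried in ECS code-signature fields such as process.code_signature.trusted, and in practice a detection like this is correlated with parent process, network activity, and file-origin data before it becomes an alert.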

Endpoint tampering

This year we also saw the growing popularity of Bring Your Own Vulnerable Driver (BYOVD), which was described by Gabe Landau in a recent publication and provides a way to load an exploitable driver on Windows systems. Drivers run with system-level privileges, but what’s more interesting is how vulnerable drivers can be used to disable or tamper with security tools. It won’t be long before more adversaries pivot from using this capability to launch malware and instead use it to uninstall security sensors.

To see this in action, look no further than your friendly neighborhood ransomware-as-a-service ecosystem. SOCGHOLISH, coincidentally the group associated with BLISTER, is one of multitudes that grew out of startup digs and became a criminal enterprise. Most of the ransomware we see is related to these kinds of services, and even as one gets disrupted it seems another is always emerging to take its place.

Figure 2. Most frequently seen ransomware infections

This is, in a very literal sense, a human phenomenon. Threats that endure periods of security innovation and disruption seem to do so by learning not to be caught, and one strategy of mature threats is to move edge-ward to Internet-facing systems, network devices, appliances, or cloud platforms where visibility is less mature. Consider the cost and relative risk of the following options: develop a feature-rich multiplatform implant with purposeful capabilities or purchase account credentials from a broker.

Credential Access

Although only about 7% of the data we analyzed involved one form of credential theft or another, 80% of those leveraged built-in operating system features. With functioning stolen credentials, many threat groups can directly interact with an enterprise’s critical data to access email, steal intellectual property, or deploy cloud resources.

Figure 3. Commonly seen credential access techniques

Abusing stolen credentials has more utility today than ever before, given the widespread adoption of cloud for storage, productivity, code management, and authentication to third-party services. For those threats that prioritize a low profile over other goals, credential theft is a shortcut with low exposure.

Insights like these, and many others, can be found in the 2023 Global Threat Report along with forecasts and threat profiles. Elastic Security Labs shares malware research, tools, intelligence analyses, as well as detection science and machine learning/artificial intelligence research.

You can download the report or check out our other assets. Reach out to us on X and get a deeper dive on the GTR results with our webinar Prepare for tomorrow: Insights from the 2023 Elastic Global Threat Report.