The 2024 Elastic Global Threat Report: Visibility enhanced

Elastic Security Labs has released the 2024 Elastic Global Threat Report, surfacing the most pressing threats, trends, and recommendations to help keep organizations safe for the upcoming year. Threat actors are finding success from the use of offensive security tools (OSTs), a misconfiguration of cloud environments, and a growing emphasis on Credential Access. This report explores key telemetry from over a billion data points with emphasis on malware trends, adversary tactics, cloud security, and generative AI curated by Elastic Security Labs.

“Understanding the top techniques in the cloud is invaluable to a cloud native company like us,” said Raymond Schippers, the security engineering director for detection and response at Canva, “but we get the most value out of the threat profiles. Most vendors just release a name but having the diamond models helps us understand how you are attributing activity to an adversary. The Global Threat Report provides a great sanity check to ensure that our priorities are aligned with what adversary activity is occurring.”

Download the 2024 Elastic Global Threat Report to gain an in-depth understanding of the threat landscape.

Threat actors abuse these legitimate security tools, and security teams need to understand what malicious usage of these tools looks like. The better you understand OST capabilities, the better you’ll understand malware. 

For a deeper dive into how adversaries are abusing Cobalt Strike, check out Elastic Security Labs’ breakdown on REF0657 and the protections created for Elastic Security: Unmasking a Financial Services Intrusion. 

Since its debut, the debate around generative AI has been prevalent. Between the suite of defensive AI capabilities we’ve released and research we published back in May, Elastic is no stranger to this conversation either. A lot of organizations are falling victim to fear, and they ask us for our stance on the technology.

One of the most prevalent issues was around storage and is seen with nearly 47% of Microsoft Azure failures tied to storage accounts and 30% of Amazon Web Services (AWS) failures coming from S3 checks. Google Cloud users aren’t free from misconfigurations either with nearly 44% of failed checks coming from BigQuery — specifically a lack of customer managed encryption. 

Security teams must ensure that cloud resources are protected appropriately and audited regularly. One of the largest takeaways from the CSPM section is the fact that more than 50% of S3 checks that failed did so because of multifactor authentication misconfigurations:

While it can feel like a Herculean effort, it is crucial for security teams to remember that security tools must be tuned and audited regularly. The InfoSec team here at Elastic knows how difficult this is and have written a blog detailing how they rolled out organization-wide, phishing-resistant MFA. 

Accounting for 23.12% of all cloud behaviors, the prevalence of Credential Access is observed mostly in Microsoft Azure environments. Specifically, Elastic Security Labs observed a 12% increase in Brute Force techniques — making up almost 35% of all techniques in Microsoft Azure. 

Organizations must be aware of the increase in Brute Force attacks, an item seen multiple times in different environments throughout our report. The emphasis on Credential Access goes a step further for the endpoints in our telemetry.

Ranking as the fourth most prominent threat tactic, Credential Access is important to note based on the rise in information stealers and access broker networks. This seemingly minor increase of 3% since last year hardly captures the impact that threat actors have achieved with legitimate stolen credentials.

The emphasis here involves techniques like Unsecured Credentials, which rose 31% in Windows endpoints from last year’s analysis. Within Unsecured Credential techniques, Elastic observed that nearly 50% involved stealing credentials from browsers.

Another example of the rising popularity of Brute Force attacks can be found within Linux environments. While endpoint behaviors account for only 3.2% of the total, 89% of those behaviors involve Brute Force attacks — highlighting the importance of Linux infrastructure, which remains public-facing while maintaining organization-critical applications. 

Efforts to mitigate Defense Evasion tactics in security tools have been successful as seen with a 6% decrease in behaviors over the last year. Despite this, threat actors will continue using every available weapon to attack. 

The release and timing of any features or functionality described in this post remain at Elastic's sole discretion. Any features or functionality not currently available may not be delivered on time or at all.

In this blog post, we may have used or referred to third party generative AI tools, which are owned and operated by their respective owners. Elastic does not have any control over the third party tools and we have no responsibility or liability for their content, operation or use, nor for any loss or damage that may arise from your use of such tools. Please exercise caution when using AI tools with personal, sensitive or confidential information. Any data you submit may be used for AI training or other purposes. There is no guarantee that information you provide will be kept secure or confidential. You should familiarize yourself with the privacy practices and terms of use of any generative AI tools prior to use. 

Elastic, Elasticsearch, ESRE, Elasticsearch Relevance Engine and associated marks are trademarks, logos or registered trademarks of Elasticsearch N.V. in the United States and other countries. All other company and product names are trademarks, logos or registered trademarks of their respective owners.