Guiding your organization with the 2024 Elastic Global Threat Report

The 2024 report showed 54% of malware was linked to offensive security tools (OSTs) — tools that are used to test and identify flaws in environments. These tools are created by defense-oriented individuals and groups — some of whom have budgets for research and development. Threat actors are drawn to these tools for the ease and efficiency they provide when executing their objectives.  

My thoughts: Cobalt Strike has been the most prevalent malware for the last few years and threat actors are sticking with it. If you’re prepared for it, you’ll be okay. 

How can I address this with my organization?
Concern: We shouldn’t be using OSTs because they’re being abused by threat actors. 

Rebuttal: Using an OST in your environment will not increase the risk of this type of attack. OSTs provide important details of the security environment and can be powerful tools for simulations like red teaming or pen testing. We can prepare for these potential threats by keeping our defenses up to date.

Our researchers found that many cloud environments are misconfigured. The report has a clear breakdown of issues per cloud service provider (CSP) and revealed some pretty harrowing misconfigurations, including storage accounts and multifactor authentication (MFA).

My thoughts: Cloud providers need to strike a balance between usability and security when considering default policies while ensuring the cloud environment provides the optimal cost and performance. Try to identify the middle ground between what your team can manage and what you should prioritize per industry benchmarking and reports. 

How can I address this with my organization?
Concern: How can we ensure that we’re using the best security practices and minimizing risk within our cloud environment?

Rebuttal: While we can encourage CSPs to provide more secure defaults, CSP benchmarking is designed to aid with the complexity of cloud security. Identify what your CIS benchmark is and outline your plan to raise it.

Within endpoints, Defense Evasion accounted for nearly 38% of all tactics. The overall distribution of alerts highlighted a growth of Process Injection techniques, which accounted for 53% of all Windows Defense Evasion alerts. 

My thoughts: The growing emphasis on Process Injection makes sense because defensive technologies improved to fight the technique that held the majority previously, so attackers are forced to shift to a different approach.

How can I address this with my organization?
Concern: We need to focus on tuning our environment for Process Injection attacks. 

Rebuttal: While it’s more prevalent, the increase in these techniques doesn’t mean that attackers won’t use other types of attacks. Security teams should be wary and continue tuning their environment for threats of all kinds.

Credential Access is the major adversary tactic used in cloud environments, accounting for 23% of all alerts and is bolstered by the rise in infostealers. 

My thoughts: Credential leakage and account manipulation are still the top techniques in cloud, which means the basics are still critical. Implementing the principle of least privilege and strong authentication is going to make a large difference. The best way to reduce the risk of credential exposure is a mix of prevention and monitoring — security teams must understand their inventory of secrets and credentials and where those are used.

How can I address this with my organization?
Concern: Credentials are mostly leaked by users. 

Rebuttal: Credentials are a critical asset and should be treated as such — security training will only do so much. Implementing least privilege and phishing-resistant MFA along with identity providers (IdPs) can lower exposure. Organizations can further bolster their environment with user and entity behavior analytics (UEBA) and authentication-focused analytics to monitor for outliers.

It’s a hot topic, but Elastic Security Labs didn’t see a massive increase in AI-propelled attacks this year — only a slight increase in attack volume. 

My thoughts: My team has benefited from Elastic’s innovative generative AI (GenAI) capabilities. We frequently utilize the machine learning-based detection rules and Attack Discovery — both of which have increased our ability to automate security workflows while providing peace of mind to me and my team. 

How can I address this with my organization?
Concern: GenAI benefits attackers. 

Rebuttal: GenAI has had a widely observed positive impact on defenders by addressing threats with advanced analytics and providing quick and reliable AI guidance.

As security professionals, we have to stay up to date on the threat landscape. Reading through the 2024 Elastic Global Threat Report will provide a lot of important information to you and your InfoSec teams. 

Reading this report not only sheds light on emerging trends, but it also equips us with the knowledge required to make informed decisions about our security strategies. Join our researchers for a deeper discussion of these insights in the upcoming webinar, Revealing the threat landscape.