The 2024 Elastic Global Threat Report: Forecasts and recommendations


Yesterday, Elastic Security Labs released the 2024 Elastic Global Threat Report, a comprehensive look at more than 1 billion data points from Elastic’s unique telemetry. The report provides insights into the methods, techniques, and trends of threat actors from the perspective of defenders — giving crucial insights for security teams to prioritize and improve their security posture. 

The observations in this report are based on anonymized and sanitized telemetry from Elastic as well as public and third-party data that has been voluntarily submitted. The telemetry has been extensively reviewed by our experts in Elastic Security Labs and distilled into actionable insights for our customers, partners, and the security community at large.

Forecast and recommendation highlights

This year, Elastic Security Labs observed the evolution of threat actors — including an increase in credential access attacks and continued manipulation of offensive security tools. Here are some of the key forecasts and recommendations from the report.  

Access brokers and the infostealer ecosystem will increase the impact of exposed credentials

During several high-profile incidents this year, researchers observed that adversaries used stolen credentials sourced from the victim’s environment. In the majority of those cases, the environment also contained evidence of prior infostealers or backdoor artifacts. It can be very difficult to determine which credentials have been compromised after time has passed.

Recommendation: Rotate exposed account credentials, and invest in response workflows to reset accounts. User and entity behavior analytics (UEBA) is one class of technologies that can help identify compromised accounts, and monitoring the accounts targeted in brute-force attacks (which are especially common in cloud-based environments) can help in cases where evidence has been relocated or deleted.
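As an added illustration of the monitoring the recommendation above describes (example code written for this post, not Elastic's own detection logic or telemetry), the script below walks a constructed set of cloud sign-in events, flags account/source pairs that accumulate repeated failures inside a sliding window, and marks any account that then logs in successfully as a rotation candidate. The log format, field names, threshold and window are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of cloud sign-in events (not real telemetry), one per line:
#   <ISO timestamp> <outcome> user=<account> src=<source ip>
SAMPLE_LOG = """\
2024-10-01T08:00:01Z failure user=alice src=203.0.113.7
2024-10-01T08:00:03Z failure user=alice src=203.0.113.7
2024-10-01T08:00:05Z failure user=alice src=203.0.113.7
2024-10-01T08:00:07Z failure user=alice src=203.0.113.7
2024-10-01T08:00:09Z failure user=alice src=203.0.113.7
2024-10-01T08:00:12Z success user=alice src=203.0.113.7
2024-10-01T08:05:00Z failure user=bob src=198.51.100.2
2024-10-01T08:30:00Z failure user=bob src=198.51.100.2
2024-10-01T09:00:00Z success user=carol src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<outcome>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "outcome": m["outcome"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Return {user: finding} for (user, source) pairs that reach `threshold`
    failed sign-ins inside a sliding `window`. A success that follows such a
    burst sets rotate=True: treat the credential as exposed, not just attacked."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_key[(e["user"], e["src"])].append(e)

    findings = {}
    for (user, src), evs in by_key.items():
        recent_failures = []   # timestamps of failures still inside the window
        burst_seen = False
        for e in evs:
            if e["outcome"] == "failure":
                recent_failures.append(e["ts"])
                recent_failures = [t for t in recent_failures if e["ts"] - t <= window]
                if len(recent_failures) >= threshold:
                    burst_seen = True
            elif e["outcome"] == "success" and burst_seen:
                findings[user] = {"src": src, "failures": len(recent_failures), "rotate": True}
        if burst_seen and user not in findings:
            # Burst without a later success: keep watching, no rotation yet.
            findings[user] = {"src": src, "failures": len(recent_failures), "rotate": False}
    return findings


def rotation_candidates(findings):
    """Accounts whose credentials should be rotated first."""
    return sorted(u for u, f in findings.items() if f["rotate"])


if __name__ == "__main__":
    found = detect_brute_force(parse_events(SAMPLE_LOG))
    for user, f in found.items():
        print(f"{user}: {f['failures']} failures from {f['src']}, rotate={f['rotate']}")
    print("rotate first:", rotation_candidates(found))
```

Bob's two failures fall outside the window and carol never fails, so only alice is reported; the "success after burst" rule is what turns a noisy brute-force alert into a concrete reset action, which is the point of pairing detection with a response workflow.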

Telemetry found that security teams are too permissive of cloud service provider (CSP) resources, which increases the risk of future data exposure

We observed that cloud security posture settings were consistently misconfigured across all hyperscalers. In one form or another, users misconfigured the same capabilities of all CSPs:

  • Permissive access policies allowed logins from anywhere

  • Permissive storage policies allowed file operations from accounts of all kinds

  • Relaxed data handling policies or weak encryption

Enterprises balancing usability and the overhead of securing critical resources may struggle to prioritize an aggressive posture or prioritize it consistently. In many cases, audits and guidance are well understood and widely available at no cost.

Recommendation: Security teams should consider using the Center for Internet Security (CIS) benchmark process to identify which settings in their environment need more attention. Once the CIS posture scores reach 100, make sure the InfoSec team is well-versed in the most common cloud-based intrusion techniques. Monitoring from this baselined state should help improve the speed of threat detection while hardening the environment against future threats.
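The three misconfiguration patterns listed above, and the benchmark-style scoring the recommendation suggests, can be exercised with a small posture checker. The code below is an added example written for this post, not Elastic's or CIS's tooling; the posture document schema and the check identifiers (ACC-1, STO-1, and so on) are invented for illustration and do not correspond to real CIS benchmark controls or to any CSP's policy format. It places a weak posture next to a hardened one and scores each.

```python
import ipaddress

# Constructed posture documents in a hypothetical, simplified schema.
WEAK_POSTURE = {
    "access_policy": {"allowed_source_cidrs": ["0.0.0.0/0"], "mfa_required": True},
    "storage_policy": {"principals": ["*"], "actions": ["read", "write", "delete"],
                       "public_read": True},
    "data_handling": {"encryption_at_rest": "none", "tls_min_version": "1.0"},
}

HARDENED_POSTURE = {
    "access_policy": {"allowed_source_cidrs": ["198.51.100.0/24"], "mfa_required": True},
    "storage_policy": {"principals": ["role/app-backend"], "actions": ["read", "write"],
                       "public_read": False},
    "data_handling": {"encryption_at_rest": "aes-256", "tls_min_version": "1.2"},
}


def _allows_any_source(cidrs):
    # A /0 prefix matches every address, i.e. "login from anywhere".
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def _tls_at_least(version, minimum=(1, 2)):
    return tuple(int(x) for x in version.split(".")) >= minimum


# (check id, posture section, passes?, message on failure). Ids are hypothetical.
CHECKS = [
    ("ACC-1", "access_policy", lambda p: not _allows_any_source(p["allowed_source_cidrs"]),
     "logins allowed from any source address"),
    ("ACC-2", "access_policy", lambda p: p["mfa_required"],
     "MFA not required for sign-in"),
    ("STO-1", "storage_policy", lambda p: "*" not in p["principals"],
     "file operations granted to every principal"),
    ("STO-2", "storage_policy", lambda p: not p["public_read"],
     "objects readable without authentication"),
    ("DAT-1", "data_handling", lambda p: p["encryption_at_rest"] != "none",
     "data at rest is not encrypted"),
    ("DAT-2", "data_handling", lambda p: _tls_at_least(p["tls_min_version"]),
     "TLS below 1.2 accepted"),
]


def assess(posture):
    """Evaluate every check; returns one result dict per check."""
    results = []
    for check_id, section, passes, message in CHECKS:
        ok = bool(passes(posture[section]))
        results.append({"id": check_id, "passed": ok, "message": None if ok else message})
    return results


def posture_score(posture):
    """Percentage of checks passed, in the spirit of a benchmark score out of 100."""
    results = assess(posture)
    return round(100 * sum(r["passed"] for r in results) / len(results))


def failed_check_ids(posture):
    return [r["id"] for r in assess(posture) if not r["passed"]]


if __name__ == "__main__":
    for name, posture in (("weak", WEAK_POSTURE), ("hardened", HARDENED_POSTURE)):
        print(f"{name}: score {posture_score(posture)}")
        for r in assess(posture):
            if not r["passed"]:
                print(f"  FAIL {r['id']}: {r['message']}")
```

Running the same checks on a schedule against the live posture gives the "baselined state" the recommendation refers to: any check that regresses from passed to failed is a change worth alerting on, independent of whether an intrusion is already under way.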

Adversaries will triple-down on Defense Evasion, especially techniques that hinder sensor visibility

The most common Defense Evasion signals were seen on Windows systems and generally involved a trio of techniques: Process Injection, System Binary Proxy Execution, and Impair Defenses. Collectively, these three techniques can be used to gain an initial foothold with sufficient privileges to tamper with or blind instrumentation before its data can be sent to a data repository.

Recommendation: No single solution exists for this complex methodology, but security teams should monitor for changes in endpoint visibility, for use of built-in binary proxies, and for indicators of Process Injection. However, efficient monitoring cannot be achieved without interactive endpoint agents deployed before threat activity is discovered, and those agents will not be effective if they are misconfigured. Researchers frequently observed enterprises where administrators had failed to enable licensed mitigations, with undesirable outcomes.
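As an added example of two of the monitoring points above (written for this post; it is not Elastic's detection logic and the telemetry format, service names and thresholds are assumptions), the script below runs three simple rules over a constructed stream of endpoint events: a loss of sensor heartbeats, the stopping of a security service, and a system binary proxy loading content from a user-writable path. Process Injection indicators need memory-level telemetry and are deliberately not modeled here.

```python
from datetime import datetime, timedelta

# Hypothetical names of services whose stop should be treated as Impair Defenses.
SECURITY_SERVICES = {"edr-agent", "av-realtime"}
# Built-in Windows binaries commonly abused as execution proxies.
PROXY_BINARIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe"}
# Path fragments that indicate user-writable locations (lower-cased for matching).
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\")

# Constructed endpoint telemetry (not real sensor output): heartbeats plus events.
SAMPLE_EVENTS = [
    {"ts": "2024-10-01T10:00:00Z", "host": "ws01", "kind": "heartbeat"},
    {"ts": "2024-10-01T10:01:00Z", "host": "ws01", "kind": "heartbeat"},
    {"ts": "2024-10-01T10:01:30Z", "host": "ws01", "kind": "service_stop", "service": "edr-agent"},
    {"ts": "2024-10-01T10:02:00Z", "host": "ws01", "kind": "process_start", "image": "rundll32.exe",
     "cmdline": "rundll32.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\x.dll,Start"},
    {"ts": "2024-10-01T10:20:00Z", "host": "ws01", "kind": "heartbeat"},
    {"ts": "2024-10-01T10:00:00Z", "host": "ws02", "kind": "heartbeat"},
    {"ts": "2024-10-01T10:01:00Z", "host": "ws02", "kind": "heartbeat"},
    {"ts": "2024-10-01T10:02:00Z", "host": "ws02", "kind": "process_start", "image": "rundll32.exe",
     "cmdline": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
    {"ts": "2024-10-01T10:02:00Z", "host": "ws02", "kind": "heartbeat"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_evasion(events, max_gap=timedelta(minutes=5)):
    """Return a list of (host, technique, detail) alerts, ordered per host by time."""
    alerts = []
    by_host = {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e)

    for host, evs in by_host.items():
        evs.sort(key=lambda e: _ts(e["ts"]))
        last_beat = None
        for e in evs:
            kind = e["kind"]
            if kind == "heartbeat":
                t = _ts(e["ts"])
                if last_beat is not None and t - last_beat > max_gap:
                    minutes = int((t - last_beat).total_seconds() // 60)
                    alerts.append((host, "Impair Defenses", f"sensor silent for {minutes} min"))
                last_beat = t
            elif kind == "service_stop" and e.get("service") in SECURITY_SERVICES:
                alerts.append((host, "Impair Defenses", f"security service stopped: {e['service']}"))
            elif kind == "process_start" and e.get("image", "").lower() in PROXY_BINARIES:
                cmdline = e.get("cmdline", "").lower()
                if any(marker in cmdline for marker in USER_WRITABLE_MARKERS):
                    alerts.append((host, "System Binary Proxy Execution",
                                   f"{e['image']} loading content from a user-writable path"))
    return alerts


def hosts_with_alerts(events):
    return sorted({a[0] for a in detect_evasion(events)})


if __name__ == "__main__":
    for host, technique, detail in detect_evasion(SAMPLE_EVENTS):
        print(f"{host}: [{technique}] {detail}")
```

Note the ws02 rundll32 launch against a system DLL raises nothing, while ws01 produces all three alerts in sequence; the heartbeat-gap rule is the one that still fires when the agent itself has been silenced, which is why visibility changes deserve their own rule rather than relying only on what the sensor reports.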

Stay ahead of attackers with the 2024 Elastic Global Threat Report

These forecasts provide just a brief snapshot of the threats, attackers, and defenses that we expect to be in play in the coming year. To see the other forecasts and a detailed overview of the security landscape, you can access the full 2024 Elastic Global Threat Report.

The release and timing of any features or functionality described in this post remain at Elastic's sole discretion. Any features or functionality not currently available may not be delivered on time or at all.