Guiding your organization with the 2024 Elastic Global Threat Report
Mitigating risk based on the threat landscape is a complicated yet essential part of being a CISO, which is why threat reports like the 2024 Elastic Global Threat Report are a huge help for me. In addition to providing an in-depth understanding of what’s happening, threat reports also offer a quick overview of what needs to be explained or communicated to the rest of the organization.
As Elastic’s CISO, I have a lot of experience in translating threats for security stakeholders, other C-suite members, and even the board of directors. Using the findings from Elastic Security Labs, this blog will distill some of the major insights from the new report and discuss some concerns that might emerge in your organization from this new data.
Key insights from the 2024 Elastic Global Threat Report
Offensive security tools
The 2024 report showed 54% of malware was linked to offensive security tools (OSTs) — tools that are used to test and identify flaws in environments. These tools are created by defense-oriented individuals and groups — some of whom have budgets for research and development. Threat actors are drawn to these tools for the ease and efficiency they provide when executing their objectives.
My thoughts: Cobalt Strike has been the most prevalent malware for the last few years, and threat actors are sticking with it. If you’re prepared for it, you’ll be okay.
How can I address this with my organization?
Concern: We shouldn’t be using OSTs because they’re being abused by threat actors.
Rebuttal: Using an OST in your environment will not increase the risk of this type of attack. OSTs provide important details of the security environment and can be powerful tools for simulations like red teaming or pen testing. We can prepare for these potential threats by keeping our defenses up to date.
Cloud security misconfigurations
Our researchers found that many cloud environments are misconfigured. The report has a clear breakdown of issues per cloud service provider (CSP) and revealed some pretty harrowing misconfigurations, including ones involving storage accounts and multifactor authentication (MFA).
My thoughts: Cloud providers need to strike a balance between usability and security when considering default policies, while ensuring the cloud environment provides the optimal cost and performance. Try to identify the middle ground between what your team can manage and what you should prioritize per industry benchmarking and reports.
How can I address this with my organization?
Concern: How can we ensure that we’re using the best security practices and minimizing risk within our cloud environment?
Rebuttal: While we can encourage CSPs to provide more secure defaults, CSP benchmarking is designed to aid with the complexity of cloud security. Identify what your CIS benchmark is and outline your plan to raise it.
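As an added example (not tooling from the Elastic report and not the CIS benchmark itself), the script below walks a constructed cloud inventory and applies a handful of benchmark-style checks of the kind the report calls out: storage accounts exposed to public access or unencrypted, and users, especially privileged ones, without MFA. It returns findings ranked by severity and a per-check pass rate, which is the number a team can track over time when it outlines a plan to raise its benchmark score. The inventory format, check names and severities are assumptions for this example.

```python
"""Benchmark-style misconfiguration checks over a constructed cloud inventory.

Added example: not Elastic's code and not the CIS benchmark. The inventory
shape, check names and severity levels are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Callable

# Constructed inventory (assumption: one dict per resource, keyed by section).
INVENTORY = {
    "storage_accounts": [
        {"name": "prod-backups", "public_access": False, "encryption_at_rest": True},
        {"name": "marketing-assets", "public_access": True, "encryption_at_rest": True},
        {"name": "legacy-exports", "public_access": True, "encryption_at_rest": False},
    ],
    "users": [
        {"name": "alice", "mfa_enabled": True, "roles": ["reader"]},
        {"name": "bob", "mfa_enabled": False, "roles": ["owner"]},
        {"name": "svc-deploy", "mfa_enabled": False, "roles": ["contributor"]},
    ],
}


@dataclass
class Finding:
    check: str
    resource: str
    severity: str


@dataclass
class Check:
    name: str
    section: str                     # inventory section the check walks
    severity: str
    failed: Callable[[dict], bool]   # True when the resource fails the check


# Hypothetical check set modelled on common CSP benchmark control types.
CHECKS = [
    Check("storage-no-public-access", "storage_accounts", "high",
          lambda r: r["public_access"]),
    Check("storage-encrypted-at-rest", "storage_accounts", "medium",
          lambda r: not r["encryption_at_rest"]),
    Check("user-mfa-enabled", "users", "high",
          lambda r: not r["mfa_enabled"]),
    # A privileged role without MFA is the combination worth escalating first.
    Check("privileged-user-mfa", "users", "critical",
          lambda r: "owner" in r["roles"] and not r["mfa_enabled"]),
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def run_checks(inventory, checks=CHECKS):
    """Evaluate every check against every resource in its section."""
    findings = []
    for check in checks:
        for resource in inventory.get(check.section, []):
            if check.failed(resource):
                findings.append(Finding(check.name, resource["name"], check.severity))
    return findings


def prioritize(findings):
    """Most severe first; ties broken by check and resource name for stable output."""
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.check, f.resource))


def score(inventory, checks=CHECKS):
    """Per-check (passed, evaluated) counts: the benchmark-style pass rate to track."""
    result = {}
    for check in checks:
        resources = inventory.get(check.section, [])
        failed = sum(1 for r in resources if check.failed(r))
        result[check.name] = (len(resources) - failed, len(resources))
    return result


if __name__ == "__main__":
    for f in prioritize(run_checks(INVENTORY)):
        print(f"[{f.severity:8}] {f.check:26} {f.resource}")
    for name, (passed, total) in score(INVENTORY).items():
        print(f"{name:26} {passed}/{total} passing")
```

Real CSP APIs (or an export from the provider's posture tooling) would replace the constructed inventory; the check table is the part a team extends as it works through its chosen benchmark.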
Defense Evasion
Within endpoints, Defense Evasion accounted for nearly 38% of all tactics. The overall distribution of alerts highlighted a growth of Process Injection techniques, which accounted for 53% of all Windows Defense Evasion alerts.
My thoughts: The growing emphasis on Process Injection makes sense because defensive technologies improved to fight the technique that held the majority previously, so attackers are forced to shift to a different approach.
How can I address this with my organization?
Concern: We need to focus on tuning our environment for Process Injection attacks.
Rebuttal: While it’s more prevalent, the increase in these techniques doesn’t mean that attackers won’t use other types of attacks. Security teams should be wary and continue tuning their environment for threats of all kinds.
Credential leakage
Credential Access is the leading adversary tactic in cloud environments, accounting for 23% of all alerts, and it is bolstered by the rise in infostealers.
My thoughts: Credential leakage and account manipulation are still the top techniques in cloud, which means the basics are still critical. Implementing the principle of least privilege and strong authentication is going to make a large difference. The best way to reduce the risk of credential exposure is a mix of prevention and monitoring — security teams must understand their inventory of secrets and credentials and where those are used.
How can I address this with my organization?
Concern: Credentials are mostly leaked by users.
Rebuttal: Credentials are a critical asset and should be treated as such — security training will only do so much. Implementing least privilege and phishing-resistant MFA along with identity providers (IdPs) can lower exposure. Organizations can further bolster their environment with user and entity behavior analytics (UEBA) and authentication-focused analytics to monitor for outliers.
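As an added example of the authentication-focused analytics the rebuttal recommends (this is not Elastic's UEBA or any of its detection rules), the script below parses constructed IdP-style login records, builds a per-user baseline of locations from a known-good window, and then flags three outliers in later events: a successful login from a location the user has never used, a successful login with no MFA factor, and a success that follows a burst of failures from the same source. The log format, the baseline cutoff and the burst thresholds are assumptions for this example.

```python
"""Authentication-outlier checks over constructed login records.

Added example: not Elastic's UEBA and not a shipped detection rule. The log
format, baseline cutoff, burst size and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical key=value login record; timestamps are UTC.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>\S+) "
    r"mfa=(?P<mfa>\S+) result=(?P<result>success|failure)$"
)

# Constructed sample log: two days of normal activity, then two outlier patterns.
SAMPLE_LOG = """\
2024-10-01T08:00:00Z user=alice src=203.0.113.5 geo=US mfa=webauthn result=success
2024-10-01T09:10:00Z user=bob src=198.51.100.7 geo=DE mfa=totp result=success
2024-10-02T08:05:00Z user=alice src=203.0.113.5 geo=US mfa=webauthn result=success
2024-10-03T02:00:00Z user=alice src=192.0.2.44 geo=RU mfa=none result=success
2024-10-03T02:01:00Z user=bob src=192.0.2.9 geo=DE mfa=totp result=failure
2024-10-03T02:02:00Z user=bob src=192.0.2.9 geo=DE mfa=totp result=failure
2024-10-03T02:03:00Z user=bob src=192.0.2.9 geo=DE mfa=totp result=failure
2024-10-03T02:04:00Z user=bob src=192.0.2.9 geo=DE mfa=totp result=success
"""

# Events before this point are treated as the known-good baseline window.
BASELINE_CUTOFF = datetime(2024, 10, 3)


def parse(text):
    """Turn log lines into dicts; malformed lines are skipped (count them in production)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def build_baseline(events, cutoff):
    """Per-user set of locations seen on successful logins before the cutoff."""
    seen = defaultdict(set)
    for e in events:
        if e["ts"] < cutoff and e["result"] == "success":
            seen[e["user"]].add(e["geo"])
    return seen


def detect(events, cutoff, burst=3, window=timedelta(minutes=5)):
    """Return (user, finding, detail) tuples for successes after the cutoff."""
    baseline = build_baseline(events, cutoff)
    recent_failures = defaultdict(list)   # (user, src) -> failure timestamps
    findings = []
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["user"], e["src"])
        if e["result"] == "failure":
            recent_failures[key].append(e["ts"])
            continue
        if e["ts"] < cutoff:
            continue                      # baseline window is not evaluated
        if e["geo"] not in baseline[e["user"]]:
            findings.append((e["user"], "new_geo", e["geo"]))
        if e["mfa"] == "none":
            findings.append((e["user"], "no_mfa", e["src"]))
        fails = [t for t in recent_failures[key] if e["ts"] - t <= window]
        if len(fails) >= burst:
            findings.append((e["user"], "failure_burst", f"{len(fails)} failures before success"))
        recent_failures[key].clear()      # success resets the per-source counter
    return findings


def run_sample():
    return detect(parse(SAMPLE_LOG), BASELINE_CUTOFF)


if __name__ == "__main__":
    for user, kind, detail in run_sample():
        print(f"{user:6} {kind:14} {detail}")
```

The baseline here is a fixed cutoff for readability; in practice it would be a rolling window per user, and the `geo` field would come from the IdP's own enrichment rather than the log line.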
Generative AI
It’s a hot topic, but Elastic Security Labs didn’t see a massive increase in AI-propelled attacks this year — only a slight increase in attack volume.
My thoughts: My team has benefited from Elastic’s innovative generative AI (GenAI) capabilities. We frequently utilize the machine learning-based detection rules and Attack Discovery — both of which have increased our ability to automate security workflows while providing peace of mind to me and my team.
How can I address this with my organization?
Concern: GenAI benefits attackers.
Rebuttal: GenAI has had a widely observed positive impact on defenders by addressing threats with advanced analytics and providing quick and reliable AI guidance.
Stay ahead of the threats
As security professionals, we have to stay up to date on the threat landscape. Reading through the 2024 Elastic Global Threat Report will provide a lot of important information to you and your InfoSec teams.
Reading this report not only sheds light on emerging trends, but it also equips us with the knowledge required to make informed decisions about our security strategies. Join our researchers for a deeper discussion of these insights in the upcoming webinar, Revealing the threat landscape.
The release and timing of any features or functionality described in this post remain at Elastic's sole discretion. Any features or functionality not currently available may not be delivered on time or at all.
In this blog post, we may have used or referred to third party generative AI tools, which are owned and operated by their respective owners. Elastic does not have any control over the third party tools and we have no responsibility or liability for their content, operation or use, nor for any loss or damage that may arise from your use of such tools. Please exercise caution when using AI tools with personal, sensitive or confidential information. Any data you submit may be used for AI training or other purposes. There is no guarantee that information you provide will be kept secure or confidential. You should familiarize yourself with the privacy practices and terms of use of any generative AI tools prior to use.
Elastic, Elasticsearch, ESRE, Elasticsearch Relevance Engine and associated marks are trademarks, logos or registered trademarks of Elasticsearch N.V. in the United States and other countries. All other company and product names are trademarks, logos or registered trademarks of their respective owners.