Cloud endpoint protection provider CrowdStrike has released research showing that an intruder spends an average of 86 days inside a corporate network before being detected, despite needing less than two hours to move laterally to other systems on that network.

CrowdStrike’s Global Threat Report draws on data from 176 countries and on more than 90 billion threat events per day.

The report shows that in 2017, 39% of all attacks were malware-free intrusions that went undetected by traditional anti-virus, highlighting the need for stronger, smarter security tools than the signature-based methods of the past. The manufacturing, professional services and pharmaceutical industries faced the greatest number of malware-free attacks.

A “malware-free” intrusion compromises the target without dropping malware on it, which gives the attacker a higher chance of going undetected. A typical route is spear-phishing to steal credentials, which the attacker then uses to log in and authenticate as a legitimate user.

The evolution of the threat landscape beyond conventional security methods is further pronounced following the public release of state-sponsored hacking tools, blurring the lines between statecraft and tradecraft and putting advanced exploits in everyone’s hands. Both WannaCry and NotPetya spread using the EternalBlue exploit, stolen from the NSA and leaked publicly.

CrowdStrike’s Threat Graph data indicates that, once access has been gained, an intruder can move to other systems within the network in an average of one hour and 58 minutes.

“They move typically through stolen credentials,” says Michael Sentonas, vice-president of Technology Strategy for CrowdStrike. “They get into the network far enough to steal credentials, or the credential they are using allows them to start escalating privilege. If I log into a network as you, it becomes hard for someone to detect if it is me or you.”

Once inside, an attacker can establish persistence, build backdoors and take other actions, safe from detection by traditional anti-virus tools.
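The point Sentonas makes above is that a stolen credential looks like its owner on any single host, so the signal has to come from the pattern of logons rather than from any one of them. The following is an added example, not code from CrowdStrike or from the article: a small Python script that parses constructed authentication log lines and flags two such patterns, an account reaching many distinct hosts inside a short window (the sub-two-hour lateral movement the report describes) and a single source machine authenticating as several different accounts. The log format, field names, sample data and thresholds are all assumptions for illustration.

```python
"""Detecting credential-driven lateral movement in authentication logs.

Added example, not code from CrowdStrike or from the article. An intruder
logging in with a stolen credential looks like that user on any single host,
so the detectable signal is the pattern across hosts. Log format, field names,
sample data and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one successful network logon per line (assumed format).
# "alice" is a normal user on her own workstation; "bob" is a stolen credential
# being replayed from alice's workstation (same src) against six hosts in 90 min.
SAMPLE_LOG = """\
2017-11-03T09:01:12Z host=ws-12 user=alice src=10.1.4.20
2017-11-03T09:14:40Z host=ws-12 user=alice src=10.1.4.20
2017-11-03T10:02:05Z host=file-01 user=alice src=10.1.4.20
2017-11-03T13:20:10Z host=ws-12 user=bob src=10.1.4.20
2017-11-03T13:25:43Z host=ws-13 user=bob src=10.1.4.20
2017-11-03T13:31:09Z host=file-01 user=bob src=10.1.4.20
2017-11-03T13:44:52Z host=db-02 user=bob src=10.1.4.20
2017-11-03T14:05:17Z host=dc-01 user=bob src=10.1.4.20
2017-11-03T14:51:00Z host=hr-01 user=bob src=10.1.4.20
"""


def parse_log(text):
    """Parse 'TIMESTAMP key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *kvs = line.split()
        ev = dict(kv.split("=", 1) for kv in kvs)
        ev["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_lateral_movement(events, window=timedelta(hours=2), min_hosts=4):
    """Flag accounts that authenticate to >= min_hosts distinct hosts within `window`.

    Slides a time window over each account's sorted logons and records the
    first window in which the threshold is crossed. Returns
    {user: (window_start, window_end, sorted distinct hosts)}.
    """
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)

    alerts = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["host"] for e in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts[user] = (evs[start]["ts"], evs[end]["ts"], sorted(hosts))
                break
    return alerts


def shared_sources(events, min_users=2):
    """Flag source addresses from which >= min_users distinct accounts logged on.

    One workstation authenticating as several people is a common sign that
    credentials harvested on that machine are being reused.
    """
    users_by_src = defaultdict(set)
    for ev in events:
        users_by_src[ev["src"]].add(ev["user"])
    return {src: sorted(users) for src, users in users_by_src.items()
            if len(users) >= min_users}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, (t0, t1, hosts) in find_lateral_movement(evs).items():
        print(f"{user}: {len(hosts)} hosts between {t0:%H:%M} and {t1:%H:%M}: {hosts}")
    for src, users in shared_sources(evs).items():
        print(f"{src}: used by {users}")
```

On the constructed data, alice is never flagged while bob trips the host-count check in the first 25 minutes and the shared workstation is flagged for both accounts. In a real environment the thresholds need tuning per account class: service accounts, administrators and jump hosts legitimately touch many systems, so a per-account baseline of normal host count and normal source addresses is what keeps the false-positive rate usable.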

“Every week we’re finding existing threats, even during proof-of-concept with new prospective customers,” Sentonas says. “They try the technology in the network to give it a go and see how it interacts with their systems and to get a feel for a real-world deployment. In many cases, the proof-of-concept evaluation flags something is going on. The company has been compromised. Maybe it’s an active intrusion, and maybe something is left over still communicating outside.”

The research further reveals that extortion and the weaponisation of data have become mainstream among cyber criminals, that nation-state-linked attacks and targeted ransomware are on the rise and may be used for geopolitical and military purposes, and that supply chain compromises, cryptocurrency fraud and cryptomining present new attack vectors for state-sponsored and criminal actors.

“In 2018 we will see much of the same,” Sentonas says. “We will see continued successful ransomware attacks because organisations are not patching and are not as secure as they think they are. We're statistically due for another ransomware attack, and attacking the supply chain is likely the way it will happen.”

“The security industry does a good job of bubbling up important headlines but we sometimes lose relevancy. A lot of the security vendors say ransomware went up by 20% and this type of malware went up by this percent but at the end of the day who cares?” Sentonas says. “It's not relevant to the average person. When we talk about threat intelligence and learning and talk about what's happening there are a lot of techniques that prove the attackers are successful. So what do we learn?”

“For me, it’s about constantly challenging the architectures we use and rethinking how we can get better and improve our security posture. Some of the things attackers are doing are so successful we have to pause and rethink.”