Review: Elastic 2024 Global Threat Report

Author: Joshua Finley
License: DBE
Table of Contents
1. Introduction
2. The Elephant in the Room - Selection Bias in Threat Reporting

1. Introduction

Near the end of last year, Elastic released its 2024 Global Threat Report, which highlights continuing trends in the threat landscape. Although I am late to it, this post collects my notes on the high points of the report as they relate to adversary techniques, together with my own observations from the offensive security and threat spaces. The notes concern mostly the trends in malware threats and my own sentiments on the nuances of some of the report's claims and observations.

Disclaimer: This post is not intended to represent undue criticism of Elastic’s excellent work.

1.1. Generative AI Adoption Among Threats

In the report, Elastic notes only marginal increases in threats leveraging generative AI for malware, despite marked increases in its use for other categories of attack.

This observation reflects my own: malware continues to rely on well-known implementation methods that stand to gain less from generative AI than other kinds of attack do. However, I would suggest that the full extent of generative AI use in malware authorship is likely under-represented in malware research, since indicators of generative AI in a sample are not always distinctive. Insight gained from leaks such as the Black Basta chat logs [1] is likely to give a more accurate picture of the adoption of generative AI tools in malware spaces.

1.2. Prevailing Threats from Known Malware Families

Notably, the report discloses prevailing threats from known malware families, including Cobalt Strike, Donut, Meterpreter, and Sliver. As it appears to me, continued pressure from research outlets such as Elastic is finally manifesting in more responsible action from Cobalt Strike's publisher, Fortra [2].

While Elastic does not make definitive claims about the discrepancy between what is observed and what exists in reality here, any broad claims in this area carry risk (although I am not disputing that these families are likely the most prevalent stages among trojanized threats). I will discuss this in depth later on.

1.3. Surges in Process Injection… Detections

Elastic notes in the report a large increase in process injection detections (31%). The report presents this increase alongside better accounting of related events generated by Windows exception handlers. More significant was an observed increase in process injection detections involving unbacked memory, that is, executable memory not backed by an image on disk. While the EDR internals are not publicly available, recent changes in the open source facilities that expose Elastic's EDR services highlight continued development in addressing unbacked memory. These changes were likely introduced sometime around Elastic Security Labs' blog post from May 2023 on tackling in-memory threats through call stack-based detections [3].

Elastic also highlights the success of a related rule, Network Module Loaded from Suspicious Unbacked Memory, which shows Elastic making use of these call-stack inspection facilities: a DLL load of a networking library is flagged when the loading thread's call stack passes through memory that no image on disk backs.
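To make the mechanism concrete, here is a small model of a call-stack-based unbacked-memory check, added here as a worked example. It is not Elastic's rule logic or EDR code: the region layout, addresses, module list, event shape and the "Unbacked" summary convention are all constructed for illustration. It maps each return address on the loading thread's stack to the image that backs it, collapses the stack into a summary, and fires only when a networking module is loaded with a frame in unbacked memory on the stack.

```python
"""Simplified model of a call-stack-based 'unbacked memory' detection.

Added as a worked example; this is NOT Elastic's rule logic or EDR code.
Regions, addresses, module names and events below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Region:
    """One virtual memory region, as a VirtualQuery-style memory walk reports it."""
    start: int
    end: int   # exclusive
    path: str  # backing image path; "" means private/anonymous, i.e. unbacked


@dataclass(frozen=True)
class ImageLoadEvent:
    """A module-load event enriched with the loading thread's return addresses."""
    process: str
    module: str             # file name of the module being loaded
    call_stack: List[int]   # return addresses, innermost frame first


# Networking modules whose load from unbacked code is suspicious (assumed list).
NETWORK_MODULES = {"ws2_32.dll", "wininet.dll", "winhttp.dll", "dnsapi.dll"}

# Constructed process memory map: three images plus one private allocation.
REGIONS = [
    Region(0x7FF6_1000_0000, 0x7FF6_1010_0000, r"C:\Program Files\App\app.exe"),
    Region(0x7FF8_9000_0000, 0x7FF8_9010_0000, r"C:\Windows\System32\kernelbase.dll"),
    Region(0x7FF8_A000_0000, 0x7FF8_A020_0000, r"C:\Windows\System32\ntdll.dll"),
    Region(0x0000_0200_0000_0000, 0x0000_0200_0001_0000, ""),  # private RWX (e.g. VirtualAlloc + shellcode)
]

# Constructed events: one benign load, one from unbacked code, one out of scope.
SAMPLE_EVENTS = [
    # app.exe's own code calls LoadLibrary("winhttp.dll"): every frame is image-backed.
    ImageLoadEvent("app.exe", "winhttp.dll",
                   [0x7FF8_A000_1234, 0x7FF8_9000_5678, 0x7FF6_1000_2000, 0x7FF6_1000_1000]),
    # A frame in the private allocation sits between kernelbase and app.exe.
    ImageLoadEvent("app.exe", "ws2_32.dll",
                   [0x7FF8_A000_1234, 0x7FF8_9000_5678, 0x0000_0200_0000_0100, 0x7FF6_1000_3000]),
    # Same unbacked frame, but user32.dll is not a networking module: this rule stays quiet.
    ImageLoadEvent("app.exe", "user32.dll",
                   [0x7FF8_A000_1234, 0x7FF8_9000_5678, 0x0000_0200_0000_0100, 0x7FF6_1000_3000]),
]


def find_region(regions: List[Region], addr: int) -> Optional[Region]:
    for r in regions:
        if r.start <= addr < r.end:
            return r
    return None


def classify_frame(regions: List[Region], addr: int) -> str:
    """Map a return address to the name an EDR call-stack summary would show."""
    r = find_region(regions, addr)
    if r is None:
        return "Unknown"     # not mapped at all: a return address here is at least as odd as unbacked
    if r.path:
        return r.path.rsplit("\\", 1)[-1].lower()
    return "Unbacked"


def stack_summary(regions: List[Region], call_stack: List[int]) -> List[str]:
    """Collapse consecutive frames from the same module, innermost first."""
    out: List[str] = []
    for addr in call_stack:
        name = classify_frame(regions, addr)
        if not out or out[-1] != name:
            out.append(name)
    return out


def network_module_from_unbacked(event: ImageLoadEvent, regions: List[Region]) -> bool:
    """Fire when a networking module is loaded with unbacked (or unmapped) code on the stack."""
    if event.module.lower() not in NETWORK_MODULES:
        return False
    return any(frame in ("Unbacked", "Unknown")
               for frame in stack_summary(regions, event.call_stack))


def evaluate_all(events: List[ImageLoadEvent], regions: List[Region]) -> List[Tuple[str, str]]:
    """Return (module, 'a > b > c' stack summary) for every event that trips the rule."""
    return [(e.module, " > ".join(stack_summary(regions, e.call_stack)))
            for e in events if network_module_from_unbacked(e, regions)]


if __name__ == "__main__":
    for module, summary in evaluate_all(SAMPLE_EVENTS, REGIONS):
        print(f"ALERT: {module} loaded from unbacked memory; stack: {summary}")
```

The interesting property for the discussion above is that the rule fires on where the call came from, not on which API was called: the benign and suspicious events invoke the same loader path through ntdll and kernelbase, and only the private-memory frame separates them. That is also why a capability like this produces a step change in detection counts the moment it ships, independent of any change in what adversaries are doing.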

Once again, there may be issues with definitive statements assuming causation between these detection increases and actual adversary behavior.

1.4. Other Developments

The report discloses less dramatic trends on Linux and macOS, which are consistent with my own observations of defensive pressures on malware in these environments. I would suggest that the pace of development and the degree of industry cohesion around anti-malware facilities in the Linux ecosystem present distinct challenges. While EDR/XDR vendors maintain strong (and notably, confidential) relationships with Microsoft, such luxuries are largely absent for the Linux ecosystem. One example is the rapid pace at which threat indicators are made available through ETW-TI (the Microsoft-Windows-Threat-Intelligence provider, which is only exposed to vendor processes running with anti-malware protection). Additionally, programs like Microsoft Security Partners and the Microsoft Virus Initiative allow privileged information sharing between Microsoft and vendors, which is less achievable within the Linux space.

2. The Elephant in the Room - Selection Bias in Threat Reporting

While Elastic’s report does well to hold off on spurious correlation, there are clear interpretation risks based on the facts presented.

At worst, a less careful reader may take Elastic's data as representing definitive trends in the actual behavior of adversaries in the malware space. Alternatively, a similar bias may lead slightly more attentive readers to assume the results are directly related to increases in defensive technology, which is probably much more accurate, but still glosses over details. While both interpretations are assuredly valid to some extent, we should be careful about making hasty assumptions about what adversaries are doing in reality.

Threat reporting, like all other hard problems, must contend with the implicit unknowns in adversary behavior. Elastic's leading efforts reflect a global gain in traction on understanding threats, but significant issues remain.

Most prominent in the report is the huge increase in process injection detections through 2024. This data comes directly on the heels of significant advancements in Elastic's endpoint technology [3]. The increase in process injection detections is highly likely to be attributable to these technological advancements, and not entirely to a shift in adversary behavior.

To that end, I have anecdotally observed a slowdown in the pace at which developments in malware techniques match advancements in defensive technology. Although I don’t have concrete data to support it, there seems to be a drawdown in published offensive research in recent years, coinciding interestingly with the rise and advancement of EDR/XDR technology. To borrow language from other spaces, we may be finally seeing a convergence / equilibrium between threats and defenders on the horizon (at least those which have the privilege of robust defensive programs).

Coincidentally, my own efforts in the offensive security space have shifted towards tailored approaches to assessment execution. Increasingly often, obscurity surpasses cleverness in achieving compromise. But that’s just anecdote.

Bibliography

  1. Black Basta is latest ransomware group to be hit by leak of chat logs
    URL: https://therecord.media/black-basta-ransomware-group-chat-logs-leaked
  2. Update - Stopping Cybercriminals from Abusing Cobalt Strike
    URL: https://www.cobaltstrike.com/blog/update-stopping-cybercriminals-from-abusing-cobalt-strike
  3. Upping the Ante: Detecting In-Memory Threats with Kernel Call Stacks
    URL: https://www.elastic.co/security-labs/upping-the-ante-detecting-in-memory-threats-with-kernel-call-stacks