{
	"id": "d7194124-663a-4fdb-ad7c-a0f02346431e",
	"created_at": "2026-04-06T00:14:49.305998Z",
	"updated_at": "2026-04-12T02:21:53.740974Z",
	"deleted_at": null,
	"sha1_hash": "8432334c83ef7b317a811bcff6b0f70015acf73b",
	"title": "2021 Global Attitude Survey Takeaways | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 210777,
	"plain_text": "2021 Global Attitude Survey Takeaways | CrowdStrike\r\nBy Falcon OverWatch and Falcon Complete teams\r\nArchived: 2026-04-02 10:38:54 UTC\r\nThe results from the 2021 Global Security Attitude Survey paint a bleak picture of how organizations globally are\r\nfeeling about the cybersecurity landscape before them. Organizations are grappling with shortages of\r\ncybersecurity skills and a lack of capability to detect and contain intrusions in a timely way. This comes against a\r\nbackdrop of persistent ransomware attacks, the increasing regularity of supply chain vulnerabilities and a large\r\nattack surface due to sustained high levels of remote work.\r\nAlthough these are legitimate concerns, the battle is not lost. Effective managed cybersecurity services that\r\ninclude continuous threat hunting and rapid response can provide organizations with an immediate injection of\r\nworld-class capability to detect, disrupt and contain serious hands-on-security threats at speed and at scale.\r\n“Trusted” Entry Points Are No Match for Human Hunters\r\nMany survey respondents (84%) predict that supply chain attacks could become one of the biggest cyber threats\r\nfacing their organization. This boils down to a fear of an adversary gaining access through a trusted channel and\r\ngoing undetected. Sophisticated attacks of this nature require a mix of automation and human expertise in the\r\nform of human-based threat hunting. One of the strengths of threat hunting is that the ability to quickly and\r\ndecisively detect a threat is not contingent on the initial access vector. 
Whether initial access is achieved via a\r\nsupply chain attack, a vulnerable public-facing application or another trusted entry point, CrowdStrike Falcon®\r\nOverWatch™ remains vigilant in hunting for post-exploitation behavior that signals an interactive threat on an\r\nendpoint.\r\nhttps://www.crowdstrike.com/blog/better-together-global-attitude-survey-takeaways-2021/\r\nPage 1 of 4\n\nOverWatch recently uncovered interactive intrusion activity that followed the unintended download of a suspected\r\nbackdoored Zsh installation file. Zsh is a legitimate Unix shell and was likely downloaded by the victim\r\norganization from a legitimate GitHub repository. Upon download and installation of Zsh, a binary for the remote\r\naccess utility NetSupport was executed. Concurrently, the malicious installer also attempted to download\r\nadditional binaries and batch files from an external domain. OverWatch tracked the adversary as they leveraged\r\nNetSupport to execute PowerShell commands to download a malicious DLL and batch file from an adversary\r\ncommand-and-control (C2) server and execute basic network reconnaissance commands. Later investigation\r\nfound that the malicious DLL was modified to include VBScript that, if loaded, would have attempted to disable\r\nand add a number of folder exclusions to a third-party security tool.\r\nThis attempted intrusion highlights how adversaries abuse user trust in legitimate download locations and exploit\r\npublic edit settings on numerous GitHub repositories. Fortunately for this victim organization, OverWatch’s\r\ncontinuous hunting quickly spotted the anomalous activity based on threat hunting leads and known indicators of\r\ncompromise (IOCs). Based on this rapid detection, OverWatch provided the necessary context to the victim\r\norganization enabling them to take swift remedial action. 
Managed threat hunting delivers the human element that\r\nis crucial in detecting and disrupting adversary activity designed to exploit trusted components in a victim\r\nenvironment. Unlike solutions based exclusively on automated technology, human hunters approach their analysis\r\nwith informed skepticism. OverWatch looks for behaviors that are indicative of a malicious presence in an\r\nenvironment. While the application or user activity involved with initial access might fall within parameters that\r\ntechnology considers normal, hunting looks at the broader context to detect even the faintest traces of malicious\r\nfollow-on activity.\r\nOverWatch and Falcon Complete Combine Forces to Stop Ransomware in Its\r\nTracks\r\nThe 2021 survey also revealed that the persistent threat of ransomware attacks remains organizations’ most\r\npressing cybersecurity concern, a concern that is firmly based in their lived experience. Two-thirds of the\r\norganizations surveyed had fallen victim to at least one ransomware attack in the preceding 12 months. This\r\nhighlights how critical it is for organizations to have comprehensive security solutions in place that ensure that\r\nransomware attempts are met with swift and decisive action.\r\nOverWatch and CrowdStrike Falcon® Complete™ recently disrupted a ransomware attempt against a victim\r\norganization’s domain controller. An affiliate of the LockBit ransomware as a service (RaaS), run by BITWISE\r\nSPIDER, targeted the domain controller by exploiting the Zerologon vulnerability. The adversary connected to the\r\ndomain controller remotely from a host on the network that did not have Falcon coverage. Thanks to the Falcon\r\nplatform’s rich telemetry on covered workloads and OverWatch’s proactive threat hunting, the attack was\r\nimmediately detected. 
Within minutes, OverWatch identified the adversary’s presence and began investigating.\r\nHaving leveraged the exploit to obtain domain admin privileges, the adversary undertook initial discovery actions\r\nand created a new domain account to facilitate persistence and lateral movement. In under 20 minutes, the\r\nadversary used their new domain account to move laterally, via RDP, to another domain controller on the network,\r\nwhere they changed the “administrator” account’s password. By this time, OverWatch hunters were already in\r\ndirect communication and coordination with Falcon Complete responders to begin stopping the attack. Less than\r\n10 minutes after the breakout, the adversary deployed and attempted to execute a novel binary. Further analysis\r\nperformed by the CrowdStrike Intelligence team found the binary to be a variant of LockBit 2.0. Thanks to the\r\nFalcon platform’s prevention capabilities, the attempted LockBit execution was prevented, ensuring that this\r\nCrowdStrike customer did not become another one of BITWISE SPIDER’s many victims.\r\nA Bit About LockBit\r\nLockBit is developed by an adversary that CrowdStrike Intelligence tracks as BITWISE SPIDER, who\r\nprovides their ransomware to affiliates in a RaaS model. BITWISE SPIDER has recently and quickly become\r\na significant player in the big game hunting (BGH) landscape. Their dedicated leak site (DLS) has received\r\nthe highest number of victims posted each month since July 2021 compared to other adversary DLSs due to\r\nthe growing popularity and effectiveness of LockBit 2.0.\r\nThe Falcon platform is finely tuned to identify known malicious behaviors associated with ransomware. 
Despite\r\nthe novel nature of the binary used in this attempted intrusion, the Falcon platform anticipated and immediately\r\nprevented the unknown threat from executing using a combination of artificial intelligence, behavioral detection\r\nand machine learning algorithms.\r\nMeanwhile, OverWatch tracked the adversary at every turn, providing context-rich information about the\r\nadversary’s movements to Falcon Complete, whose responders notified the customer and rapidly performed their\r\nresponse. Falcon Complete began by rapidly network containing the affected hosts, completely cutting off the\r\nadversary’s remote access. They also disabled the domain account created by the adversary and deployed a custom\r\nIOC hash block across the entire environment for the observed LockBit variant. To further assist the customer,\r\nFalcon Complete analysts delivered specific recommendations for further hardening of the network, including\r\nguidance, removing the adversary-created account, resetting the affected “administrator” account and fully\r\npatching the compromised domain controller.\r\nThanks to the unrivaled security combination of the Falcon platform and the OverWatch, CrowdStrike Intelligence\r\nand Falcon Complete teams, the adversary was thwarted. This coordinated response effectively stopped the\r\nintrusion before the customer suffered any significant impact — protecting them against a serious eCrime threat\r\nthat is growing all too prevalent. The findings from last year’s survey prove that it is a matter of when, not if, an\r\norganization will fall victim to an attempted ransomware attack. Yet, respondents’ self-reported estimated time to\r\ndetect an intrusion has increased to an average of 146 hours, or over 6 days. Having expert managed services on\r\nyour side makes the difference when minutes matter. 
The combination of OverWatch’s unrivaled ability to\r\nuncover adversary activity and Falcon Complete’s expert and timely response is proven to disrupt ransomware\r\nattempts before the adversary can do damage.\r\nManaged Services Plug the Skills Gap\r\nAmid these persistent threats, organizations report difficulty in finding staff with the skills needed to establish and\r\nmaintain a comprehensive security posture. Managed services can deliver an immediate injection of security\r\ncapability that can begin to pay dividends from Day One. In fact, OverWatch regularly uncovers pre-existing\r\nintrusions during roll-out to new customer environments. CrowdStrike’s managed services provide benefits that\r\ncannot easily be replicated with an in-house solution. Because CrowdStrike analysts have access to cloud-scale\r\ntelemetry encompassing trillions of events per day, they have unparalleled visibility across the entire customer\r\ninstall base. This allows hunters to rapidly identify anomalous activity, which ensures every customer benefits\r\nfrom near-real time insights into active threats. Both OverWatch and Falcon Complete are powered by\r\nCrowdStrike’s global threat intelligence, bringing critical context to the detection and response process. Crucially,\r\nall of this is delivered with 24/7/365 coverage, providing comprehensive security when it is most needed:\r\nALWAYS. Finally, a partnership with CrowdStrike’s managed services equips organizations with round-the-clock\r\naccess to elite resources. OverWatch’s expert hunters deliver context-rich alerts that empower organizations to\r\nrapidly contain threats and remediate their environments with confidence. 
For organizations leveraging the power\r\nof Falcon Complete, expert responders will work in lock-step with OverWatch threat hunters to rapidly and\r\nsurgically remediate malicious activity on an organization’s behalf. Managed services can be your fast track to a\r\ncomprehensive, mature endpoint security program that equips you to face the most pressing global security\r\nchallenges into 2022 and beyond.\r\nAdditional Resources\r\nDownload the 2021 CrowdStrike Global Security Attitude Survey.\r\nLearn more about Falcon OverWatch’s proactive managed threat hunting.\r\nCheck out the Falcon Complete product webpage.\r\nWatch this video to see how Falcon OverWatch proactively hunts for threats in your environment.\r\nRead a white paper: CrowdStrike Falcon® Complete: Instant Cybersecurity Maturity for Organizations of\r\nAll Sizes.\r\nLearn how the powerful CrowdStrike Falcon® platform provides comprehensive protection across your\r\norganization, workers and data, wherever they are located.\r\nSource: https://www.crowdstrike.com/blog/better-together-global-attitude-survey-takeaways-2021/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.crowdstrike.com/blog/better-together-global-attitude-survey-takeaways-2021/"
	],
	"report_names": [
		"better-together-global-attitude-survey-takeaways-2021"
	],
	"threat_actors": [
		{
			"id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5",
			"created_at": "2022-10-25T16:07:23.797925Z",
			"updated_at": "2026-04-12T02:00:04.70216Z",
			"deleted_at": null,
			"main_name": "LockBit Gang",
			"aliases": [
				"Bitwise Spider",
				"Operation Cronos"
			],
			"source_name": "ETDA:LockBit Gang",
			"tools": [
				"3AM",
				"ABCD Ransomware",
				"CrackMapExec",
				"EmPyre",
				"EmpireProject",
				"LockBit",
				"LockBit Black",
				"Mimikatz",
				"PowerShell Empire",
				"PsExec",
				"Syrphid"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3940f08b-39aa-492c-8699-86bfe515fa70",
			"created_at": "2023-01-06T13:46:39.470535Z",
			"updated_at": "2026-04-12T02:00:03.405077Z",
			"deleted_at": null,
			"main_name": "BITWISE SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:BITWISE SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434489,
	"ts_updated_at": 1775960513,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8432334c83ef7b317a811bcff6b0f70015acf73b.pdf",
		"text": "https://archive.orkl.eu/8432334c83ef7b317a811bcff6b0f70015acf73b.txt",
		"img": "https://archive.orkl.eu/8432334c83ef7b317a811bcff6b0f70015acf73b.jpg"
	}
}