
Here are the specific details and insights from the presentation regarding this shift, the landscape of global adversaries, and the rising danger of insider threats:
The Global Threat Actor Landscape: CrowdStrike currently tracks 257 adversaries and 140 malicious activity clusters worldwide. Rather than classifying them only by the tools they use, CrowdStrike categorizes these adversaries by geographic origin and motivation. For example:
- Nation-State Actors: Categorized by animal names, such as “CHOLLIMA” (North Korea), “BEAR” (Russia), “PANDA” (China), and “KITTEN” (Iran).
- eCrime/Financial Actors: Categorized as “SPIDER,” reflecting highly organized, financially motivated cybercriminals.
- Hacktivists: Categorized as “JACKAL”.
The Growing Danger of Insider Threats: The presentation highlights that sophisticated operatives are increasingly bypassing the security perimeter entirely by getting hired as legitimate employees. The impact of this tactic is devastating:
- 50% of organizations experienced an insider incident in 2023.
- 71% of these incidents involved data exfiltration.
- The average annual cost of insider threats has reached $16.2 million.
Case Study: FAMOUS CHOLLIMA: To illustrate this threat, the document provides a deep dive into FAMOUS CHOLLIMA, a financially motivated, state-sponsored adversary linked to North Korea. Their operations are specifically designed to illicitly obtain remote employment at target organizations (especially US organizations in the technology and financial sectors) in order to earn salaries that are funneled back to the North Korean Munitions Industry Department.
Their operational playbook includes:
- Fake Personas: They leverage Generative AI, stolen photos, and deepfake videos during interviews to pass background checks and secure full-time remote IT roles.
- Laptop Farms: Once hired, they request that company assets (like laptops) be sent to “laptop farms” run by facilitators to hide their true geographic location.
- “Living off the Land”: Instead of using custom malware, they install legitimate Remote Monitoring and Management (RMM) tools like RustDesk, AnyDesk, or TinyPilot.
- Execution: While performing minimal legitimate work to collect a paycheck, they carry out Adversary-in-the-Middle (AiTM) attacks to steal credentials, escalate to administrative privileges, and exfiltrate sensitive data from platforms like Microsoft SharePoint.
In 2024 alone, CrowdStrike alerted over 130 customers about FAMOUS CHOLLIMA insiders, preventing an estimated $44 million in employment fraud.
The Necessity of Counter-Adversary Operations: Because adversaries like FAMOUS CHOLLIMA use valid credentials and legitimate tools, 60% of these advanced intrusions go completely undetected by standard autonomous security solutions. To combat this, the presentation outlines CrowdStrike’s Counter-Adversary Operations, which combine threat intelligence with elite human threat hunters:
- Falcon Adversary OverWatch: A 24/7 human-led threat hunting service that searches for cross-domain anomalies (such as an employee logging in from a suspicious network) to disrupt adversaries in real time. As of mid-2025, OverWatch had disrupted 2,652 high-criticality intrusions.
- Falcon Shield (SaaS Security): Since adversaries target cloud applications, Falcon Shield monitors SaaS environments to prevent and detect risky behaviors, such as impossible user agents, unusual privilege escalations, and excessive file downloads.
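The cross-domain correlation the presentation describes (RMM tools on an endpoint, sign-ins from an unexpected network or with an implausible user agent, and excessive SharePoint downloads) can be sketched in a few lines. The following is an added example written for this summary, not CrowdStrike's code: the event feeds, HR record, field layout and thresholds are all constructed assumptions, and the "impossible user agent" check is interpreted here as a user agent whose OS claim does not match the OS of the laptop issued to that hire.

```python
# Added example (not CrowdStrike code): correlate three constructed telemetry
# feeds to surface the insider indicators described above. Thresholds,
# field layouts and the sample events are assumptions made for this example.
from collections import defaultdict

# RMM tools named in the presentation; a corporate laptop should run none of them.
RMM_TOOLS = {"rustdesk.exe", "anydesk.exe", "tinypilot"}
DOWNLOAD_LIMIT = 100          # hypothetical per-user daily SharePoint download cap
MIN_DOMAINS = 2               # flag only when indicators span more than one domain

# Constructed endpoint events: (user, process image, device OS)
PROCESS_EVENTS = [
    ("jdoe", "rustdesk.exe", "Windows"),
    ("asmith", "outlook.exe", "Windows"),
]
# Constructed identity events: (user, sign-in country, OS claimed by the user agent)
SIGNIN_EVENTS = [
    ("jdoe", "US", "Linux"),     # issued device is Windows, UA claims Linux
    ("jdoe", "CN", "Windows"),   # sign-in from outside the hire's declared country
    ("asmith", "US", "Windows"),
]
# Constructed SaaS events: (user, SharePoint files downloaded that day)
SAAS_EVENTS = [("jdoe", 340), ("asmith", 12)]
# Constructed HR record: each hire's declared work country and issued device OS
HR = {"jdoe": ("US", "Windows"), "asmith": ("US", "Windows")}


def correlate(process_events, signin_events, saas_events, hr):
    """Return {user: [indicator, ...]} for users with signals in >= MIN_DOMAINS domains."""
    signals = defaultdict(set)
    for user, image, _device_os in process_events:
        if image.lower() in RMM_TOOLS:
            signals[user].add(f"endpoint:rmm_tool:{image.lower()}")
    for user, country, ua_os in signin_events:
        home_country, device_os = hr.get(user, (None, None))
        if country != home_country:
            signals[user].add(f"identity:login_country:{country}")
        if ua_os != device_os:          # user agent impossible for the issued hardware
            signals[user].add(f"identity:ua_os_mismatch:{ua_os}")
    for user, downloads in saas_events:
        if downloads > DOWNLOAD_LIMIT:
            signals[user].add(f"saas:excessive_downloads:{downloads}")
    # The domain is the prefix before the first colon; require cross-domain evidence.
    return {
        user: sorted(sigs) for user, sigs in signals.items()
        if len({sig.split(":")[0] for sig in sigs}) >= MIN_DOMAINS
    }


if __name__ == "__main__":
    for user, indicators in correlate(PROCESS_EVENTS, SIGNIN_EVENTS, SAAS_EVENTS, HR).items():
        print(user, indicators)
```

Requiring signals from at least two domains is what keeps a lone benign event (one odd sign-in, one large download) from paging a hunter, while the combination the presentation describes still surfaces.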
Ultimately, the presentation concludes that stopping the “enemy within” requires unified, end-to-end visibility across endpoints, identities, cloud workloads, and SaaS applications to trace actions back to the human adversary before they can execute their strike.