Can You Stop a Breach in 19 Minutes?
Spotting an initial breach of a network is already difficult. New research raises an additional question: can you stop attackers from gaining control of your critical systems and applications in a matter of minutes? According to CrowdStrike, if you can't detect and respond to a breach in under 19 minutes, you may not be able to stop Russian state-sponsored attackers before they reach your critical systems. In its annual threat report, CrowdStrike found that Russian adversary groups had a "breakout time" – the time from an attacker's initial foothold in the network to the start of lateral movement toward critical machines – of just 18 minutes and 49 seconds, the fastest of any group it measured. North Korea, China, and Iran placed second, third, and fourth, respectively (English-speaking countries were not included in the study, but we imagine US and UK groups would be near the top of the list).
Russian Hackers Can Breach An Organization in Minutes
We have laid out the anatomy of an attack in a previous blog post. An attacker will typically start with reconnaissance, looking for weak spots through which to infiltrate a network. Once the attacker has completed the initial intrusion, they move laterally and escalate privileges to expand their access to more critical systems and applications. The interval between initial intrusion and the first lateral movement is the aforementioned "breakout time," which for Russian groups is under 19 minutes. Once the attacker has access to your critical assets, they will usually establish persistence on the network and begin exfiltrating data.
Organizations Take 9 Months to Respond to a Breach
The last thing Preempt wants is to be another security vendor that spreads FUD ("Fear, Uncertainty, Doubt"), but CrowdStrike's research requires a shift in mentality. Organizations that rely exclusively on their SOC teams for all threat detection and prevention may need to explore a different approach. According to a study by the Ponemon Institute published by IBM, it takes organizations an average of 197 days to identify a breach. On top of the 197 days to identify the breach, it takes an additional 69 days to contain it, for a total of 266 days: roughly 9 months, on average, to detect and respond to a security breach. Given that a Russian attacker could reach critical network resources within 19 minutes, the structure by which many organizations respond to security incidents is no longer adequate.
Automation is The Key to Protecting Against Attackers
Organizations have a very small time window before an intrusion becomes a data breach, and so need to detect and prevent malicious activity within their network faster. Can your threat detection tool stop an attack automatically, or does your SOC team need to investigate first? Detection and prevention that act without waiting for manual analysis by a security team are the key to keeping pace with today's attackers; analysts still handle escalations, but they cannot be in the critical path of every first response. Here are some detection and prevention capabilities that organizations should consider:
- Privileged Accounts: Privileged account credentials give attackers access to almost all resources, so it's important to have visibility into every privileged account, whether it belongs to a legitimate administrator or to an unauthorized stealthy (or shadow) administrator whose effective privileges were never formally granted.
- Tools and Techniques: When an attacker enters a network, they will often use reconnaissance tools such as BloodHound, or techniques like Kerberoasting, to find a path to control of privileged accounts. It's critical to detect these threats accurately and in real time.
- Lateral Movement: Once an attacker has breached your network, they will move around to identify critical systems and applications and attempt to gain access to them. Detecting lateral movement in your network is critical to stopping an attacker in their tracks and containing the breach.
- Misuse of Tools: Because reconnaissance and IT administration tools are used legitimately in the network, attackers often leverage the same tools to move around undetected. Organizations need to detect the use of tools such as PsExec and immediately challenge the user with MFA to verify their identity and confirm that the use is legitimate.
- Privilege Escalation: Attackers exploit weak and vulnerable spots in systems and applications to gain elevated access. To automatically block an attacker from gaining unauthorized access levels, you need to identify vulnerabilities in the network and stealthy (or shadow) administrators, and prevent the misuse of privileged credentials.
- Risky User Behavior: A normal business user's access attempts follow patterns that can be used to build a profile of that user. Once normal behavior is baselined, organizations can spot risky behavior (e.g. a user connecting from a new endpoint with a Russian IP address and accessing a critical server) and challenge or block it depending on the level of risk.
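The three signals above that are most directly visible in Windows event logs (Kerberoasting, PsExec use, and a logon to a critical server from a never-before-seen endpoint) can be reduced to simple detection logic. The following is an added example, not code from the original post or from Preempt or CrowdStrike. It runs over a constructed sample of event records and assumes: events are dicts keyed by Windows Security/System event XML field names; a Kerberoasting burst looks like one account requesting RC4-HMAC (TicketEncryptionType 0x17) service tickets for many distinct non-machine SPNs in a short window (EventID 4769); PsExec shows up as a service install (EventID 7045) named PSEXESVC; and "risky behavior" is a logon (EventID 4624) to a server in a hypothetical CRITICAL_SERVERS list from a (user, workstation) pair absent from a learned baseline. The hostnames, usernames, and baseline are all invented.

```python
"""Toy detections for three of the signals in the list above, run over
constructed Windows event records (not real telemetry)."""
from collections import defaultdict
from datetime import datetime, timedelta

CRITICAL_SERVERS = {"FILESRV01", "DC01"}   # hypothetical asset list
RC4_HMAC = "0x17"                          # TicketEncryptionType for RC4-HMAC
T0 = datetime(2019, 2, 27, 9, 0, 0)

# Constructed sample log: one normal logon, a Kerberoasting burst, two benign
# 4769s that must be ignored, a PsExec service install, and a logon from a
# workstation nobody has seen that user on before.
SAMPLE_EVENTS = [
    {"EventID": 4624, "host": "FILESRV01", "TargetUserName": "alice",
     "WorkstationName": "WS-ALICE", "IpAddress": "10.0.1.20", "time": T0},
    *[{"EventID": 4769, "host": "DC01", "TargetUserName": "bob@CORP",
       "ServiceName": f"svc_{n}", "TicketEncryptionType": RC4_HMAC,
       "time": T0 + timedelta(seconds=8 * n)} for n in range(6)],
    {"EventID": 4769, "host": "DC01", "TargetUserName": "alice@CORP",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12",   # AES256: normal
     "time": T0 + timedelta(seconds=5)},
    {"EventID": 4769, "host": "DC01", "TargetUserName": "bob@CORP",
     "ServiceName": "FILESRV01$", "TicketEncryptionType": RC4_HMAC,  # machine account
     "time": T0 + timedelta(seconds=9)},
    {"EventID": 7045, "host": "FILESRV01", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "time": T0 + timedelta(minutes=2)},
    {"EventID": 4624, "host": "FILESRV01", "TargetUserName": "bob",
     "WorkstationName": "WS-UNKNOWN", "IpAddress": "10.0.9.77",
     "time": T0 + timedelta(minutes=2, seconds=3)},
]
# Learned baseline of (user, workstation) pairs seen before (constructed).
BASELINE = {("alice", "WS-ALICE"), ("bob", "WS-BOB")}


def detect_kerberoasting(events, threshold=5, window=timedelta(minutes=5)):
    """Accounts that requested RC4 service tickets for at least `threshold`
    distinct non-machine SPNs within `window`. Returns {account: [spns]}."""
    per_account = defaultdict(list)
    for e in events:
        if (e["EventID"] == 4769 and e.get("TicketEncryptionType") == RC4_HMAC
                and not e["ServiceName"].endswith("$")):
            per_account[e["TargetUserName"]].append((e["time"], e["ServiceName"]))
    hits = {}
    for account, reqs in per_account.items():
        reqs.sort()  # sliding window over request times
        for i, (start, _) in enumerate(reqs):
            spns = {spn for t, spn in reqs[i:] if t - start <= window}
            if len(spns) >= threshold:
                hits[account] = sorted(spns)
                break
    return hits


def detect_psexec(events):
    """Service installs named like PsExec's default PSEXESVC. A renamed
    PsExec binary changes the name, so pair this with ADMIN$ share access."""
    return [(e["host"], e["ServiceName"], e["ImagePath"]) for e in events
            if e["EventID"] == 7045 and e["ServiceName"].upper().startswith("PSEXESVC")]


def detect_new_endpoint_to_critical(events, baseline):
    """Logons to critical servers from a (user, workstation) pair not in baseline."""
    return [(e["host"], e["TargetUserName"], e["WorkstationName"], e["IpAddress"])
            for e in events
            if e["EventID"] == 4624 and e["host"] in CRITICAL_SERVERS
            and (e["TargetUserName"], e["WorkstationName"]) not in baseline]


def run_all(events=SAMPLE_EVENTS, baseline=BASELINE):
    """Run every detection and return its findings keyed by name."""
    return {"kerberoasting": detect_kerberoasting(events),
            "psexec": detect_psexec(events),
            "new_endpoint": detect_new_endpoint_to_critical(events, baseline)}


if __name__ == "__main__":
    for name, findings in run_all().items():
        print(name, findings)
```

In the sample, only bob's six RC4 requests trip the Kerberoasting rule; alice's AES request and the machine-account ticket are ignored. The PsExec and new-endpoint findings land on the same server within seconds of each other, which is exactly the point at which the post argues the user should be challenged with MFA or blocked automatically rather than queued for an analyst.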
Organizations that implement automated detection and prevention capabilities have a better chance of stopping a data breach. Not only do these automated solutions take the burden off the SOC team, but they are increasingly necessary to address modern threats in a timely manner – especially when "timely" can mean 19 minutes or less. To learn more, please contact firstname.lastname@example.org.
Product Marketing Manager Monnia Deng authored this post.
Posted by The Preempt Security Team on February 27, 2019 10:03 AM