CrowdStrike report says breakout time for threat actors is increasing
CrowdStrike's annual global threat report highlights why speed is critical for cybersecurity defenders. Experts sound off on key findings, including the rise of 'big game hunting.'
Hackers are generally taking longer to achieve lateral movement in victims' environments, according to new research from CrowdStrike, but threat actors from one region are still operating at dangerously fast speeds.
CrowdStrike's 2019 Global Threat Report titled "Adversary Tradecraft and the Importance of Speed" analyzed a metric it calls "breakout time." First introduced in CrowdStrike's 2018 Global Threat Report, breakout time is the window of time from when an adversary first compromises an endpoint machine, to when they begin moving laterally across the network. Based on telemetry data gathered by CrowdStrike in 2018, the overall average breakout time in 2018 across all intrusions, threat actors and regions was 4 hours and 37 minutes, which the vendor said was "a substantial increase from 1 hour and 58 minutes in 2017."
"The increase in breakout time is a good thing and there are a variety of factors that may have contributed to that increase, including the rise in intrusions from slower moving adversaries," said Jennifer Ayers, vice president of OverWatch and security response at CrowdStrike. "In some cases some adversaries may have different groups that perform different functions, so there could be delays in between there."
Organizations are also deploying effective endpoint security technologies for detecting intrusions, Ayers added.
CrowdStrike said breakout time is an important metric because it helps evaluate the operational capabilities of threat actors and also represents how long organizations have before an intrusion becomes something worse. This small window of time is crucial for an organization to detect and respond to the intruder, and the reason why speed becomes an important factor in stopping a breach, according to Ayers.
"As a defender you have to be faster than your attackers, you need visibility, you need capable tools and you need to have effective procedures in place that will allow you to block or remediate the threats as soon as they're identified," Ayers said.
CrowdStrike's report also ranked threat actors' breakout time based on their region. While the overall breakout time increased in 2018, Russia-based threat actors boasted an average breakout time of just 18 minutes and 49 seconds. The next closest region was North Korea with an average breakout time of 2 hours, 20 minutes and 14 seconds, according to the report.
Jennifer Ayersvice president of OverWatch and security response, CrowdStrike
Intrusion groups from China have an average breakout time of 4 hours and 26 seconds, while Iranian hackers took more than five hours and cybercrime actors took nearly 10 hours on average to spread across a victim network.
Ayers advised companies to pursue the "1-10-60" rule to combat sophisticated cyberthreats.
"The '1-10-60' in terms of being able to detect in one minute, investigate in 10 minutes and remediate or at least do the best you can within 60 minutes," she said. "Overall, we are still pushing extremely hard for the industry -- and for our customers as well -- to continue to work on better identification, better visibility and faster response techniques."
Cybersecurity defenders should watch out for early warning signs that an attack may be underway and use contextual and behavioral analysis -- delivered in real time via machine learning and artificial intelligence -- to effectively detect and prevent attacks, according to the report.
Malware-free attacks
While the use of malware still continues to be a dominant method for initial infiltration, industries like media, technology, academic, healthcare and energy sectors witnessed a dramatic increase in Malware-free attacks in 2018, the CrowdStrike report found.
"We're seeing a significant increase in the use of scripting techniques in malware-free attacks, using PowerShell, running commands, using Java script and using a lot of native scripting tools that exist in the Windows operating system to be able to go and download their second or third stage payload, execute that payload and so on and so forth," Ayers said.
Attackers continue to shift to defense evasion methods like living off the land techniques, which uses legitimate tools already present on the target system to accomplish adversary objectives, she said.
According to Marty Puranik, CEO of cloud service provider Atlantic.Net in Orlando, malware-free attacks are becoming more popular because modern security tools are becoming effective at detecting files that are suspect and allowing potential victims to remediate the threat, thereby reducing efficacy of malware using files written to disk.
"By not using files that can be detected (such as keeping process in-memory only), malware free is the progressive next step that attackers will take to breach machines and enter networks," Puranik said in an email interview. "In terms of compromised credentials, an AI solution or algorithmic solution may be helpful by watching credentials used in usual ways (such as originating IP + time zone + type of machine/mobile device being used). If it is out of character it may be able to lock down the machine in question or limit how far an attacker can traverse a network."
Gartner analyst Avivah Litan believes companies need a layered security approach that goes beyond just looking at anomalous and suspicious events on the endpoints and in the network.
"They also need to analyze activity at the user, and user account level, as well as correlate anomalous activities across multiple anchor/entity types, e.g., endpoint, network, data, file, user, user account level and more," Litan said in an email interview. "They also need to put in controls and detection that specifically looks for malware-free attacks executing in memory."
Just like traditional malware attacks, most malware-free attacks establish the initial foothold by tricking unsuspecting users into performing certain actions, said Aman Khanna, vice president of products at ThumbSignIn, a biometric security vendor based in Mountain View, Calif.
"This makes continuously educating users to be aware and watchful of social engineering one of the top means of defense," Khanna said in an email interview.
Finally, companies should enforce strict policies around security hygiene, including keeping operating systems and browsers updated, applying the latest security, removing unnecessary software, turning off automatic execution of macros and plugins, Khanna added.
The rise of 'big game hunting'
The most prominent trend in cybercrime for 2018 was the continued rise of "big game hunting," the CrowdStrike global threat report found. "Big game hunting" is the practice of combining targeted intrusion tactics for the deployment of ransomware across large organizations, CrowdStrike's Ayer explained.
These sophisticated campaigns often include well-tested reconnaissance, delivery and lateral-movement TTPs, according to the report. Cybercriminals like BOSS SPIDER (Samas, SamSam), INDRIK SPIDER (Dridex) and GRIM SPIDER (Ryuk) all raked in huge profits in these campaigns, the report found.
"Cybercriminals have determined that the $2000 to $50,000 payouts they went after yesteryear is small potatoes," said Bryce Austin, CEO of TCE Strategy. "More targeted strikes have well surpassed the $100,000 barrier, and companies sometimes have no choice but to pay."
To defend against such attacks, Austin suggested companies pull servers completely offline before trying to restore servers from backup.
"This must be done while disconnected from the internet and from their internal network," he said.
He also suggested companies have at least 30% free disk space on all of their computers and servers.
"Ransomware often runs disks out of space and all data encrypted after that occurs is lost forever, not even the cybercriminals can get it back," Austin said.
Gartner's Litan advised companies hire threat intelligence and cyberthreat hunters who know how to look for and find the bad guys planning or executing attacks against their organizations.
"In short, they need to pre-empt the attacks by looking outside their organizational boundaries for evidence of attack preparations or executions that will harm their enterprise," Litan said.