The good news: Three-quarters of enterprises this year discovered on their own they had been hacked rather than learning from a third party. The bad news: It took them an average of 85 days to spot an attack.
That means hackers still have the upper hand. What's more, they need less than two hours, on average, to move from the initially compromised machine further into a target's network, according to CrowdStrike, which today published its "Cyber Intrusion Services Casebook, 2018," a report on a sampling of its real-world incident response (IR) investigations for clients.
"We noticed attackers this year were pretty brazen and stealthy: Eighty-six days [before getting discovered] is still a problem," even when victim organizations are getting better at self-detection, says Tom Etheridge, vice president of services for CrowdStrike. The number of hacked organizations that spotted their own attacks rose 7% this year over those from CrowdStrike Services' IR engagements in 2017.
"It doesn't mean [organizations] are preventing breaches, but they have better tools and visibility for detecting breaches," he says. "Dwell time is still a problem. So even though self-detection is getting better ... an attacker in the organization for 85 days is not ideal."
CrowdStrike recommends what it calls the 1-10-60 rule: Detect an attack on your organization within one minute, take 10 minutes to investigate it, and then remediate it within 60 minutes. "Organizations that can operate at this level will dramatically improve their chances of staying ahead of the adversary and stopping a potential breach from occurring," the company wrote in its case report.
One-third of all the IR cases CrowdStrike investigated had employed social engineering and phishing - an increase of 11% over last year's cases. The main methods of social engineering were business email compromise (BEC) attacks and nation-states employing spear-phishing to gain a foothold in their targets' networks, according to the data. Plain old commodity malware such as TrickBot was also used in many of the attacks to gain an initial foothold in the networks - either to infiltrate further or to sell that access to other cybercriminals or nation-state hackers for ransomware attacks, intellectual property theft, extortion, fraud, or cryptomining attacks.
"Commodity malware was really a precursor of another type of threat actor or to stay active [in the target's network]," Etheridge says. "They use [the malware] at a later date for other campaigns that monetize that access, or they sell that access to another threat actor toward its campaign to monetize IP or information."
The stealthiest attacks on organizations were ones that culled legitimate credentials from their targets and skillfully used them. CrowdStrike saw plenty of cases of attackers also employing legitimate tools in the victim's network, such as PowerShell and Windows Management Instrumentation, as another way to camouflage their activity.
"They remain dormant and take advantage of it for an extended period of time," Etheridge explains. "And they are understanding the tools the [target] has and know them even better than they do."
Take the case of one of CrowdStrike's large retailer clients that was hacked by the infamous and sophisticated Carbanak, aka Carbon Spider, cybercrime organization. Carbanak had hidden inside the retailer's massive global network infrastructure for several years, waging a large-scale gift card fraud operation.
When the retailer finally noticed it had been breached, it called in CrowdStrike, which first spotted an administrative user's Office 365 mail account being used for credential harvesting. The attackers had abused the user's cached Active Directory Federation Services credentials and ran Mimikatz to steal other privileged accounts, including the retailer's ServiceNow account. Among other systems, Carbanak had access to the retailer's IT team systems to monitor and track changes to the network. It even had access to TeamViewer and ScreenConnect to spy on incident response and interact with targeted machines.
"This adversary employed a 'living off the land' methodology to remotely access systems, using system native and the same tools that the client's IT support teams used legitimately," CrowdStrike wrote in its report.
The Carbanak attackers even searched the retailer's ServiceNow IT ticketing system for information on gift cards.
"The customer had believed it had quelled the attack and extracted the attacker," Etheridge says. "But the attacker remained persistent in the customer's environment to monitor ServiceNow and to actually look at email traffic from the fraud department - all using legitimate credentials."
Remediate, Then Investigate
Some organizations, under pressure to get back up and running quickly after an attack, are choosing to remediate their systems after an attack before bringing in CrowdStrike to investigate it, Etheridge says. Those that take that approach typically aren't facing any monetary losses from the attack.
"They're looking to remediate before they investigate," he says. "There's a little bit of a balancing act for engaging the right solution for that account."
The risk with that approach is that an attacker could still remain hidden in the network. The best bet is for organizations to plan for an attacker that just won't go away: "You need to make sure you maintain visibility and control" to monitor that, Etheridge says, as well as deploy two-factor authentication to better protect credentials, and lock down infrastructure controls, such as firewall settings. Proactive threat hunting can also give organizations a leg up on a persistent attacker, he notes.
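The "living off the land" activity described earlier (shells launched through WMI, PowerShell run with encoded command lines, remote-support tools such as TeamViewer used under accounts that should not be using them) and the proactive threat hunting recommended here can be illustrated with a small set of hunting rules. The following is an added example written for this page; it is not code from CrowdStrike or its casebook. The pipe-separated process-creation log format, the hosts, the accounts, and the IT-support allowlist are all constructed for the example, and the base64 blob on the encoded PowerShell line is a placeholder rather than a real payload.

```python
"""Hunting rules for 'living off the land' activity over constructed process-creation events.

The log format is a hypothetical pipe-separated export of process-creation
telemetry (timestamp|host|user|parent image|image|command line). Every
event, host and account below is constructed for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class ProcEvent:
    ts: str        # ISO-8601 UTC, sorts lexicographically
    host: str
    user: str
    parent: str    # parent image (basename or full path)
    image: str     # full path of the created process
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    ts: str
    user: str


# Assumed allowlist of accounts that legitimately run remote-support tools.
IT_SUPPORT_ACCOUNTS: Set[str] = frozenset({r"CORP\svc_helpdesk"})

# Remote-support tools the article names as abused by the intruders.
REMOTE_SUPPORT_TOOLS = ("teamviewer", "screenconnect")

# PowerShell -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_PS = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)

# Constructed sample telemetry: one workstation shows a WMI-spawned shell,
# an encoded PowerShell command and an after-hours TeamViewer launch by a
# finance user; the other two hosts show legitimate IT and developer use.
SAMPLE_LOG = r"""
# ts|host|user|parent|image|cmdline
2018-11-01T08:02:11Z|WS-FIN-07|CORP\alice|explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe report.txt
2018-11-01T08:05:42Z|WS-FIN-07|CORP\alice|C:\Windows\System32\wbem\WmiPrvSE.exe|C:\Windows\System32\cmd.exe|cmd.exe /c whoami
2018-11-01T08:06:03Z|WS-FIN-07|CORP\alice|cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA
2018-11-01T09:15:00Z|SRV-IT-02|CORP\svc_helpdesk|services.exe|C:\Program Files\TeamViewer\TeamViewer_Service.exe|TeamViewer_Service.exe
2018-11-01T10:00:00Z|WS-ENG-11|CORP\bob|explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -ExecutionPolicy Bypass -File build.ps1
2018-11-01T21:40:19Z|WS-FIN-07|CORP\alice|explorer.exe|C:\Program Files\TeamViewer\TeamViewer.exe|TeamViewer.exe
"""


def parse_events(text: str) -> List[ProcEvent]:
    """Parse the pipe-separated export, skipping blank and comment lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, user, parent, image, cmdline = line.split("|", 5)
        events.append(ProcEvent(ts, host, user, parent, image, cmdline))
    return events


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (works for bare names too)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: ProcEvent, it_accounts: Set[str]) -> List[Finding]:
    """Apply the three hunting rules to a single process-creation event."""
    hits = []
    image, parent = _base(ev.image), _base(ev.parent)
    # Rule 1: a shell whose parent is the WMI provider host, the shape
    # remote WMI process creation takes on the target machine.
    if parent == "wmiprvse.exe" and image in {"cmd.exe", "powershell.exe"}:
        hits.append(Finding("wmi_spawned_shell", ev.host, ev.ts, ev.user))
    # Rule 2: PowerShell launched with an encoded command line.
    if image == "powershell.exe" and ENCODED_PS.search(ev.cmdline):
        hits.append(Finding("encoded_powershell", ev.host, ev.ts, ev.user))
    # Rule 3: a remote-support tool started by an account outside the IT allowlist.
    if image.startswith(REMOTE_SUPPORT_TOOLS) and ev.user not in it_accounts:
        hits.append(Finding("remote_support_tool_unexpected_user", ev.host, ev.ts, ev.user))
    return hits


def hunt(text: str, it_accounts: Set[str] = IT_SUPPORT_ACCOUNTS) -> List[Finding]:
    """Run every rule over every event and return the findings in log order."""
    findings: List[Finding] = []
    for ev in parse_events(text):
        findings.extend(check_event(ev, it_accounts))
    return findings


def triage(findings: Iterable[Finding]) -> Dict[str, dict]:
    """Group findings per host: which rules fired and the span of suspicious activity."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f.host].append(f)
    summary = {}
    for host, hits in by_host.items():
        stamps = sorted(h.ts for h in hits)
        summary[host] = {"rules": sorted({h.rule for h in hits}),
                         "first_seen": stamps[0], "last_seen": stamps[-1],
                         "count": len(hits)}
    return summary


if __name__ == "__main__":
    for host, info in triage(hunt(SAMPLE_LOG)).items():
        print(host, info)
```

The `first_seen` value per host is the number a responder wants when the question is how long the intruder has been present, and the per-host grouping is what keeps the ten-minute investigation step of the 1-10-60 rule realistic: one workstation with three different rules firing in sequence is a much stronger signal than any single rule hit. The allowlist in rule 3 is the piece that needs local knowledge, since the article's point is that the intruders used exactly the tools the IT team used legitimately.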