
CrowdStrike: More Organizations Now Self-Detect Their Own Cyberattacks

But it still takes an average of 85 days to spot one, the security firm's incident response investigations found.

The good news: Three-quarters of enterprises this year discovered on their own they had been hacked rather than learning from a third party. The bad news: It took them an average of 85 days to spot an attack.

That means hackers still have the upper hand. What's more, they need less than two hours, on average, to move from the initially compromised machine further into a target's network, according to CrowdStrike, which today published its "Cyber Intrusion Services Casebook, 2018," a report on a sampling of its real-world incident response (IR) investigations for clients.

"We noticed attackers this year were pretty brazen and stealthy: Eighty-six days [before getting discovered] is still a problem," even when victim organizations are getting better at self-detection, says Tom Etheridge, vice president of services for CrowdStrike. The number of hacked organizations that spotted their own attacks rose 7% this year over those from CrowdStrike Services' IR engagements in 2017.

"It doesn't mean [organizations] are preventing breaches, but they have better tools and visibility for detecting breaches," he says. "Dwell time is still a problem. So even though self-detection is getting better ... an attacker in the organization for 85 days is not ideal."

CrowdStrike recommends what it calls the 1-10-60 rule: Detect an attack on your organization within one minute, take 10 minutes to investigate it, and then remediate it within 60 minutes. "Organizations that can operate at this level will dramatically improve their chances of staying ahead of the adversary and stopping a potential breach from occurring," the company wrote in its case report.

Attacker Behavior
One-third of all the IR cases CrowdStrike investigated involved social engineering and phishing - an increase of 11% over last year's cases. The main forms of social engineering were business email compromise (BEC) attacks and nation-states employing spear-phishing to gain a foothold in their targets' networks, according to the data. Plain old commodity malware such as TrickBot was also widely used to gain an initial foothold in the networks - either to infiltrate further or to sell that access to other cybercriminals or nation-state hackers for ransomware attacks, intellectual property theft, extortion, fraud, or cryptomining.

"Commodity malware was really a precursor of another type of threat actor or to stay active [in the target's network]," Etheridge says. "They use [the malware] at a later date for other campaigns that monetize that access, or they sell that access to another threat actor toward its campaign to monetize IP or information."

The stealthiest attacks on organizations were ones that culled legitimate credentials from their targets and skillfully used them. CrowdStrike saw plenty of cases of attackers also employing legitimate tools in the victim's network, such as PowerShell and Windows Management Instrumentation, as another way to camouflage their activity.

"They remain dormant and take advantage of it for an extended period of time," Etheridge explains. "And they are understanding the tools the [target] has and know them even better than they do."
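The detection side of what Etheridge describes can be made concrete. The script below is an added example, not code from the article or from CrowdStrike: it runs three simple rules over constructed process-creation events shaped loosely like Sysmon Event ID 1 records (Office applications spawning PowerShell, hidden or encoded PowerShell command lines, and the WMI provider host spawning a shell), then looks for one account whose WMI-driven shells reach several hosts within a short window, which is the "legitimate credentials, legitimate tools" pattern the article attributes to the stealthiest intrusions. Every host name, account, path, timestamp and threshold in it is made up.

```python
"""Toy detection rules for 'living off the land' activity (PowerShell, WMI,
reused credentials), run over a handful of constructed process-creation events.

Added example, not CrowdStrike tooling. The event shape loosely mirrors Sysmon
Event ID 1 fields; hosts, users, paths, timestamps and thresholds are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
WMIPRVSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # benign: an inventory script launched by a user from Explorer
    {"ts": "2018-11-01T09:00:00", "host": "WS01", "user": "CORP\\alice",
     "parent": "C:\\Windows\\explorer.exe", "image": PS,
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    # phishing-style chain: Word launching hidden, encoded PowerShell
    {"ts": "2018-11-01T09:05:00", "host": "WS02", "user": "CORP\\bob",
     "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "image": PS,
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    # one service account executing via WMI on several servers within minutes
    {"ts": "2018-11-01T09:06:00", "host": "SRV07", "user": "CORP\\svc-helpdesk",
     "parent": WMIPRVSE, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"ts": "2018-11-01T09:07:30", "host": "SRV12", "user": "CORP\\svc-helpdesk",
     "parent": WMIPRVSE, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"ts": "2018-11-01T09:09:10", "host": "SRV19", "user": "CORP\\svc-helpdesk",
     "parent": WMIPRVSE, "image": PS,
     "cmdline": "powershell.exe -c Get-Process"},
    # benign: the WMI provider spawning WMIC itself, one host, not a shell
    {"ts": "2018-11-01T11:00:00", "host": "SRV03", "user": "NT AUTHORITY\\SYSTEM",
     "parent": WMIPRVSE, "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic.exe os get version"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
HIDDEN_OR_ENCODED = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden")


def basename(path):
    """Case-folded file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_office_spawns_powershell(ev):
    """Office application as parent of PowerShell: classic macro/phishing chain."""
    return basename(ev["parent"]) in OFFICE_APPS and basename(ev["image"]) == "powershell.exe"


def rule_obfuscated_powershell(ev):
    """Encoded or hidden-window PowerShell; noisy in some estates, tune per site."""
    if basename(ev["image"]) != "powershell.exe":
        return False
    cmd = ev["cmdline"].lower()
    return any(flag in cmd for flag in HIDDEN_OR_ENCODED)


def rule_wmi_spawns_shell(ev):
    """WmiPrvSE.exe spawning a shell: the footprint of remote WMI process creation."""
    return basename(ev["parent"]) == "wmiprvse.exe" and basename(ev["image"]) in SHELLS


PER_EVENT_RULES = [rule_office_spawns_powershell, rule_obfuscated_powershell, rule_wmi_spawns_shell]


def credential_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """Accounts whose WMI-driven shells reach >= min_hosts distinct hosts within `window`.

    Returns {user: sorted list of hosts}. A valid account touching many machines
    in one burst is the lateral-movement shape that per-event rules alone miss.
    """
    by_user = defaultdict(list)
    for ev in events:
        if rule_wmi_spawns_shell(ev):
            by_user[ev["user"]].append((datetime.fromisoformat(ev["ts"]), ev["host"]))
    flagged = {}
    for user, hits in by_user.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged


def run_detections(events):
    """Return (rule_name, host, user) for every per-event rule that fires."""
    findings = []
    for ev in events:
        for rule in PER_EVENT_RULES:
            if rule(ev):
                findings.append((rule.__name__, ev["host"], ev["user"]))
    return findings


if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print("ALERT", *f)
    for user, hosts in credential_fanout(SAMPLE_EVENTS).items():
        print("FANOUT", user, "->", ", ".join(hosts))
```

On the sample data the Explorer-launched script and the WMIC helper stay quiet, the Word-to-PowerShell event trips two rules, and the three WMI shells from one service account are both flagged individually and correlated into a fan-out finding. The rules are deliberately coarse; in production the Office and encoded-command checks need per-site allow-listing, and the fan-out threshold should be set from a baseline of how the help-desk and IT teams actually use WMI, since, as the article notes, the attacker's tooling is the same as theirs.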

Carbanak/Carbon Spider
Take the case of one of CrowdStrike's large retailer clients that was hacked by the infamous and sophisticated Carbanak, aka Carbon Spider, cybercrime organization. Carbanak had hidden inside the retailer's massive global network infrastructure for several years, waging a massive gift card fraud operation.

When the retailer finally noticed it had been breached, it called in CrowdStrike, which first spotted an administrative user's Office 365 mail account being used for credential harvesting. The attackers had abused the user's cached Active Directory Federation Services credentials and run Mimikatz to steal other privileged accounts, including the retailer's ServiceNow account. Among other systems, Carbanak had access to the retailer's IT team systems, which let it monitor and track changes to the network. It even had access to TeamViewer and ScreenConnect to spy on incident response and interact with targeted machines.

"This adversary employed a 'living off the land' methodology to remotely access systems, using system native and the same tools that the client's IT support teams used legitimately," CrowdStrike wrote in its report.

The Carbanak attackers even searched the retailer's ServiceNow IT ticketing system for information on gift cards.

"The customer had believed it had quelled the attack and extracted the attacker," Etheridge says. "But the attacker remained persistent in the customer's environment to monitor ServiceNow and to actually look at email traffic from the fraud department - all using legitimate credentials."

Remediate, Then Investigate
Some organizations, under pressure to get back up and running quickly after an attack, are choosing to remediate their systems before bringing in CrowdStrike to investigate, Etheridge says. Those that take that approach typically aren't facing any monetary losses from the attack.

"They're looking to remediate before they investigate," he says. "There's a little bit of a balancing act for engaging the right solution for that account."

The risk with that approach is that an attacker could still remain hidden in the network. The best bet is for organizations to plan for an attacker that just won't go away: "You need to make sure you maintain visibility and control" to monitor for that, Etheridge says, as well as deploy two-factor authentication to better protect credentials and lock down infrastructure controls, such as firewall settings. Proactive threat hunting can also give organizations a leg up on a persistent attacker, he notes.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Moderator
1/8/2019 | 12:52:29 AM
Stay vigilant and attentive
I am a little confused here - if it isn't your organization that detects that an attack is going on, who else would? The customers? I mean what's important here is that you should have a team that's vigilant against all attacks against your system and facility. That's the kind of service that you should be paying for in any case right?
User Rank: Strategist
1/2/2019 | 10:24:27 PM
Stepping up
It is good to see an increasing number of organisations really stepping up their cybersecurity game in view of recent hikes in data breaches. Hopefully this whole viewpoint would deter attackers and drill down the figures to a bare minimum. Perhaps it could take ages, but at least we are seeing progress, which is definitely a good start.