
Perimeter

12/11/2018
08:50 AM

CrowdStrike: More Organizations Now Self-Detect Their Own Cyberattacks

But it still takes an average of 85 days to spot one, the security firm's incident response investigations found.

The good news: Three-quarters of enterprises this year discovered on their own they had been hacked rather than learning from a third party. The bad news: It took them an average of 85 days to spot an attack.

That means hackers still have the upper hand. What's more, they need less than two hours, on average, to move from the initially compromised machine to further inside a target's network, according to CrowdStrike, which today published its "Cyber Intrusion Services Casebook, 2018," a report on a sampling of its real-world incident response (IR) investigations for clients.

"We noticed attackers this year were pretty brazen and stealthy: Eighty-six days [before getting discovered] is still a problem," even when victim organizations are getting better at self-detection, says Tom Etheridge, vice president of services for CrowdStrike. The number of hacked organizations that spotted their own attacks rose 7% this year over those from CrowdStrike Services' IR engagements in 2017.

"It doesn't mean [organizations] are preventing breaches, but they have better tools and visibility for detecting breaches," he says. "Dwell time is still a problem. So even though self-detection is getting better ... an attacker in the organization for 85 days is not ideal."

CrowdStrike recommends what it calls the 1-10-60 rule: Detect an attack on your organization within one minute, take 10 minutes to investigate it, and then remediate it within 60 minutes. "Organizations that can operate at this level will dramatically improve their chances of staying ahead of the adversary and stopping a potential breach from occurring," the company wrote in its case report.

Attacker Behavior
One-third of all the IR cases CrowdStrike investigated had employed social engineering and phishing - an increase of 11% over last year's cases. The main methods of social engineering were business email compromise (BEC) attacks and nation-states employing spear-phishing to gain a foothold in their targets' networks, according to the data. Plain old commodity malware such as TrickBot was also a big tool used in many of the attacks to get an initial foothold into the networks - either to infiltrate further or to sell access to other cybercriminals or nation-state hackers for ransomware attacks, intellectual property theft, extortion, fraud, or cryptomining attacks.

"Commodity malware was really a precursor of another type of threat actor or to stay active [in the target's network]," Etheridge says. "They use [the malware] at a later date for other campaigns that monetize that access, or they sell that access to another threat actor toward its campaign to monetize IP or information."

The stealthiest attacks on organizations were ones that culled legitimate credentials from their targets and skillfully used them. CrowdStrike saw plenty of cases of attackers also employing legitimate tools in the victim's network, such as PowerShell and Windows Management Instrumentation, as another way to camouflage their activity.

"They remain dormant and take advantage of it for an extended period of time," Etheridge explains. "And they are understanding the tools the [target] has and knows them even better than they do."
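The "living off the land" pattern described above (PowerShell and WMI used as camouflage) is what endpoint detection has to separate from the IT team's own legitimate use of the same tools. The following is an added example, not code from the article or from CrowdStrike: it parses a handful of constructed, Sysmon-style process-creation records (the field names, the hostnames and the base64 value, which decodes to the word "Placeholder", are all made up for the example) and applies a few detection rules that defenders commonly use for this behaviour: PowerShell launched with an encoded command or a hidden window, a shell spawned by the WMI provider host, and remote process creation through WMIC.

```python
import base64
import re
from dataclasses import dataclass

# Constructed, Sysmon-style process-creation records (EventID 1) standing in for
# real endpoint telemetry. Fields are "key=value" pairs separated by " | ".
# The -enc value is a placeholder (UTF-16LE "Placeholder"), not a real payload.
SAMPLE_EVENTS = """\
EventID=1 | User=CORP\\jdoe | ParentImage=C:\\Windows\\explorer.exe | Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | CommandLine=powershell.exe -NoProfile Get-ChildItem C:\\Reports
EventID=1 | User=CORP\\svc_backup | ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe | Image=C:\\Windows\\System32\\cmd.exe | CommandLine=cmd.exe /c whoami /all
EventID=1 | User=CORP\\jdoe | ParentImage=C:\\Windows\\System32\\cmd.exe | Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | CommandLine=powershell.exe -w hidden -nop -enc UABsAGEAYwBlAGgAbwBsAGQAZQByAA==
EventID=1 | User=CORP\\it_admin | ParentImage=C:\\Windows\\System32\\cmd.exe | Image=C:\\Windows\\System32\\wbem\\WMIC.exe | CommandLine=wmic /node:FILESRV01 process call create "cmd.exe /c dir"
EventID=1 | User=CORP\\it_admin | ParentImage=C:\\Windows\\explorer.exe | Image=C:\\Windows\\System32\\notepad.exe | CommandLine=notepad.exe C:\\Users\\it_admin\\notes.txt
"""


@dataclass
class Finding:
    rule: str
    user: str
    image: str
    command_line: str
    detail: str = ""


def parse_events(text: str) -> list[dict]:
    """Parse the constructed key=value records into one dict per line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {}
        for part in line.split(" | "):
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
        events.append(fields)
    return events


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


# Detection patterns (case-insensitive, matched against the command line).
ENCODED_FLAG = re.compile(r"\s-(enc|encodedcommand|ec)\s+(\S+)", re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE)
WMIC_REMOTE = re.compile(r"/node:\S+.*\bprocess\s+call\s+create", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def _decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries base64 of UTF-16LE text; decode it for analyst context."""
    try:
        return base64.b64decode(b64).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def detect_lotl(events: list[dict]) -> list[Finding]:
    """Apply the living-off-the-land rules to each event; return all hits in order."""
    findings: list[Finding] = []
    for ev in events:
        user, image, parent = ev.get("User", ""), ev.get("Image", ""), ev.get("ParentImage", "")
        cmd = ev.get("CommandLine", "")
        img, par = _basename(image), _basename(parent)

        def hit(rule: str, detail: str = "") -> None:
            findings.append(Finding(rule, user, image, cmd, detail))

        if img in {"powershell.exe", "pwsh.exe"}:
            m = ENCODED_FLAG.search(cmd)
            if m:
                hit("encoded_powershell", _decode_encoded_command(m.group(2)))
            if HIDDEN_WINDOW.search(cmd):
                hit("hidden_powershell_window")
        # A shell whose parent is the WMI provider host is the classic remote-WMI execution shape.
        if par == "wmiprvse.exe" and img in SHELLS:
            hit("wmi_spawned_shell")
        if img == "wmic.exe" and WMIC_REMOTE.search(cmd):
            hit("wmic_remote_exec")
    return findings


if __name__ == "__main__":
    for f in detect_lotl(parse_events(SAMPLE_EVENTS)):
        print(f"[{f.rule}] {f.user}: {f.command_line} {f.detail}".rstrip())
```

The plain `Get-ChildItem` invocation and the Notepad launch produce no findings, which is the point: the rules key on how the tool is invoked and by what parent, not on the tool's presence. In a real deployment these hits still need to be reconciled against the IT team's own usage (the retailer case later in the article is exactly the situation where the attacker's tooling matched the support team's), so they are hunt leads rather than verdicts.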

Carbanak/Carbon Spider
Take the case of one of CrowdStrike's large retailer clients that was hacked by the infamous and sophisticated Carbanak, aka Carbon Spider, cybercrime organization. Carbanak had hidden inside the retailer's massive global network infrastructure for several years, waging a massive gift card fraud operation.

When the retailer finally noticed it had been breached, it called in CrowdStrike, which first spotted an administrative user's Office 365 mail account being used for credential harvesting. The attackers had abused the user's cached Active Directory Federation Services credentials and ran Mimikatz to steal other privileged accounts, including the retailer's ServiceNow account. Among other systems, Carbanak had access to the retailer's IT team systems to monitor and track changes to the network. It even had access to TeamViewer and ScreenConnect to spy on incident response and interact with targeted machines.

"This adversary employed a 'living off the land' methodology to remotely access systems, using system native and the same tools that the client's IT support teams used legitimately," CrowdStrike wrote in its report.

The Carbanak attackers even searched the retailer's ServiceNow IT ticketing system for information on gift cards.

"The customer had believed it had quelled the attack and extracted the attacker," Etheridge says. "But the attacker remained persistent in the customer's environment to monitor ServiceNow and to actually look at email traffic from the fraud department - all using legitimate credentials."

Remediate, Then Investigate
Some organizations, under pressure to get back up and running quickly after an attack, are choosing to remediate their systems after an attack before bringing in CrowdStrike to investigate it, Etheridge says. Those that take that approach typically aren't facing any monetary losses from the attack.

"They're looking to remediate before they investigate," he says. "There's a little bit of a balancing act for engaging the right solution for that account."

The risk with that approach is that an attacker could still remain hidden in the network. The best bet is for organizations to plan for an attacker that just won't go away: "You need to make sure you maintain visibility and control" to monitor that, Etheridge says, as well as deploy two-factor authentication to better protect credentials, and lock down infrastructure controls, such as firewall settings. Proactive threat hunting can also give organizations a leg up on a persistent attacker, he notes.
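The proactive hunting Etheridge recommends, and the Carbanak case above (legitimate credentials and the IT team's own remote-access tools used from the wrong places), both come down to comparing current activity against what each account normally does. The following is an added example, not code from the article or from CrowdStrike, and the records in it are constructed: a baseline window of sessions per account is turned into "which hosts and which tools does this account normally use," and a recent window is then checked for privileged accounts appearing from new hosts, remote-admin tools used outside assumed business hours, and tools an account has never used before. The account names, hostnames, tool labels, the privileged set and the 07:00-19:59 business-hours window are all assumptions for the example. The earliest anomalous session per account is also reported, because that timestamp is what an IR team uses to anchor the dwell-time estimate the article discusses.

```python
from datetime import datetime

# Constructed session records: (timestamp, account, source host, tool). Not real data.
# BASELINE is the IT team's normal activity; RECENT is the window being hunted.
BASELINE = [
    ("2018-10-01T09:00:00", "it_admin", "IT-WS01", "TeamViewer"),
    ("2018-10-01T10:30:00", "it_admin", "IT-WS01", "rdp"),
    ("2018-10-03T14:15:00", "it_admin", "IT-WS02", "ScreenConnect"),
    ("2018-10-02T08:45:00", "jdoe", "FIN-WS07", "outlook"),
    ("2018-10-02T03:00:00", "svc_snow", "SNOW-APP01", "servicenow_api"),
]
RECENT = [
    ("2018-11-02T09:12:00", "it_admin", "IT-WS01", "TeamViewer"),
    ("2018-11-02T23:41:00", "it_admin", "FIN-WS07", "ScreenConnect"),
    ("2018-11-03T10:05:00", "jdoe", "FIN-WS07", "outlook"),
    ("2018-11-03T02:17:00", "svc_snow", "FIN-WS07", "servicenow_api"),
    ("2018-11-04T12:00:00", "jdoe", "FIN-WS07", "TeamViewer"),
]

# Assumptions for the example: which accounts are privileged, which tools give
# interactive remote control, and what counts as business hours (local time).
PRIVILEGED = {"it_admin", "svc_snow"}
REMOTE_ADMIN_TOOLS = {"TeamViewer", "ScreenConnect", "rdp"}
BUSINESS_HOURS = range(7, 20)  # 07:00 through 19:59


def build_baseline(records):
    """Per-account sets of source hosts and tools seen during the baseline window."""
    hosts, tools = {}, {}
    for _, user, host, tool in records:
        hosts.setdefault(user, set()).add(host)
        tools.setdefault(user, set()).add(tool)
    return hosts, tools


def hunt(baseline_records, recent_records):
    """Flag recent sessions that deviate from the baseline; one finding per rule hit."""
    hosts, tools = build_baseline(baseline_records)
    findings = []
    for ts, user, host, tool in recent_records:
        when = datetime.fromisoformat(ts)
        reasons = []
        # A privileged account appearing from a host it has never used before.
        if user in PRIVILEGED and host not in hosts.get(user, set()):
            reasons.append("new_source_host")
        # Interactive remote control outside the hours the support team works.
        if tool in REMOTE_ADMIN_TOOLS and when.hour not in BUSINESS_HOURS:
            reasons.append("off_hours_remote_admin")
        # Any account using a tool that is not part of its baseline.
        if tool not in tools.get(user, set()):
            reasons.append("new_tool_for_account")
        for rule in reasons:
            findings.append({"time": ts, "user": user, "host": host, "tool": tool, "rule": rule})
    return findings


def earliest_anomaly(findings):
    """First suspicious session per account: the anchor for a dwell-time estimate."""
    first = {}
    for f in findings:
        if f["user"] not in first or f["time"] < first[f["user"]]:
            first[f["user"]] = f["time"]
    return first


if __name__ == "__main__":
    results = hunt(BASELINE, RECENT)
    for f in results:
        print(f"{f['time']} {f['user']:9} {f['host']:11} {f['tool']:15} {f['rule']}")
    for user, ts in earliest_anomaly(results).items():
        print(f"earliest anomaly for {user}: {ts}")
```

The baseline here is a month of constructed sessions; in practice it should be long enough to cover on-call and maintenance patterns, or legitimate off-hours work will dominate the findings. The "new tool for account" rule is deliberately low-severity on its own, and the finance workstation reaching ServiceNow with the service account is the kind of lead worth chasing first.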

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Ritu_G, User Rank: Moderator, 1/8/2019 | 12:52:29 AM
Stay vigilant and attentive
I am a little confused here - if it isn't your organization that detects that an attack is going on, who else would? The customers? I mean what's important here is that you should have a team that's vigilant against all attacks against your system and facility. That's the kind of service that you should be paying for in any case right?
markgrogan, User Rank: Strategist, 1/2/2019 | 10:24:27 PM
Stepping up
It is good to see an increasing number of organisations really stepping up their cybersecurity game in view of recent hikes in data breaches. Hopefully this whole viewpoint would deter attackers to drill down the figures to a bare minimal. Perhaps it could take ages but at least we are seeing progress which is definitely a good start.