12/11/2018
08:50 AM
CrowdStrike: More Organizations Now Self-Detect Their Own Cyberattacks

But it still takes an average of 85 days to spot one, the security firm's incident response investigations found.

The good news: Three-quarters of enterprises this year discovered on their own they had been hacked rather than learning from a third party. The bad news: It took them an average of 85 days to spot an attack.

That means hackers still have the upper hand. What's more, they need less than two hours, on average, to move from the initially compromised machine further into a target's network, according to CrowdStrike, which today published its "Cyber Intrusion Services Casebook, 2018," a report on a sampling of its real-world incident response (IR) investigations for clients.

"We noticed attackers this year were pretty brazen and stealthy: Eighty-six days [before getting discovered] is still a problem," even when victim organizations are getting better at self-detection, says Tom Etheridge, vice president of services for CrowdStrike. The number of hacked organizations that spotted their own attacks rose 7% this year over those from CrowdStrike Services' IR engagements in 2017.

"It doesn't mean [organizations] are preventing breaches, but they have better tools and visibility for detecting breaches," he says. "Dwell time is still a problem. So even though self-detection is getting better ... an attacker in the organization for 85 days is not ideal."

CrowdStrike recommends what it calls the 1-10-60 rule: Detect an attack on your organization within one minute, take 10 minutes to investigate it, and then remediate it within 60 minutes. "Organizations that can operate at this level will dramatically improve their chances of staying ahead of the adversary and stopping a potential breach from occurring," the company wrote in its case report.

Attacker Behavior
One-third of all the IR cases CrowdStrike investigated involved social engineering and phishing, an increase of 11% over last year's cases. The main social engineering methods were business email compromise (BEC) attacks and nation-states using spear-phishing to gain a foothold in their targets' networks, according to the data. Plain old commodity malware such as TrickBot was also widely used to gain an initial foothold in networks, either to infiltrate further or to sell that access to other cybercriminals or nation-state hackers for ransomware attacks, intellectual property theft, extortion, fraud, or cryptomining.

"Commodity malware was really a precursor of another type of threat actor or to stay active [in the target's network]," Etheridge says. "They use [the malware] at a later date for other campaigns that monetize that access, or they sell that access to another threat actor toward its campaign to monetize IP or information."

The stealthiest attacks on organizations were ones that culled legitimate credentials from their targets and skillfully used them. CrowdStrike saw plenty of cases of attackers also employing legitimate tools in the victim's network, such as PowerShell and Windows Management Instrumentation, as another way to camouflage their activity.

"They remain dormant and take advantage of it for an extended period of time," Etheridge explains. "And they are understanding the tools the [target] has and know them even better than they do."
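The point above is that a PowerShell or WMI launch is not suspicious by itself; what matters is who started it and with what arguments. The following is an added example (not code from the article or from CrowdStrike) of the kind of context-based hunt a defender would run over process-creation telemetry. The log records are constructed, in the shape of Windows Security event 4688 / Sysmon event 1 fields, with hypothetical hosts, users and paths; the rule names and the `AAAA` payload placeholder are likewise assumptions.

```python
"""Hunt for "living off the land" activity in Windows process-creation
telemetry. Added example, not code from the article or from CrowdStrike.
All records below are constructed (hypothetical hosts, users and paths)."""
import re

# Native binaries that admins and attackers both use. A launch is only
# interesting in context: the parent process and the command line.
SHELL_LIKE = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}  # where phishing lures run

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the
# common spellings. -w hidden / -WindowStyle Hidden keeps the console invisible.
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\b", re.I)
HIDDEN_RE = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden\b", re.I)

# Constructed sample events (hypothetical hosts, users and paths).
SAMPLE_LOG = [
    {"time": "2018-11-02T09:14:05", "host": "WS-104", "user": "jdoe",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},                       # user opened a console: benign
    {"time": "2018-11-02T09:20:31", "host": "WS-104", "user": "jdoe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc AAAA"},  # AAAA = placeholder payload
    {"time": "2018-11-02T11:02:17", "host": "SRV-DB01", "user": "svc_backup",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c hostname"},                  # shell spawned via WMI
    {"time": "2018-11-02T11:05:44", "host": "SRV-DB01", "user": "SYSTEM",
     "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "WmiPrvSE.exe -secured -Embedding"},     # normal WMI host start: benign
    {"time": "2018-11-03T23:41:09", "host": "WS-221", "user": "admin.t",
     "parent": r"C:\Windows\System32\taskeng.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-inventory.ps1"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('C:\\x\\Foo.EXE' -> 'foo.exe')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> list:
    """Return the names of every rule the event trips (empty list if none)."""
    image, parent, cmdline = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
    rules = []
    if image == "powershell.exe" and ENCODED_RE.search(cmdline):
        rules.append("ps_encoded_command")
    if image == "powershell.exe" and HIDDEN_RE.search(cmdline):
        rules.append("ps_hidden_window")
    if parent == "wmiprvse.exe" and image in SHELL_LIKE:
        rules.append("wmi_spawned_shell")   # shell started through the WMI provider host
    if parent in OFFICE_PARENTS and image in SHELL_LIKE:
        rules.append("office_spawned_shell")  # document handler launching a shell
    return rules


def hunt(records: list) -> list:
    """Flagged events, in log order, each with the rules that matched."""
    findings = []
    for ev in records:
        rules = score_event(ev)
        if rules:
            findings.append({"time": ev["time"], "host": ev["host"],
                             "user": ev["user"], "rules": rules})
    return findings


def hosts_of_concern(findings: list) -> list:
    """Sorted, de-duplicated hosts that produced at least one finding."""
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['time']} {f['host']:<9} {f['user']:<11} {', '.join(f['rules'])}")
    print("hosts to triage:", hosts_of_concern(hunt(SAMPLE_LOG)))
```

On the sample set only the Word-spawned hidden, encoded PowerShell and the WMI-spawned cmd.exe are flagged; the interactive console, the normal WmiPrvSE start and the scheduled inventory script pass, because the rules key on parent process and arguments rather than on the binary name alone.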

Carbanak/Carbon Spider
Take the case of one of CrowdStrike's large retailer clients that was hacked by the infamous and sophisticated Carbanak, aka Carbon Spider, cybercrime organization. Carbanak had hidden inside the retailer's massive global network infrastructure for several years, waging a large-scale gift card fraud operation.

When the retailer finally noticed it had been breached, it called in CrowdStrike, which first spotted an administrative user's Office 365 mail account being used for credential harvesting. The attackers had abused the user's cached Active Directory Federation Services credentials and run Mimikatz to steal other privileged accounts, including the retailer's ServiceNow account. Among other systems, Carbanak had access to the retailer's IT team systems to monitor and track changes to the network. It even had access to TeamViewer and ScreenConnect to spy on incident response and interact with targeted machines.

"This adversary employed a 'living off the land' methodology to remotely access systems, using system native and the same tools that the client's IT support teams used legitimately," CrowdStrike wrote in its report.

The Carbanak attackers even searched the retailer's ServiceNow IT ticketing system for information on gift cards.

"The customer had believed it had quelled the attack and extracted the attacker," Etheridge says. "But the attacker remained persistent in the customer's environment to monitor ServiceNow and to actually look at email traffic from the fraud department - all using legitimate credentials."

Remediate, Then Investigate
Some organizations, under pressure to get back up and running quickly after an attack, are choosing to remediate their systems before bringing in CrowdStrike to investigate, Etheridge says. Those that take that approach typically aren't facing any monetary losses from the attack.

"They're looking to remediate before they investigate," he says. "There's a little bit of a balancing act for engaging the right solution for that account."

The risk with that approach is that an attacker could still remain hidden in the network. The best bet is for organizations to plan for an attacker that just won't go away: "You need to make sure you maintain visibility and control" to monitor that, Etheridge says, as well as deploy two-factor authentication to better protect credentials, and lock down infrastructure controls, such as firewall settings. Proactive threat hunting can also give organizations a leg up on a persistent attacker, he notes.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Ritu_G
User Rank: Apprentice
1/8/2019 | 12:52:29 AM
Stay vigilant and attentive
I am a little confused here - if it isn't your organization that detects that an attack is going on, who else would? The customers? I mean, what's important here is that you should have a team that's vigilant against all attacks against your system and facility. That's the kind of service that you should be paying for in any case, right?
markgrogan
User Rank: Apprentice
1/2/2019 | 10:24:27 PM
Stepping up
It is good to see an increasing number of organisations really stepping up their cybersecurity game in view of recent hikes in data breaches. Hopefully this whole viewpoint would deter attackers and drill down the figures to a bare minimum. Perhaps it could take ages, but at least we are seeing progress, which is definitely a good start.