Ransomware remains one of the most pervasive and insidious security threats to enterprise organizations. In 2020 alone, dozens of brands, from Garmin to Jack Daniels, have been forced to disclose that their networks were breached and their data encrypted by a motley crew of global criminal organizations.
While much of the attention around ransomware attacks has focused on the methods by which threat actors worm their way inside the network, one critical aspect of these attacks is often overlooked: attacker dwell time, which represents the length of time an interloper remains undetected inside the network.
For the better part of the last decade, the majority of ransomware attacks were of the smash-and-grab variety in which the successfully deployed malicious file would encrypt as many files and machines as quickly possible before revealing itself in the form of a lock screen. More recently, ransomware operators are sticking around, lurking in the network shadows to conduct reconnaissance and patiently lying in wait in order to identify higher-value assets to compromise.
While the average attack dwell time for ransomware is relatively brief compared to other malware strains — 43 days on average for ransomware versus months or even years for more persistent threats — each passing day that it remains undetected presents an attacker with new opportunities to unleash their wrath and line their pocketbooks.
A New Generation of Emboldened Attackers
Over the past decade, ransomware has become the preferred malware vehicle for hackers and criminal organizations alike. Not only are there tens of thousands of variants that security teams need to defend against, but the threat actors themselves are no longer following the same playbook.
The group behind the Sodinokibi strain of ransomware is but one example of an operator that has succeeded in finding creative ways to maximize their returns by stealing data before crypto-locking a target's systems and then threatening to leak or auction stolen data unless their victims pay up.
Other criminal groups such as REvil have essentially democratized ransomware by making it dead simple for wannabe hackers and script kiddies to perpetrate their own attacks by offering affordable and easy-to-use malware-as-a-service subscription. These models also enable the operators to further monetize their efforts by employing affiliate models in which they receive a percentage of any ransoms paid — and offload their risk since they are not themselves spearheading the attack.
Ransomware operators are also feeling emboldened by the massive number of people now working remotely due to the pandemic, exploiting known security vulnerabilities in remote-desktop protocols, and preying on the poor security practices of a workforce that is unfamiliar with proper remote security protocols.
Why Attacker Dwell Time Is a Critical Metric
As ransomware operators shift their objectives to a quality over quantity approach, so must the focus of security teams evolve from a mindset of keeping threat actors out at all costs to assuming they're already inside.
When attackers are able to remain undetected inside a network they may spend weeks or months exploring it in depth, trying to escalate privileges and leverage those permissions to push ransomware onto as many endpoint devices as possible. They can also use this time to identify critical network resources, such as system backups, network segments storing sensitive data, and other key systems that can be used to disseminate their ransomware widely.
3 Ways to Reduce Attacker Dwell Time
While an ounce of prevention is certainly worth a pound of cure, security teams must re-think the existing security paradigm of trying to keep attackers out of key networking assets and rather assume that they are already inside. The goal of course is to keep bad actors out but as Mike Tyson elegantly put it, "Everyone's got a plan until they get hit in the face."
So while it may not be possible to always keep intruders out entirely, you can take some immediate steps to limit its impact by embracing some of the following initiatives:
- Intentionally Measure Compromise: Regular penetration testing and threat hunting are the hallmarks of a mature security practice, yet they are also out of reach for many. Adopting a framework of continuous compromise assessment enables security teams to integrate the various network and event management feeds that an enterprise already collects so they can measure their compromise level at a more granular level.
- Correlate Network Intelligence: Attackers use the network as their port of entry and also must use it to move laterally, communicate with their command servers, and eventually exfiltrate data. All of this movement throws off scraps of metadata, whether from trying to resolve a DNS query or scanning the firewall for open ports. By correlating these small bits of data into a unified view, network defenders can make a clear determination as to whether their network is communicating with an adversary's infrastructure.
- Enforce a Zero Trust Framework: Zero trust is among the hottest topics in network security as it seeks to replace the conventional trust-but-verify model with a software-defined layer that can more easily enforce least-privilege access and micro-segmentation across the network. From the perspective of a ransomware attack, this will make it much more difficult for an attacker to hop across the network and escalate privileges.
Ransomware operators will no doubt continue to find novel ways to breach the network and plant their executables. The real challenge won't be halting them outside the gate but rather to illuminate the many blind spots in the network so we can prevent minor incidents from becoming full-blown data breaches.