Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/30/2020
10:00 AM
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Attacker Dwell Time: Ransomware's Most Important Metric

How to bolster security defenses by zeroing in on the length of time an interloper remains undetected inside your network.

Ransomware remains one of the most pervasive and insidious security threats to enterprise organizations. In 2020 alone, dozens of brands, from Garmin to Jack Daniels, have been forced to disclose that their networks were breached and their data encrypted by a motley crew of global criminal organizations. 

While much of the attention around ransomware attacks has focused on the methods by which threat actors worm their way inside the network, one critical aspect of these attacks is often overlooked: attacker dwell time, which represents the length of time an interloper remains undetected inside the network.

Related Content:

Deadly Ransomware Story Continues to Unfold

The Threat from the Internet—and What Your Organization Can Do About It

New on The Edge: A Hacker's Playlist

For the better part of the last decade, the majority of ransomware attacks were of the smash-and-grab variety in which the successfully deployed malicious file would encrypt as many files and machines as quickly possible before revealing itself in the form of a lock screen. More recently, ransomware operators are sticking around, lurking in the network shadows to conduct reconnaissance and patiently lying in wait in order to identify higher-value assets to compromise.

While the average attack dwell time for ransomware is relatively brief compared to other malware strains — 43 days on average for ransomware versus months or even years for more persistent threats — each passing day that it remains undetected presents an attacker with new opportunities to unleash their wrath and line their pocketbooks.

A New Generation of Emboldened Attackers
Over the past decade, ransomware has become the preferred malware vehicle for hackers and criminal organizations alike. Not only are there tens of thousands of variants that security teams need to defend against, but the threat actors themselves are no longer following the same playbook. 

The group behind the Sodinokibi strain of ransomware is but one example of an operator that has succeeded in finding creative ways to maximize their returns by stealing data before crypto-locking a target's systems and then threatening to leak or auction stolen data unless their victims pay up.

Other criminal groups such as REvil have essentially democratized ransomware by making it dead simple for wannabe hackers and script kiddies to perpetrate their own attacks by offering affordable and easy-to-use malware-as-a-service subscription. These models also enable the operators to further monetize their efforts by employing affiliate models in which they receive a percentage of any ransoms paid — and offload their risk since they are not themselves spearheading the attack.

Ransomware operators are also feeling emboldened by the massive number of people now working remotely due to the pandemic, exploiting known security vulnerabilities in remote-desktop protocols, and preying on the poor security practices of a workforce that is unfamiliar with proper remote security protocols.

Why Attacker Dwell Time Is a Critical Metric
As ransomware operators shift their objectives to a quality over quantity approach, so must the focus of security teams evolve from a mindset of keeping threat actors out at all costs to assuming they're already inside. 

When attackers are able to remain undetected inside a network they may spend weeks or months exploring it in depth, trying to escalate privileges and leverage those permissions to push ransomware onto as many endpoint devices as possible. They can also use this time to identify critical network resources, such as system backups, network segments storing sensitive data, and other key systems that can be used to disseminate their ransomware widely. 

3 Ways to Reduce Attacker Dwell Time
While an ounce of prevention is certainly worth a pound of cure, security teams must re-think the existing security paradigm of trying to keep attackers out of key networking assets and rather assume that they are already inside. The goal of course is to keep bad actors out but as Mike Tyson elegantly put it, "Everyone's got a plan until they get hit in the face." 

So while it may not be possible to always keep intruders out entirely, you can take some immediate steps to limit its impact by embracing some of the following initiatives:

  • Intentionally Measure Compromise: Regular penetration testing and threat hunting are the hallmarks of a mature security practice, yet they are also out of reach for many. Adopting a framework of continuous compromise assessment enables security teams to integrate the various network and event management feeds that an enterprise already collects so they can measure their compromise level at a more granular level.
  • Correlate Network Intelligence: Attackers use the network as their port of entry and also must use it to move laterally, communicate with their command servers, and eventually exfiltrate data. All of this movement throws off scraps of metadata, whether from trying to resolve a DNS query or scanning the firewall for open ports. By correlating these small bits of data into a unified view, network defenders can make a clear determination as to whether their network is communicating with an adversary's infrastructure. 
  • Enforce a Zero Trust Framework: Zero trust is among the hottest topics in network security as it seeks to replace the conventional trust-but-verify model with a software-defined layer that can more easily enforce least-privilege access and micro-segmentation across the network. From the perspective of a ransomware attack, this will make it much more difficult for an attacker to hop across the network and escalate privileges. 

Ransomware operators will no doubt continue to find novel ways to breach the network and plant their executables. The real challenge won't be halting them outside the gate but rather to illuminate the many blind spots in the network so we can prevent minor incidents from becoming full-blown data breaches.

Ricardo Villadiego is the founder and CEO of Lumu, a cybersecurity company focused on helping organizations measure compromise in real-time. Prior to LUMU, Ricardo founded Easy Solutions, a leading provider of fraud prevention solutions that was acquired by Cyxtera in 2017 as ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
CDVillan
50%
50%
CDVillan,
User Rank: Apprentice
10/1/2020 | 10:34:41 AM
Detailed Input on Attackers
Nice emphasis and importance on attacker dwell time
fernandocuervo1
100%
0%
fernandocuervo1,
User Rank: Apprentice
9/30/2020 | 4:34:28 PM
Amazing blog
Insightful information about ransomware and how to detect it faster. 
mlobato1285
100%
0%
mlobato1285,
User Rank: Apprentice
9/30/2020 | 4:05:18 PM
Interesting perspective
Good read and perspective on ransomware's direct correlation with dwell time. 
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Tell him only Kevin Mitnick and the President know the launch codes.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31607
PUBLISHED: 2021-04-23
In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function...
CVE-2021-31597
PUBLISHED: 2021-04-23
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
CVE-2021-2296
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
CVE-2021-2297
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
CVE-2021-2298
PUBLISHED: 2021-04-22
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attac...