Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/30/2020
10:00 AM
Connect Directly
LinkedIn
Twitter
Facebook
RSS
E-Mail vvv
100%
0%

Attacker Dwell Time: Ransomware's Most Important Metric

How to bolster security defenses by zeroing in on the length of time an interloper remains undetected inside your network.

Ransomware remains one of the most pervasive and insidious security threats to enterprise organizations. In 2020 alone, dozens of brands, from Garmin to Jack Daniels, have been forced to disclose that their networks were breached and their data encrypted by a motley crew of global criminal organizations. 

While much of the attention around ransomware attacks has focused on the methods by which threat actors worm their way inside the network, one critical aspect of these attacks is often overlooked: attacker dwell time, which represents the length of time an interloper remains undetected inside the network.

Related Content:

Deadly Ransomware Story Continues to Unfold

The Threat from the Internet—and What Your Organization Can Do About It

New on The Edge: A Hacker's Playlist

For the better part of the last decade, the majority of ransomware attacks were of the smash-and-grab variety in which the successfully deployed malicious file would encrypt as many files and machines as quickly possible before revealing itself in the form of a lock screen. More recently, ransomware operators are sticking around, lurking in the network shadows to conduct reconnaissance and patiently lying in wait in order to identify higher-value assets to compromise.

While the average attack dwell time for ransomware is relatively brief compared to other malware strains — 43 days on average for ransomware versus months or even years for more persistent threats — each passing day that it remains undetected presents an attacker with new opportunities to unleash their wrath and line their pocketbooks.

A New Generation of Emboldened Attackers
Over the past decade, ransomware has become the preferred malware vehicle for hackers and criminal organizations alike. Not only are there tens of thousands of variants that security teams need to defend against, but the threat actors themselves are no longer following the same playbook. 

The group behind the Sodinokibi strain of ransomware is but one example of an operator that has succeeded in finding creative ways to maximize their returns by stealing data before crypto-locking a target's systems and then threatening to leak or auction stolen data unless their victims pay up.

Other criminal groups such as REvil have essentially democratized ransomware by making it dead simple for wannabe hackers and script kiddies to perpetrate their own attacks by offering affordable and easy-to-use malware-as-a-service subscription. These models also enable the operators to further monetize their efforts by employing affiliate models in which they receive a percentage of any ransoms paid — and offload their risk since they are not themselves spearheading the attack.

Ransomware operators are also feeling emboldened by the massive number of people now working remotely due to the pandemic, exploiting known security vulnerabilities in remote-desktop protocols, and preying on the poor security practices of a workforce that is unfamiliar with proper remote security protocols.

Why Attacker Dwell Time Is a Critical Metric
As ransomware operators shift their objectives to a quality over quantity approach, so must the focus of security teams evolve from a mindset of keeping threat actors out at all costs to assuming they're already inside. 

When attackers are able to remain undetected inside a network they may spend weeks or months exploring it in depth, trying to escalate privileges and leverage those permissions to push ransomware onto as many endpoint devices as possible. They can also use this time to identify critical network resources, such as system backups, network segments storing sensitive data, and other key systems that can be used to disseminate their ransomware widely. 

3 Ways to Reduce Attacker Dwell Time
While an ounce of prevention is certainly worth a pound of cure, security teams must re-think the existing security paradigm of trying to keep attackers out of key networking assets and rather assume that they are already inside. The goal of course is to keep bad actors out but as Mike Tyson elegantly put it, "Everyone's got a plan until they get hit in the face." 

So while it may not be possible to always keep intruders out entirely, you can take some immediate steps to limit its impact by embracing some of the following initiatives:

  • Intentionally Measure Compromise: Regular penetration testing and threat hunting are the hallmarks of a mature security practice, yet they are also out of reach for many. Adopting a framework of continuous compromise assessment enables security teams to integrate the various network and event management feeds that an enterprise already collects so they can measure their compromise level at a more granular level.
  • Correlate Network Intelligence: Attackers use the network as their port of entry and also must use it to move laterally, communicate with their command servers, and eventually exfiltrate data. All of this movement throws off scraps of metadata, whether from trying to resolve a DNS query or scanning the firewall for open ports. By correlating these small bits of data into a unified view, network defenders can make a clear determination as to whether their network is communicating with an adversary's infrastructure. 
  • Enforce a Zero Trust Framework: Zero trust is among the hottest topics in network security as it seeks to replace the conventional trust-but-verify model with a software-defined layer that can more easily enforce least-privilege access and micro-segmentation across the network. From the perspective of a ransomware attack, this will make it much more difficult for an attacker to hop across the network and escalate privileges. 

Ransomware operators will no doubt continue to find novel ways to breach the network and plant their executables. The real challenge won't be halting them outside the gate but rather to illuminate the many blind spots in the network so we can prevent minor incidents from becoming full-blown data breaches.

Ricardo Villadiego is the founder and CEO of Lumu, a cybersecurity company focused on helping organizations measure compromise in real-time. Prior to LUMU, Ricardo founded Easy Solutions, a leading provider of fraud prevention solutions that was acquired by Cyxtera in 2017 as ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
CDVillan
50%
50%
CDVillan,
User Rank: Apprentice
10/1/2020 | 10:34:41 AM
Detailed Input on Attackers
Nice emphasis and importance on attacker dwell time
fernandocuervo1
100%
0%
fernandocuervo1,
User Rank: Apprentice
9/30/2020 | 4:34:28 PM
Amazing blog
Insightful information about ransomware and how to detect it faster. 
mlobato1285
100%
0%
mlobato1285,
User Rank: Apprentice
9/30/2020 | 4:05:18 PM
Interesting perspective
Good read and perspective on ransomware's direct correlation with dwell time. 
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
US Counterintelligence Director & Fmr. Europol Leader Talk Election Security
Kelly Sheridan, Staff Editor, Dark Reading,  10/16/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-26895
PUBLISHED: 2020-10-21
Prior to 0.10.0-beta, LND (Lightning Network Daemon) would have accepted a counterparty high-S signature and broadcast tx-relay invalid local commitment/HTLC transactions. This can be exploited by any peer with an open channel regardless of the victim situation (e.g., routing node, payment-receiver,...
CVE-2020-26896
PUBLISHED: 2020-10-21
Prior to 0.11.0-beta, LND (Lightning Network Daemon) had a vulnerability in its invoice database. While claiming on-chain a received HTLC output, it didn't verify that the corresponding outgoing off-chain HTLC was already settled before releasing the preimage. In the case of a hash-and-amount collis...
CVE-2020-5790
PUBLISHED: 2020-10-20
Cross-site request forgery in Nagios XI 5.7.3 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link.
CVE-2020-5791
PUBLISHED: 2020-10-20
Improper neutralization of special elements used in an OS command in Nagios XI 5.7.3 allows a remote, authenticated admin user to execute operating system commands with the privileges of the apache user.
CVE-2020-5792
PUBLISHED: 2020-10-20
Improper neutralization of argument delimiters in a command in Nagios XI 5.7.3 allows a remote, authenticated admin user to write to arbitrary files and ultimately execute code with the privileges of the apache user.