Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/30/2020
10:00 AM
Connect Directly
LinkedIn
Twitter
Facebook
RSS
E-Mail vvv
100%
0%

Attacker Dwell Time: Ransomware's Most Important Metric

How to bolster security defenses by zeroing in on the length of time an interloper remains undetected inside your network.

Ransomware remains one of the most pervasive and insidious security threats to enterprise organizations. In 2020 alone, dozens of brands, from Garmin to Jack Daniels, have been forced to disclose that their networks were breached and their data encrypted by a motley crew of global criminal organizations. 

While much of the attention around ransomware attacks has focused on the methods by which threat actors worm their way inside the network, one critical aspect of these attacks is often overlooked: attacker dwell time, which represents the length of time an interloper remains undetected inside the network.

Related Content:

Deadly Ransomware Story Continues to Unfold

The Threat from the Internet—and What Your Organization Can Do About It

New on The Edge: A Hacker's Playlist

For the better part of the last decade, the majority of ransomware attacks were of the smash-and-grab variety in which the successfully deployed malicious file would encrypt as many files and machines as quickly possible before revealing itself in the form of a lock screen. More recently, ransomware operators are sticking around, lurking in the network shadows to conduct reconnaissance and patiently lying in wait in order to identify higher-value assets to compromise.

While the average attack dwell time for ransomware is relatively brief compared to other malware strains — 43 days on average for ransomware versus months or even years for more persistent threats — each passing day that it remains undetected presents an attacker with new opportunities to unleash their wrath and line their pocketbooks.

A New Generation of Emboldened Attackers
Over the past decade, ransomware has become the preferred malware vehicle for hackers and criminal organizations alike. Not only are there tens of thousands of variants that security teams need to defend against, but the threat actors themselves are no longer following the same playbook. 

The group behind the Sodinokibi strain of ransomware is but one example of an operator that has succeeded in finding creative ways to maximize their returns by stealing data before crypto-locking a target's systems and then threatening to leak or auction stolen data unless their victims pay up.

Other criminal groups such as REvil have essentially democratized ransomware by making it dead simple for wannabe hackers and script kiddies to perpetrate their own attacks by offering affordable and easy-to-use malware-as-a-service subscription. These models also enable the operators to further monetize their efforts by employing affiliate models in which they receive a percentage of any ransoms paid — and offload their risk since they are not themselves spearheading the attack.

Ransomware operators are also feeling emboldened by the massive number of people now working remotely due to the pandemic, exploiting known security vulnerabilities in remote-desktop protocols, and preying on the poor security practices of a workforce that is unfamiliar with proper remote security protocols.

Why Attacker Dwell Time Is a Critical Metric
As ransomware operators shift their objectives to a quality over quantity approach, so must the focus of security teams evolve from a mindset of keeping threat actors out at all costs to assuming they're already inside. 

When attackers are able to remain undetected inside a network they may spend weeks or months exploring it in depth, trying to escalate privileges and leverage those permissions to push ransomware onto as many endpoint devices as possible. They can also use this time to identify critical network resources, such as system backups, network segments storing sensitive data, and other key systems that can be used to disseminate their ransomware widely. 

3 Ways to Reduce Attacker Dwell Time
While an ounce of prevention is certainly worth a pound of cure, security teams must re-think the existing security paradigm of trying to keep attackers out of key networking assets and rather assume that they are already inside. The goal of course is to keep bad actors out but as Mike Tyson elegantly put it, "Everyone's got a plan until they get hit in the face." 

So while it may not be possible to always keep intruders out entirely, you can take some immediate steps to limit its impact by embracing some of the following initiatives:

  • Intentionally Measure Compromise: Regular penetration testing and threat hunting are the hallmarks of a mature security practice, yet they are also out of reach for many. Adopting a framework of continuous compromise assessment enables security teams to integrate the various network and event management feeds that an enterprise already collects so they can measure their compromise level at a more granular level.
  • Correlate Network Intelligence: Attackers use the network as their port of entry and also must use it to move laterally, communicate with their command servers, and eventually exfiltrate data. All of this movement throws off scraps of metadata, whether from trying to resolve a DNS query or scanning the firewall for open ports. By correlating these small bits of data into a unified view, network defenders can make a clear determination as to whether their network is communicating with an adversary's infrastructure. 
  • Enforce a Zero Trust Framework: Zero trust is among the hottest topics in network security as it seeks to replace the conventional trust-but-verify model with a software-defined layer that can more easily enforce least-privilege access and micro-segmentation across the network. From the perspective of a ransomware attack, this will make it much more difficult for an attacker to hop across the network and escalate privileges. 

Ransomware operators will no doubt continue to find novel ways to breach the network and plant their executables. The real challenge won't be halting them outside the gate but rather to illuminate the many blind spots in the network so we can prevent minor incidents from becoming full-blown data breaches.

Ricardo Villadiego is the founder and CEO of Lumu, a cybersecurity company focused on helping organizations measure compromise in real-time. Prior to LUMU, Ricardo founded Easy Solutions, a leading provider of fraud prevention solutions that was acquired by Cyxtera in 2017 as ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
CDVillan
50%
50%
CDVillan,
User Rank: Apprentice
10/1/2020 | 10:34:41 AM
Detailed Input on Attackers
Nice emphasis and importance on attacker dwell time
fernandocuervo1
100%
0%
fernandocuervo1,
User Rank: Apprentice
9/30/2020 | 4:34:28 PM
Amazing blog
Insightful information about ransomware and how to detect it faster. 
mlobato1285
100%
0%
mlobato1285,
User Rank: Apprentice
9/30/2020 | 4:05:18 PM
Interesting perspective
Good read and perspective on ransomware's direct correlation with dwell time. 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Modern Day Insider Threat: Network Bugs That Are Stealing Your Data
David Pearson, Principal Threat Researcher,  10/21/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27187
PUBLISHED: 2020-10-26
An issue was discovered in KDE Partition Manager 4.1.0 before 4.2.0. The kpmcore_externalcommand helper contains a logic flaw in which the service invoking D-Bus is not properly checked. An attacker on the local machine can replace /etc/fstab, and execute mount and other partitioning related command...
CVE-2020-7752
PUBLISHED: 2020-10-26
This affects the package systeminformation before 4.27.11. This package is vulnerable to Command Injection. The attacker can concatenate curl's parameters to overwrite Javascript files and then execute any OS commands.
CVE-2020-7127
PUBLISHED: 2020-10-26
A remote unauthenticated arbitrary code execution vulnerability was discovered in Aruba Airwave Software version(s): Prior to 1.3.2.
CVE-2020-7196
PUBLISHED: 2020-10-26
The HPE BlueData EPIC Software Platform version 4.0 and HPE Ezmeral Container Platform 5.0 use an insecure method of handling sensitive Kerberos passwords that is susceptible to unauthorized interception and/or retrieval. Specifically, they display the kdc_admin_password in the source file of the ur...
CVE-2020-7197
PUBLISHED: 2020-10-26
SSMC3.7.0.0 is vulnerable to remote authentication bypass. HPE StoreServ Management Console (SSMC) 3.7.0.0 is an off node multiarray manager web application and remains isolated from data on the managed arrays. HPE has provided an update to HPE StoreServ Management Console (SSMC) software 3.7.0.0* U...