A text message delivers in 1 to 3 seconds. A Tesla accelerates from 0 to 60 mph in 2.5 seconds. A cheetah runs a mile in 90 seconds. The world is built for speed, but what happens when the bad actors of the cybersecurity world — nation-states, e-criminals, ideologically motivated hacktivists — get a taste of that need for speed?
In 2018, the average breakout time — a measure of the speed at which adversaries accomplish lateral movement in the victim’s environment after the initial compromise — was 4 hours and 37 minutes across all intrusions and threat actors, according to the 2019 Global Threat Report from cloud-native endpoint protection vendor CrowdStrike.
Compared to the previous year, when CrowdStrike reported an average breakout time of less than 2 hours, the longer figure reflects two things: a larger share of slow-moving threat actors in the cybercrime ecosystem, and organizations’ increased deployment of next-generation endpoint security technologies for detecting and stopping intrusions.
But for businesses of all types, breakout time remains a major concern. The sooner an intrusion is detected and isolated, the less damage it can cause, and even a four-hour period between penetration and breakout represents a major challenge.
CrowdStrike found the most secure companies identified threats within 1 minute, responded to them within 10 minutes and neutralized them within 60 minutes. Those that can meet this 1-10-60 standard “will be able to stay ahead of their adversary and stop a potential breach from occurring,” the company says.
Defenders “can’t waste a second when dealing with fast-moving actors, such as those affiliated with the Russian government,” the report says. It also cautions that, as defenders get better at hunting for and identifying intrusions, threat actors will keep trying to accomplish their mission as rapidly as possible.
Nation-States Continue to Increase Their Hacking Activity
CrowdStrike’s report compares the breakout speeds of Russian, Chinese, North Korean and Iranian bad actors, as well as others in the global cybercrime ecosystem. Among nation-states, Russia led the pack with its Bear group intrusions, which had an average breakout time of just 18 minutes and 49 seconds, based on what CrowdStrike saw among customers of its Falcon OverWatch platform.
“The Bear adversary group tended to be the fastest in terms of being able to move from their beachhead laterally into a particular environment,” said Jennifer Ayers, vice president of Falcon OverWatch and Security Response, during a recent webinar.
State-sponsored breakouts by North Korean entities operating various Chollima adversary groups also have some of the shortest breakout times — 2 hours and 20 minutes. These groups target the financial sector, monetizing their intrusions through cryptocurrency, fraudulent SWIFT transfers and ATM cash-outs.
Some Industries Are at Greater Cybersecurity Risk
Every business must be equipped to act quickly against threats. But some industries rank higher than others in state-sponsored intruders’ sights.
In the telecom industry, for example, infiltrators could have an impact through direct targeting; compromising vulnerable telecommunications equipment; or using lures referencing telecom services to support intelligence collection of personally identifiable information or to perform reconnaissance on network nodes connected to infected devices.
Conducting operations targeted at the telecom industry is a “force multiplier,” said Adam Meyers, vice president of intelligence at CrowdStrike; it opens the door to those who use ISPs — a huge customer base.
Breakout times for ransomware attacks are down to 9 hours and 42 minutes. Though that may not seem very fast, ransomware can be deployed across hundreds of systems in an organization, making it ripe for cybercriminals to reap major gains. Cybercrime operators using various Spider ransomware intrusions, for example, are estimated to have collected revenues to date of $11.9 million in their campaigns.
Breakout times are ultimately all about survival of the fastest. Knowing how quickly the strongest bad actors can compromise systems allows organizations not only to meet the 1-10-60 standard for responding to threats but also (as CrowdStrike indicates) to “adjust their target response times to meet their individual needs, based in part on which adversary types they are most likely to confront in their given business sector and regional focus.”
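As an added example (not code from the article or from CrowdStrike), the following Python computes breakout time and the three 1-10-60 intervals from constructed incident timelines and checks them against configurable targets, as the closing paragraph suggests. The event kinds, the timestamps, and the choice to measure the 10- and 60-minute windows from the moment of detection are assumptions of this example.

```python
from datetime import datetime, timedelta

# Constructed sample incident timelines (not from the report). Each event is a
# (kind, ISO-8601 timestamp) pair; kinds map to the metrics the article describes.
INCIDENTS = {
    "inc-A": [  # caught early: detected before the adversary broke out
        ("initial_compromise", "2019-03-01T09:00:00"),
        ("detected",           "2019-03-01T09:00:45"),
        ("response_started",   "2019-03-01T09:08:00"),
        ("lateral_movement",   "2019-03-01T09:18:49"),
        ("contained",          "2019-03-01T09:55:00"),
    ],
    "inc-B": [  # caught late: breakout happened before the first alert
        ("initial_compromise", "2019-03-02T13:00:00"),
        ("lateral_movement",   "2019-03-02T15:20:00"),
        ("detected",           "2019-03-02T15:30:00"),
        ("response_started",   "2019-03-02T16:00:00"),
        ("contained",          "2019-03-02T18:00:00"),
    ],
}

# The 1-10-60 benchmark as default targets; callers substitute their own values.
DEFAULT_TARGETS = {"detect": timedelta(minutes=1), "respond": timedelta(minutes=10),
                   "neutralize": timedelta(minutes=60)}

def _first(events, kind):
    """Earliest timestamp for an event kind, or None if it never occurred."""
    stamps = [datetime.fromisoformat(t) for k, t in events if k == kind]
    return min(stamps) if stamps else None

def incident_metrics(events):
    """Breakout time (compromise to first lateral movement) and the three 1-10-60
    intervals. Assumption: the 10- and 60-minute windows start at detection."""
    t0, lateral = _first(events, "initial_compromise"), _first(events, "lateral_movement")
    detected, responded = _first(events, "detected"), _first(events, "response_started")
    contained = _first(events, "contained")
    span = lambda a, b: b - a if a is not None and b is not None else None
    return {"breakout": span(t0, lateral), "detect": span(t0, detected),
            "respond": span(detected, responded), "neutralize": span(detected, contained)}

def meets_targets(metrics, targets=DEFAULT_TARGETS):
    """Per-interval pass/fail against the targets; a missing interval is a miss."""
    return {k: metrics[k] is not None and metrics[k] <= t for k, t in targets.items()}

def mean_breakout(incidents):
    """Average breakout time over incidents in which lateral movement was observed."""
    spans = [m["breakout"] for m in map(incident_metrics, incidents.values()) if m["breakout"] is not None]
    return sum(spans, timedelta()) / len(spans) if spans else None
```

Incidents with no observed lateral movement are excluded from the mean rather than counted as zero, so a quickly contained intrusion does not artificially shrink the average.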