Russian state-backed actors, the ‘bears’ in CrowdStrike’s naming scheme, are the fastest at turning an initial foothold into the lateral movement that precedes a data breach, according to the 2019 Global Threat Report from CrowdStrike. This matters because knowing how quickly attackers can move across your network is central to getting to grips with the 1-10-60 rule, and that in turn determines how likely you are to stop an intrusion before it becomes a breach.
The CrowdStrike Threat Graph, the company’s cloud-hosted database of endpoint telemetry, is described as the source of the breakout time metric: the time between an attacker’s initial compromise of a host and the start of lateral movement to other systems in the targeted environment. Breakout time matters for defenders because it represents the window of opportunity; it is the time limit for detecting, containing or remediating an intrusion before the attackers have spread widely enough through a network to pull off a major data breach. For the 2019 report, CrowdStrike analysts dug deeper into the Threat Graph data and calculated breakout times for attributed incidents in order to determine just how fast the major nation-state and criminal actors have become.
Russian nation-state actors, known colloquially as bears, have the fastest breakout times by a wide margin. The report calls it ‘quite remarkable’ that these Russia-based threat actors are almost eight times as fast as their nearest competitors. While the Russian bears took an average of just 18 minutes and 49 seconds to start moving laterally into other network systems, the North Korean nation-state ‘chollimas’ took two hours and 20 minutes to break out. To put this into even more context, Chinese ‘pandas’ were third fastest at a little over four hours (four hours and 26 seconds), followed by Iranian ‘kittens’ with a breakout time of five hours and nine minutes. Criminal gangs, which tend to be far less well resourced than nation-state actors, took nine hours and 42 minutes.
Let’s not get too carried away by the speed factor here; it’s far from being the only indicator of sophistication and success when looking at threat actors. However, it does provide a very useful benchmark for the operational capability of the various attackers who might come after your data. This matters because how long it takes your organization to detect an intrusion, investigate that incident and then respond to it determines how likely you are to prevent attackers from escalating an intrusion into a breach. This is the thinking behind the ‘1-10-60’ rule: you should aim to detect an intrusion in no more than one minute, investigate it fully in less than ten minutes and remediate it in less than an hour. In that context it is clear that Russian bears are proving to be the most troublesome adversaries to defend your data against.
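To make the relationship between breakout time and the 1-10-60 rule concrete, here is an added worked example in Python. It is not code from the CrowdStrike report or from this article: the incident records are constructed for illustration, and the timings of the first two borrow the report’s published averages (18:49 for Russia-based actors, 9:42:23 for criminal actors) as if they were single incidents. It also assumes that each of the three 1-10-60 phases is measured from the end of the previous one, which the rule as quoted does not spell out.

```python
"""Measure the defender's window against attacker breakout time.

Added worked example, not code from the CrowdStrike report or this article.
All incident records below are constructed for illustration; two of them
borrow the report's published averages (18:49 for Russia-based actors,
9:42:23 for eCrime) as the breakout time of a hypothetical incident.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# 1-10-60 targets. Assumption: each phase is measured from the end of the
# previous one (detect from initial compromise, investigate from detection,
# remediate from the end of investigation).
DETECT_TARGET = timedelta(minutes=1)
INVESTIGATE_TARGET = timedelta(minutes=10)
REMEDIATE_TARGET = timedelta(minutes=60)


def hms(text: str) -> timedelta:
    """Parse 'H:MM:SS' into a timedelta."""
    h, m, s = (int(part) for part in text.split(":"))
    return timedelta(hours=h, minutes=m, seconds=s)


@dataclass
class Incident:
    name: str
    initial_compromise: datetime            # first malicious execution on the beachhead host
    first_lateral_move: Optional[datetime]  # first activity on a second host; None if never observed
    detected: datetime                      # first alert raised
    investigated: datetime                  # scope and root cause established
    remediated: datetime                    # attacker access removed


def breakout_time(inc: Incident) -> Optional[timedelta]:
    """Initial compromise to first lateral movement: the defender's window."""
    if inc.first_lateral_move is None:
        return None
    return inc.first_lateral_move - inc.initial_compromise


def response_phases(inc: Incident):
    """(detect, investigate, remediate) durations, each from the prior phase's end."""
    return (
        inc.detected - inc.initial_compromise,
        inc.investigated - inc.detected,
        inc.remediated - inc.investigated,
    )


def meets_1_10_60(inc: Incident) -> bool:
    detect, investigate, remediate = response_phases(inc)
    return (detect <= DETECT_TARGET
            and investigate <= INVESTIGATE_TARGET
            and remediate <= REMEDIATE_TARGET)


def contained_before_breakout(inc: Incident) -> bool:
    """True when remediation finished before the attacker moved laterally.
    An intrusion that never moved laterally counts as contained in time."""
    if inc.first_lateral_move is None:
        return True
    return inc.remediated <= inc.first_lateral_move


def summarize(incidents):
    """Mean breakout over incidents where lateral movement was observed,
    plus how many incidents met 1-10-60 and how many beat the breakout."""
    breakouts = [bt for bt in map(breakout_time, incidents) if bt is not None]
    mean_breakout = sum(breakouts, timedelta()) / len(breakouts) if breakouts else None
    return {
        "mean_breakout": mean_breakout,
        "met_1_10_60": sum(meets_1_10_60(i) for i in incidents),
        "contained_before_breakout": sum(contained_before_breakout(i) for i in incidents),
        "total": len(incidents),
    }


T0 = datetime(2019, 3, 1, 9, 0, 0)  # constructed reference time

# Constructed incidents (hypothetical; not real cases).
INCIDENTS = [
    # Attacker at bear speed; the team hits every 1-10-60 target and still loses the race.
    Incident("bear-speed intrusion", T0, T0 + hms("0:18:49"),
             T0 + hms("0:00:45"), T0 + hms("0:08:00"), T0 + hms("0:55:00")),
    # Attacker at eCrime speed; detection is too slow for 1-10-60 but still beats breakout.
    Incident("ecrime-speed intrusion", T0, T0 + hms("9:42:23"),
             T0 + hms("0:03:00"), T0 + hms("0:30:00"), T0 + hms("2:00:00")),
    # Caught on the beachhead host; no lateral movement ever observed.
    Incident("single-host intrusion", T0, None,
             T0 + hms("0:00:30"), T0 + hms("0:05:00"), T0 + hms("0:20:00")),
]

if __name__ == "__main__":
    for inc in INCIDENTS:
        print(f"{inc.name}: breakout={breakout_time(inc)}, "
              f"1-10-60={meets_1_10_60(inc)}, "
              f"contained before breakout={contained_before_breakout(inc)}")
    print(summarize(INCIDENTS))
```

The first constructed incident is the point of the exercise: the 1-10-60 targets add up to 71 minutes end to end, which is already longer than the 18 minute 49 second average breakout reported for Russia-based actors, so a team that hits every 1-10-60 target can still be remediating after a bear has moved on to a second host. Against the slower criminal actors the same team has hours of slack. Run over your own incident timeline data, the summary tells you which of those two situations you are in.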
For the whole of 2018, across all intrusions analyzed by CrowdStrike and all threat actor categories, the average breakout time was four hours and 37 minutes. That is a substantial slowdown from the average of one hour and 58 minutes recorded in 2017. Whether this reflects more effective intrusion detection and response on the defenders’ side, a larger share of intrusions by the slower-moving actors in the 2018 sample, or both is hard to determine from the averages alone. It is likely to be a combination of the two, and the aggregate figure should not obscure the fact that the fastest nation-state adversaries remain highly focused in their choice of targets.
That focus isn’t great news in and of itself, especially if your business happens to be in the telecom sector. The CrowdStrike report notes several trends that point to state-sponsored campaigns aimed at telecommunications, including direct attacks on telecom companies and the compromise of vulnerable telecom hardware. “Several suspected China-based actor groups were linked to telecom targeting,” the report states, continuing, “with some incidents demonstrating a specific interest in using telecom access or lures to enable operations against government sector targets in Asia.” The number of campaigns observed suggests, according to CrowdStrike, an expansion of China-based cyber espionage operations to a larger scale.
One thing seems pretty certain, as the report itself concludes: targeted intrusion adversaries will continue conducting campaigns in support of their nation-state’s national, economic and political strategies. Both China and Russia will continue to use cyber capabilities to gain situational awareness of neighboring states and of rivals further afield. The government, defense and NGO sectors will remain in the cross-hairs of these campaigns, and attackers will keep targeting upstream providers, in telecommunications and managed services alike, to support them. Oh, and don’t expect the bears, chollimas, pandas or kittens to get any slower either, so get working on tweaking your 1-10-60 compliance strategy…