Security Think Tank: More time equals more opportunity for cyber attackers

The time taken by firms to detect breaches increased 40% to 175 days on average in 2017 compared with 2016, according to FireEye.

In extreme cases, this dwell time can be even longer. For instance, the GhostNet organised crime group successfully targeted government organisations in 103 countries over a two-year period, remaining undetected within networks for up to 660 days. While no one would disagree that we want attackers removed from systems sooner rather than later, what are the implications of long dwell times?

First, the longer attackers have access to an environment, the more they can learn about it. In one day, are they likely to discover which servers on a corporate network host trading or payment applications? Or HR or customer databases? How about when they have six months?

That time can be spent discovering every device on the network – from monitoring traffic to learn how to avoid intrusion detection systems, picking up password hashes and authentication tokens, and passively gaining tools and information to aid in the attack.

They may be able to identify which routes out of the network have the weakest protection, and conversely, which areas have very strong controls, implying they may be of additional interest to the attacker.

They will, given enough time, identify exactly which data exists on the network, which data they are interested in, how to exfiltrate that data, and crucially, how to cover their tracks and complete the intrusion. On completing the intrusion, they may do so by causing damage or quietly exiting undetected, possibly leaving a back door to gain access at a later date if required.

Second, the attack itself has a greater chance of succeeding if actions can be taken slowly. Many firewalls and intrusion detection systems use forms of statistical analysis to alert – this is often around a sudden spike or change in traffic flow.

Given enough time, a criminal siphoning data can slow the attack down to a level where it may look like normal network traffic noise, rather than attempt to send out gigabytes of data from a database, for example.

New data can also be gained over time, such as new oil well exploration or pharmaceutical research. If this arrives in an already compromised database, the attacker is positioned, ready and waiting, and only needs to exfiltrate it.

Third, a rushed attack can often be rolled back to a previous backup without too much trouble or data loss. If exploitation of a database occurs today and is discovered, restoring the database leaves only a short batch of transactions that may need to be updated, once the route in has been strengthened.

As a result, the business impact is low. Conversely, an attack that takes place over many months may mean long periods of compromised backups, requiring extensive manual work to rebuild from the last known successful backup. In extreme cases, reliance on these backups may not be possible as tapes deteriorate or are reused/recycled.

And finally, understanding how an attack took place is key to strengthening defensive controls. A “noisy” attack, which alerts intrusion detection systems, will leave a trail through logs on firewalls and servers, so the vulnerability exploited can be easily identified and rectified.

A stealthy attack that goes unnoticed can be impossible to analyse a year later, as even if the initial intrusion could be analysed to a specific point in time, logs may have been rotated out.