santiago silver - Fotolia
European firms take three times longer on average than the rest of the world to find cyber attackers in their systems, a report has revealed.
The average time to make a discovery in the past year was 469 days after the initial compromise, versus an average of 146 days globally, according to the latest M-Trends report by Mandiant, a FireEye company.
The report, based on investigations by Mandiant in the past year, reveals that attackers are able to steal an average of 2.6GB, potentially down to the fact they are able to infiltrate the network for so long, said the first M-Trends report for Europe, Middle-East and Africa.
According to Mandiant, the global average dwell time of 146 days – between compromise and detection – is influenced by data from the US, where the security maturity baseline is higher and proactive threat hunting is slowly becoming common in security operations centres (Socs) for advanced investigations.
“This region is still very much in the infancy of proactively hunting for cyber criminals in networks,” said Bill Hau, vice-president of Mandiant.
“Apart from a few leading-edge organisations, most are on the defensive architecture, tending to wait until they are attacked before taking action, while they need a more proactive approach to find malicious actors hiding in organisations’ IT environments,” he told Computer Weekly.
Organisations should aim to be able to find any attackers operating in their networks, said Hau, or at the very least know that they have been breached and what data the attackers have compromised.
The report notes that an average of 15 months’ dwell time provides ample time for any attacker to progress through the full attack lifecycle and achieve multiple goals within their mission objectives.
Read more about cyber attacker dwell time
- A key object of the Forcepoint Triton security platform is to minimise the time between compromise and remediation, known as “dwell time”.
- In striving to mitigate external threats and reduce dwell time, companies must invest in a holistic approach to security.
- The longer an infection dwells before discovery and remediation, the greater the odds of data exfiltration.
To put this into perspective, the report said Mandiant’s Red Team, on average, is able to obtain access to domain administrator credentials within three days of gaining initial access to an environment.
“Therefore, once domain administrator credentials are stolen, it is only a matter of time before an attacker is able to locate and gain access to the desired information,” the report said.
From a forensic investigation point of view, investigators must hunt for threat actors posing as an insider, the report said.
Mandiant observed that an attacker used an average of 37 user accounts and seven administrator-level accounts during a compromise.
“Determining which compromised credentials were utilised during any one attack is crucial to pulling the pieces of the puzzle together,” the report said.
According to the report, the findings show that existing security controls in organisations in the region are not up to the challenge of stopping or consistently detecting advanced threat actors.
Externally sourced threat detection
The report said businesses in the region also cannot rely on local government and law enforcement agencies for a notification of compromise, with only 12% of threats detected by an external source.
This is a stark contrast with global figures, where external sources accounted for 53% of detections.
While businesses in the region were able to discover breaches themselves 88% of the time, the report said the average dwell time of 469 days suggests this often came too late.
Threat actors are evolving their tools, technologies and procedures at a pace that is difficult for regional government agencies to keep up with. As such, organisations’ security strategies need to keep up with this evolving threat landscape, the report said.
However, this process does not need to be wholly internal, the report said, adding that it can be beneficial to partner with organisations that can offer experience and specialist advice to defend and react to threats.
“Agencies often lack visibility into what is actually going on, and those that do have the visibility do not have the mandate to notify organisations if they have been compromised because that is not what they are set up to do,” said Hau.
However, he said the new legislation in Europe, such as the General Data Protection Regulation (GDPR) and Network Information Security (NIS) directive, is likely to have a positive impact in this regard because both introduce breach notification requirements.
Needle in the haystack
Analysis of breach investigations in the region in the past year also revealed that many organisations were re-compromised within months of an initial breach.
Unsuitable techniques to hunt for attacks within an environment often resulted in a failure to understand the true scope of the incident, the report said.
Mandiant found many organisations in the region still opting for a traditional forensic methodology of analysing only a handful of machines that are obviously linked to a compromise, and subsequently increasing the risk of becoming re-compromised.
“Advanced threat actors usually do not go one machine at a time. They hit the whole network, so you have to look at everthing,” said Hau.
Of the 40,167 systems Mandiant investigated on average, only 40 systems on average were compromised. This reinforces the fact that investigators are truly looking for the needle in the haystack when trying to determine the timeline of a breach, the report said.
Mandiant advocates a comprehensive investigation using high fidelity intelligence and a rapid scalable methodology covering every system in the environment. This approach enables the organisation to fully understand the scope, paving the way for successful remediation and eradication of the threat actor from their network, the report said.
“It is clear that organisations in the region have a lot of room to improve their incident detection and response capabilities,” the report said.