One of the many tasks data breach investigators assume is determining how long a bad actor has been occupying a network. They determine how much information was taken, what specifically could have been accessed and over what time period.
For about 50 percent of breaches, the time between initial compromise and detection—known as dwell time – is less than 24 hours. But sometimes, hackers can dwell for weeks, months or even years within a network.
This is made possible in part by a widespread data surplus. The more data, the more places for attackers to hide. Hackers are able to enter a network while IT and security teams are preoccupied with false positives, usually through less monitored vectors like an unprotected cloud server, shared desktop or connected smart device. Once they’ve entered, they jump laterally to access data spread through the organization. Traditional approaches to security analysis require manually prioritizing and sifting through endless data logs to locate these potential leaks, which can waste precious time.
Even when internal or external adversaries are caught within a few weeks, that’s already far too long for them to be lurking on the network. We’ve seen time and time again that the monetary cost hits hard, but the reputational damage could hit even harder.
One of the reasons the Equifax breach stunned many people was the fact that the security vulnerability exploited by the attackers was left open for 78 days. Equifax admitted to knowing about the vulnerability for months before data was ever stolen, however they cited misreporting in their vulnerability scans as to why the affected system was not remediated in a timely manner. The company reached a settlement with the Federal Trade Commission (FTC) in 2019 that included $300 million to a victim fund and $100 million in fines to the Consumer Financial Protection Bureau (CFPB). The FTC created an online resource where affected individuals could file a claim against Equifax, and its stocks dropped 13 percent the day after the breach was made public. Needless to say, it will be a while until Equifax bounces back both financially and with its scored customers.
In a similar situation last week, the UK’s Information Commissioner’s Office (ICO) announced it will fine Hong Kong airline Cathay Pacific £500,000 for a breach that happened in 2018 that claimed the personal information of 9.4 million passengers. Under the current GDPR mandates, companies are required to report a notifiable data breach within 72 hours, yet the airline admitted it took them six months to investigate and then notify the ICO. The investigation uncovered some rather shocking truths, firstly that the earliest known date of unauthorised access to Cathay Pacific’s network was October 2014. The suspected method of access was via exploiting a publicized vulnerability, which had been classified as low complexity – meaning little skill was required to exploit it, and the fix was readily available. Having then dropped credential harvesting malware onto a system, the attackers were presented with an almost perfect storm – an open door, an unencrypted database, and unsupported operating systems. This provided ideal conditions for them to collect credentials, and move laterally throughout the organization until March 22, 2018 when the bad actor was removed. This means that whoever breached Cathay Pacific’s systems could have had almost four years of unauthorized and undiscovered access to the company’s data, including passengers’ personal details.
According to FireEye’s M-Trends 2020 report, the median dwell time in APAC is 94 days, which is a considerable improvement from 498 days two years ago. While global median dwell times are shortening, repeat attacks are on the rise, with Mandiant reporting 31 percent of organizations seeing a second incident within 12 months of the first. These figures demonstrate that, while organizations are making progress, far more emphasis on time-to-detection is required.
The sooner teams can detect breaches, the more chance they have of minimizing both the financial and reputational impact. Airlines and other organizations in the aviation industry experience huge surges in activity during the peak holiday season, and this can leave security teams overwhelmed with alerts and prone to missing key pieces of early insight into an attack.
Deploying advanced behavior analytics is a much faster way for IT to locate anomalous and suspicious behavior. Since behavior analytics use pre-existing security incident timelines, they already know the full scope and context of related event details. Analysts no longer have to comb through massive amounts of raw logs to manually create a timeline as part of an investigation. This has the potential to significantly reduce attacker dwell time and can identify a breach before unauthorized access to data occurs.
Especially under new mandates such as the GDPR, organizations simply cannot afford to allow hackers to dwell within their networks for long periods of time. The best way to cut down on dwell time is to deploy advanced behavioral analysis to make it easier – rather, possible – for teams to weed through false positives and data logs to pinpoint and prioritize real threats and risky behaviors to an organization and act quickly.