The biggest sea change in private enterprise cybersecurity trends in recent years has been an increasing need to account for state-sponsored hackers. These tend to be the best and brightest in the world; at the least they’re the best-funded and best-equipped. And they’ve shown willingness to target even SMEs on a regular basis; for example, as a means of illicit funding (see North Korea) or as a means of conducting psy-ops and disinformation campaigns (see Russia). All of this means that even SMEs need to have a cyber response capable of keeping up with these advanced threat actors.
Leading cybersecurity firm CrowdStrike released an annual report chronicling breach attempts in the previous year, and the 2019 Global Threat Report is the first to rank the world’s top cyber adversary categories. One of the main determiners of this ranking is the time each group takes on average to gain illicit access to a target’s network (“breakout time”).
The short version is that these groups on average need only a few hours to penetrate a network, and the fastest of them tend to do it in under 20 minutes.
The fastest hackers in the world
According to CrowdStrike, the average breakout time for each group is as follows:
- Russia: About 19 minutes
- North Korea: About 2.3 hours
- China: About four hours
- Iran: About five hours
- Independent cyber criminals: About 9.5 hours
Overall average breakout time: 4 hours and 37 minutes.
The study notes that though independent criminals are usually significantly slower than nation-state actors, the very best of them are at least on par with North Korea and China’s cyber espionage operations in terms of breakout time.
Russia clearly stands head and shoulders above the rest of the world in state-sponsored hacking prowess, with an average breakout time of under 20 minutes – eight times as fast as the next best group. Since Russia’s central focus is geopolitics and destabilization of its nation-state adversaries (“big game hunting”), most SMEs (and even enterprise-scale businesses) don’t have much of a reason to believe they’ll draw the special attention of the “big bears” of the hacking world.
North Korean hackers are second on the list, however, and the reclusive country has been known to engage in large-scale petty criminality (sometimes not so petty) for profit.
Regardless of an individual organization’s risk level, this study provides some concrete goalposts in terms of cyber response time. No matter the source, it’s realistic to expect any capable and determined attacker to have gained access to a network within a matter of hours.
Exfiltration and cyber response time
These numbers certainly appear frightening at first look, and might initially seem like an insurmountable challenge. However, it’s important to keep in mind that breakout speed in this context represents the first escalation of access privileges – not necessarily complete control of a network, or even access to sensitive data.
To frame it with a real-world example, the breakout time would be the point at which a hacker moves from their phishing email target’s account to some broader level of access to the system – whatever it might be. This pace is in keeping with numerous other cybersecurity studies, which have tended to find that compromised sensitive data is mostly exfiltrated over a period of days following the initial breach.
In an ideal world, IT departments would be able to instantly detect and lock down an intrusion within minutes. In reality, that’s expecting far too much for most organizations. CrowdStrike CEO Dmitri Alperovitch advocates the “1-10-60” standard, or a full investigation within 10 minutes followed by complete removal of the ecrime actors within 60 minutes. While this sort of standard may be necessary for extremely high value and nation-state targets locked in a hacking “arms race” against each other, it’s probably going to be beyond the reach of the average company just looking to avoid theft and damage.
However, a cyber response plan that stops breaches within 8 to 12 hours is definitely a realistic minimum goal for any company of any size. This type of response time usually keeps unauthorized data access minimal and to non-critical areas, and prevents the sort of massive data leaks that cost companies millions of dollars. This response time will also keep standard adversary groups from moving beyond their point of entry in any significant way.
Staying on the pace
CrowdStrike’s 1-10-60 incident response standard would be fantastic in an ideal world; it might just about put an end to cyber crime if everyone could implement it.
However, it’s important to remember that they’re also selling a related security product. A 2018 study by Mandiant reveals that the majority of companies are way off that mark. The average containment time in 2017 was five days for network intrusions. However, that is the containment time after detection. The average time to detection was a staggering 66 days.
Clearly, there is a lot of room for companies to improve their cyber response times across the board. However, most companies also do not have to worry about meeting the impossible standard of detecting and stopping the best hackers in the world within an hour. The standard cyber criminal breakout time is a more realistic benchmark to curtail, and one that is achievable primarily through proper preparation.
Lack of an established plan that is disseminated throughout the organization is usually the main thing that trips up victims of cyber attacks. And when a plan is in place, it’s usually a lack of training and communication of individual responsibilities to all involved parties that ends up severely delaying the containment and cleanup.
In an ideal situation, a company would have a dedicated cyber response team to respond to any incidents. This team immediately evaluates the status of the current threat, and works from a well-established plan to take appropriate action based on the nature and status of the attack (usually divided into clear response protocols for high, medium and low incident severity). Incident responders have a high degree of threat intelligence and know precisely what to do in advance.
The cyber response strategy sprawls out to encompass many other aspects, including replacement of hardware / software and public relations after the fact. The most critical part is identification and containment, however. A third-party retainer that specializes in security and cyber response may make the most sense in handling this aspect, particularly if the company has little to nothing in terms of dedicated full-time IT staff.