Those who’ve observed the cyber security industry for long enough know there’s a sliding scale to the severity of cyber crime. There are hacks on small companies, hacks on big companies, hacks that steal passwords and passports, and hacks that steal little more than a few profile pictures. There are hacks carried out by a nation state, and those carried out by conniving kids in their bedrooms. There are hacks that use malware, ransomware, and botnets. But worst of all are the hacks that last years.
In recent memory, both GoDaddy and News Corp were forced to admit hackers were roaming their IT estates for years.
Some might ask how organizations of this size, with robust IT teams, and huge spending on cyber security, might allow something like this to happen. How could hackers linger for so long?
What many don’t realize is that cyber security practitioners and security operations center (SOC) analysts triage a deluge of data every day, and connecting the dots between the faint signals passing through every second is a task that’s much, much easier said than done. Experts also say there are plenty of avoidable errors involved.
Breached for years: How hackers lay low
The first step for any cyber criminal looking to pull off a years-long hack is to find a way into a target’s network. Even when organizations make it difficult, there’s usually one entry point. Whether by using initial access brokers (IABs), exploiting vulnerabilities, or using employee credentials – the most effective of the three – they need to get in without tripping any alarms.
During the early days of a breach, hackers will do very little other than observe a business and how its people work. They’ll learn all the different processes that staff execute during a typical workday and use that knowledge to mask their movements around the network. There will be no intrusive actions (data exfiltration, vulnerability exploitation, lateral movement) until they know how to blend in with the everyday traffic being triaged by the organization’s SOC analysts.
Attackers usually indulge in one of two methods to remain undetected for extended periods of time. The first is when they use genuine compromised credentials and mimic that employee’s usual behavior – for example, accessing the same files and logging in and out from the same location and at the same time. This, experts tell us, is becoming increasingly more common through social engineering, email phishing attacks, and the use of IABs. It’s also highly difficult to detect because monitoring software won’t detect a change from the norm.
The other applies when an organization's monitoring tools aren’t configured well enough to detect intrusions or irregular account activity; this lack of visibility makes it hard to track a cyber criminal’s movements.
Sometimes it’s a mixture of both, but experts speaking to ITPro agree that misconfigured security controls, or bad security practices, play a more significant role in long-lasting data breaches.
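To make the two methods above concrete, here is an added example (not code from the article or from any vendor quoted in it) of the simplest possible per-account login baseline: each new login is scored against the hours, source countries and hosts that account has used before. A login that mimics the owner’s routine scores zero and passes silently, which is why stolen credentials are so hard to spot, while an account with no recorded history or a login that breaks the pattern is flagged. All events are constructed for the demo.

```python
# Added example (not from the article): score each login against a
# per-account baseline. A mimicking attacker scores 0; irregular
# activity scores high. Sample events are constructed.
from collections import defaultdict

# Constructed history: (user, hour_of_day, source_country, host)
HISTORY = [
    ("alice", 9, "GB", "fileserver01"), ("alice", 10, "GB", "fileserver01"),
    ("alice", 14, "GB", "hr-app"), ("alice", 16, "GB", "hr-app"),
]

def build_baseline(events):
    """Per-user sets of hours, source countries and hosts seen so far."""
    profile = defaultdict(lambda: {"hours": set(), "countries": set(), "hosts": set()})
    for user, hour, country, host in events:
        p = profile[user]
        p["hours"].add(hour); p["countries"].add(country); p["hosts"].add(host)
    return dict(profile)

def score_login(profile, event):
    """Return (score, reasons): one point per deviation from the baseline.
    An account with no history cannot be baselined, so it is flagged."""
    user, hour, country, host = event
    if user not in profile:
        return 3, ["no baseline for account"]
    p, reasons = profile[user], []
    if not any(abs(hour - h) <= 1 for h in p["hours"]):   # one hour of slack
        reasons.append("unusual hour")
    if country not in p["countries"]:
        reasons.append("new source country")
    if host not in p["hosts"]:
        reasons.append("new host")
    return len(reasons), reasons

def triage(history, new_events, threshold=2):
    """Return the (event, reasons) pairs an analyst should look at."""
    profile = build_baseline(history)
    return [(ev, r) for ev in new_events
            for s, r in [score_login(profile, ev)] if s >= threshold]

if __name__ == "__main__":
    new = [("alice", 10, "GB", "fileserver01"),      # blends in: not flagged
           ("alice", 3, "RU", "domain-controller")]  # stands out: flagged
    for ev, why in triage(HISTORY, new):
        print(ev, why)
```

The point of the demo is the silent first event: without a richer signal (device, session behaviour, data volumes) a well-mimicked login is indistinguishable from the legitimate user.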
“I think, more often than not, it's a problem at the organization level and with the victims,” Alex Hinchliffe, threat intelligence analyst at Unit 42, Palo Alto Networks tells ITPro.
“It's not to say that they're not trying hard to keep things safe… there are lots of different reasons why the goalposts are continually moving for these defenders and security teams. So, I don't blame many of them for the problems that some have encountered, but I think it's less about the sophisticated actors, and more about the general lack of security that causes the problems.”
Breached for years: The key facilitators
The average duration of a data breach, according to IBM’s Cost of a Data Breach report, was 277 days: 204 days to detect the breach and a further 73 days to contain it. The total cost of a data breach, meanwhile, was $4.45 million.
Credential theft is the most common factor in facilitating a data breach and one of the most difficult types of intrusion to detect, especially if attackers are blending in with normal traffic for that account. Regardless, common organizational failures in setting up and maintaining the security stack often lead to threats going unnoticed.
“From a technological side of things, in terms of the systems in play, there is a lack of what we kind of call a sort of comprehensive and consolidated architecture in an organization,” says Muhammad Yahya Patel, global cyber security evangelist, office of the CTO, at Check Point Software.
Patel adds that, too often, teams are left struggling to manage a huge selection of tools, few of which interoperate. Couple this with short-staffed security teams, some of whose members may have been trained on only a fraction of the products in use, and the situation will invariably lead to serious issues.
When you don’t have the right people to manage everything, misconfigurations can occur and alerts can be missed or triaged incorrectly. Spending the time to configure the product properly right at the initial implementation phase can save lots of headaches and missed detections down the line.
Some organizations are consolidating tools with different security capabilities into one management platform. They’re combining this with automating the process of sifting through network traffic and alerting SOC analysts to suspicious events. These two changes are making security personnel more effective and their lives much easier.
“I think automation plays a part,” says Hinchliffe. “In my experience, in many cases, it would be quite easy for signals to be lost in the noise, and if a couple are missed that’s potentially all that needs to happen for an attacker to get a foothold.”
But it’s not all down to tools not doing their jobs; the human element still plays a big role. Skills shortages leave teams stretched and without the time needed to learn how to set up a product correctly, for example, or properly understand how to triage a specific alert. Delivering cyber security training to staff also gets overlooked, which then snowballs into an increase in phishing incidents and, well, you know the rest.
Ultimately, the human element can often be boiled down to organization-level failings. Products work in silos and often so do other teams. It’s all too common a problem and it’s why the average time to remediate a breach is nigh on a year. That breaches are likely to happen is an accepted reality of the cyber security landscape. Although attackers have the advantage, experts say, organizations must implement cyber security best practices without excuse. When we encounter breaches lasting years on end, questions must then be asked of the victim and the state of their systems and processes.
Breached for years: The patching predicament
Nailing ‘the basics’ – multi-factor authentication (MFA), least privilege, zero trust, and early detection – has been at the heart of maintaining a robust security posture. But the priority should be patching vulnerabilities as soon as possible.
That said, as vulnerabilities soar every year, so does the complexity involved in deploying patches across an organization. With myriad products from different vendors in an IT environment, patching can be easier said than done, especially when they can sometimes do more harm than good.
Installing every single software update as soon as it’s ready is not realistic, Hinchliffe says. It’s a divergence from the longstanding advice from industry and cyber security authorities, which is to commit to an approximate 14-day patch window for internet-facing devices.
“I think the days of trying to patch everything have kind of gone because it's just so vast, and often so complex to do it,” he says. “I don't think it's doable.”
Organizations should, instead, prioritize patches most pertinent to their environments, he continues. Using threat intelligence combined with news reports of the most dangerous vulnerabilities is a good starting point for gleaning your organization’s exposure.
“A lot of security vendors used to just blame people for not patching and say that you should patch everything,” he continues, “but actually, I think it's unreasonable to think that some large organizations can patch everything.
“So if you have something which is internet-facing and it's getting scanned probably every day, and maybe automated systems are trying to exploit it with known exploits, there should be some extra visibility or security around that system.”
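The prioritization Hinchliffe describes can be expressed as a simple ranking over a vulnerability inventory. The following is an added example, not code from the article or from any vendor quoted in it: exposure to the internet and evidence of active exploitation outweigh the raw CVSS score, internet-facing findings get the 14-day window the article cites, and internal findings get an assumed 60-day window. The inventory, CVE identifiers and dates are constructed placeholders.

```python
# Added example (not from the article): rank a constructed vulnerability
# inventory so internet-facing and actively exploited findings come first.
# Assets, CVE ids (placeholders, not real CVEs) and dates are made up.
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Finding:
    asset: str
    cve: str                # placeholder id, not a real CVE
    cvss: float
    internet_facing: bool
    known_exploited: bool   # e.g. flagged by a threat-intel feed
    published: date

def priority(f: Finding) -> int:
    """Higher is more urgent. Exploitation and exposure outweigh raw CVSS."""
    score = round(f.cvss * 10)          # 0..100 from the base score
    if f.known_exploited:
        score += 200
    if f.internet_facing:
        score += 100
    return score

def patch_deadline(f: Finding) -> date:
    """14 days for internet-facing systems (the window the article cites);
    60 days for internal systems is an assumed policy, not from the article."""
    return f.published + timedelta(days=14 if f.internet_facing else 60)

def plan(findings, today: date):
    """Findings ordered by urgency, each with its deadline and an overdue flag."""
    ranked = sorted(findings, key=priority, reverse=True)
    return [(f, patch_deadline(f), patch_deadline(f) < today) for f in ranked]

INVENTORY = [  # constructed sample
    Finding("vpn-gw01", "CVE-0000-0001", 7.5, True, True, date(2024, 1, 1)),
    Finding("hr-db", "CVE-0000-0002", 9.8, False, False, date(2024, 1, 10)),
    Finding("laptop-42", "CVE-0000-0003", 5.0, False, False, date(2024, 1, 12)),
]
TODAY = date(2024, 1, 20)  # constructed "current" date for the demo

if __name__ == "__main__":
    for f, due, late in plan(INVENTORY, TODAY):
        print(f"{f.asset:10} {f.cve} prio={priority(f):3} due={due} overdue={late}")
```

Note that the lower-CVSS VPN gateway outranks the critical internal database because it is both exposed and under active exploitation, and it is the only item already past its deadline.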
There are countless methods attackers can use to breach companies and not all scrutiny should be directed toward a breached organization. But, the time taken to discover the breach is crucial. The longer it takes, the more it suggests something went very, very wrong with an organization’s security setup and that the CISO has a lot to answer for.
Yes, there are challenges with resources and the complexity of managing a modern security stack is difficult, but experts agree that no sympathy should be shed in cases like GoDaddy’s. When organizations are breached for years, no matter how sophisticated the threat actor, it means the security setup is in dire need of a radical overhaul.
Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.