19 Minutes to Escalation: Russian Hackers Move the Fastest
New data from CrowdStrike's incident investigations in 2018 uncover just how quickly nation-state hackers from Russia, North Korea, China, and Iran pivot from patient zero in a target organization.
It takes Russian nation-state hackers just shy of 19 minutes to spread beyond their initial victims in an organization's network - yet another sign of how brazen Russia's nation-state hacking machine has become.
CrowdStrike gleaned this attack-escalation rate from some 30,000-plus cyberattack incidents it investigated in 2018. North Korea followed Russia at a distant second, taking around two hours and 20 minutes to move laterally; followed by China, at around four hours; and Iran, at around five hours and nine minutes.
"This validated what we've seen and believed - that the Russians were better [at lateral movement]," says Dmitri Alperovitch, co-founder and CTO of CrowdStrike. "We really weren't sure how much better," and their rapid escalation rate came as a bit of a surprise, he says.
Cybercriminals overall are slowest at lateral movement, with an average of nine hours and 42 minutes to move from patient zero to another part of the victim organization. The overall average time for all attackers was more than four-and-a-half hours, CrowdStrike found.
Russia's speedy infiltration of organizations versus other nation-states like China - which overall was the most active of all nation-states in hacking in 2018 - reflects how Russia's cyber operations have evolved dramatically over the past few years. Russia wasn't always so brazen: The shift became painfully obvious during the 2016 US presidential election with its aggressive doxing and hacking and other malicious online activity.
"One of the definitive characteristics of Russia is that it's willing to go fast and break things without caring about getting identified or outed," notes John Bambenek, director of cybersecurity research at ThreatStop. "They behave in atypical ways for an intel agency [in cases]. They get a beachhead and keep moving."
It's often easier to attribute attacks to Russian hacking teams because they move so quickly and are more likely to make mistakes that out or catch them in their tracks, he says. "Their mindset is to go fast and break things ... and they are still getting results," Bambenek says.
Even if they are outed, they rarely face consequences given the lack of an extradition agreement between the US and Russia.
Russia shifted from cagey to brazen around the fall of 2014, according to Kevin Mandia, CEO of FireEye, who explained the transformation in an interview with Dark Reading after the 2016 election. "Suddenly, they [Russian state actors] didn't go away when we responded to their attacks," he said. Historically, Russian attackers would disappear as soon as they were rooted out by investigators: "The Russian rules of engagement were when we started a new investigation, they evaporated [and] just went away."
Those days are long gone, experts say.
Jennifer Ayers, vice president of OverWatch and Security Response at CrowdStrike, says attackers overall are getting faster at infiltrating and invading their targets' networks. Russia's relative speediness, in part, has to do with its abuse of Web servers that, for example, haven't been hardened, she says.
"In many cases, they are using common malware and techniques like phishing email campaigns and BEC [business email compromise]. They are using Web servers on the Net that have not been hardened, so it lets them in a faster time move laterally from entry point to the next level," Ayers explains. Organizations, in turn, must lock down those weakest links and speed up their response rates, according to Ayers.
China
In contrast, China operates more slowly and deliberately, underscored by its more than four hours to get beyond its initial victim in a targeted organization. "They do [the initial attack], step back, get more data, and plan their next steps," taking time, for example, to create kernel modules for specific machines, ThreatStop's Bambenek says. "That takes time."
China last year began re-upping its hacking for economic and competitive gain after a temporary reprieve following the 2015 pact between President Obama and Chinese President Xi Jinping not to conduct cyber spying attacks for economic gain. "China is back in economic espionage [attacks] - all of this is taking place across diverse industries," Alperovitch says.
"China was technically the biggest story of 2018," he says.
So far in 2019, China continues to be the most active nation-state in cyberattacks, notes Benjamin Read, senior manager for cyber espionage analysis at FireEye. While FireEye hasn't measured the lateral movement speeds of various nation-states in its investigations, he says, it's logical that Russia would be the most efficient at escalation.
"It makes sense with their being the most technical of adversaries," Read says. For now, Russian activity mainly is focused on European targets, he notes.
Russia, not surprisingly, is expected to ratchet up its targeting of the US in the run-up to the 2020 US presidential election.
Now What?
With the average dwell time of an attacker at six months, according to Verizon's Data Breach Investigations Report (DBIR), just how can defenders apply this so-called breakout time of various nation-state actors?
CrowdStrike recommends that defenders apply those breakout times to benchmark the time it takes them to detect, investigate, and fix or remediate systems after an attack.
They also can tune their security tools and processes, notes Ayers, setting rules that take into consideration tight time frames. "You can set the tools to determine in a matter of minutes whether to take action on a specific threat - blocking a hash if it's a piece of malware, for example." The tools also can determine whether a threat should be escalated to the incident response team for a deeper investigation, or whether passwords should be reset, she notes.
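One way to turn the benchmarking advice above into a concrete check, as an added example that is not from CrowdStrike or the article: it records the detect, investigate and remediate phases of one incident and reports which of the reported 2018 breakout times the total response failed to beat. The incident timestamps are constructed; the breakout figures are the ones quoted in the article.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Average 2018 breakout times reported in the article (patient zero -> lateral movement).
BREAKOUT = {
    "Russia": timedelta(minutes=19),
    "North Korea": timedelta(hours=2, minutes=20),
    "China": timedelta(hours=4),
    "Iran": timedelta(hours=5, minutes=9),
    "eCrime": timedelta(hours=9, minutes=42),
}

@dataclass
class Incident:
    """Key timestamps of one response, all in UTC."""
    first_activity: datetime  # earliest attacker activity on patient zero
    detected: datetime        # first alert raised
    investigated: datetime    # scope understood, action decided
    remediated: datetime      # host isolated, credentials reset

def phase_durations(inc: Incident) -> dict:
    """The three phases the article says to benchmark against breakout time."""
    return {
        "detect": inc.detected - inc.first_activity,
        "investigate": inc.investigated - inc.detected,
        "remediate": inc.remediated - inc.investigated,
    }

def outrun_by(inc: Incident) -> list:
    """Adversaries whose average breakout time is shorter than the total response time,
    i.e. who on average would already have moved laterally before containment."""
    total = inc.remediated - inc.first_activity
    return [actor for actor, limit in BREAKOUT.items() if limit < total]

# Constructed sample: 12 min to detect, 20 to investigate, 15 to remediate (47 min total).
SAMPLE = Incident(
    first_activity=datetime(2019, 2, 19, 9, 0),
    detected=datetime(2019, 2, 19, 9, 12),
    investigated=datetime(2019, 2, 19, 9, 32),
    remediated=datetime(2019, 2, 19, 9, 47),
)

if __name__ == "__main__":
    for phase, duration in phase_durations(SAMPLE).items():
        print(f"{phase:12s} {duration}")
    print("already broken out on average:", outrun_by(SAMPLE))
```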
Speeding up response is key, Bambenek notes. "I care if they are marching through my infrastructure, but once they start stealing data, then I have a real problem," he says.
Meanwhile, CrowdStrike last year also spotted China, Iran, and Russia upping their targeting of telecommunications providers. Alperovitch says it's all about control of the Internet: "Just as previous wars fought over telegraph lines and radar and radio waves, this is the new battlefield - every nation wants to get an advantage," he says. Telecommunications targets hold so much valuable information.