Maksim Kabakou - Fotolia
Security Think Tank: Five tips for killing the campers on your network
Why is reducing cyber attacker dwell time important and how should this be tackled?
In cyber space, an enterprise represents a treasure trove of opportunity for cyber criminals. Attacking “from a distance”, a cyber criminal might attempt to cripple a company’s website by bombarding it with distributed denial of service (DDoS) attacks, or hold some of its information ransom by delivering malware-laden phishing emails to its employees.
However, it’s the cyber criminals “hiding within” the enterprise that can present the greatest threat.
A cyber criminal that has infiltrated a company network can monitor its systems traffic, observe regular activity and identify security weaknesses to build a digital picture of the organisation. The longer an attacker spends on the network, the easier it is for them to use this information to launch attacks from within, compromise systems and locate critical data to destroy or steal.
Given time, attackers can also build profiles of employees by monitoring how they communicate with their regular correspondence. Known as signals intelligence, it enables attackers to see how busy networks are at particular times and map the frequency of communication between specific individuals to identify privileged accounts which could lead to a “golden ticket”.
These Kerberos tickets provide unlimited access as a domain administrator, giving attackers scope for more damaging and widespread attacks.
A highly skilled attacker will know how to get onto the network without being spotted and “lay low” until they have secured enough information to make an attack. The trick is to then identify the breach and eliminate the attacker as quickly as possible.
Worryingly, however, the average attacker dwell time in EMEA has grown. According to the latest M-Trends report by security firm FireEye, in 2017, the time taken by firms to detect breaches had increased by 40% since 2016 to an average of 175 days. Below, I’ve listed five tips for reducing attacker dwell time on your organisation’s network.
1. Know your network
Having an understanding of your network is the first step in being able to spot any unusual activity on it.
Getting to grips with the daily activity, for example, the frequency of communication and which files are accessed most regularly will enable you to build a working picture of your organisation’s digital landscape. With this, you’re in a better position to spot something that shouldn’t be happening.
2. Guard your most critical accounts
Privileged users have authority to access critical systems and data that general users wouldn’t have access to.
Read more about reducing attacker dwell time
- Reduce attacker dwell time with defence in depth.
- GDPR compliance one good reason to cut attacker dwell time.
- Containment should be top priority in cyber breaches.
Because of the power they offer, it’s these accounts that cyber criminals will hunt down once they’re inside a network. Tracking your privileged user accounts and monitoring their activity, for example, looking for any activity that takes place outside of working hours, will help reveal an attacker inside the network.
3. Do your homework
Systems logs provide a paper trail of activity that can leave clues to anything suspect on a network. Reviewing logs involves creating a baseline of activity about the events that have occurred over the last 30 days, and comparing any future activity against this baseline.
Introducing this process will enable you to detect and respond to security incidents faster and more efficiently.
4. Play the investigator
Expert attackers will give away few telltale signs to their presence on a network and the kind of “low and slow” types of attacks they favour may not display a pattern that can be spotted by tools or humans.
To identify an intruder, you’ll therefore need to watch the traffic patterns between key business applications and investigate firewall requests and critical data accesses.
5. Educate your staff
Education should underpin the cyber security practices in every organisation. In our whitepaper, What every business leader should know about cyber risk, we outline why IT and Security leaders should challenge business leaders to communicate their aspirations for how systems will be used by employees, so everyone can gauge potential risks. Introducing this kind of education and training means staff can then become your “eyes and ears” on the ground.
With staff reporting unusual activity or behaviour, they will not only help you spot attackers in your network quicker, but will develop a culture of increased security awareness in your organisation.