Online attackers are becoming so good at hiding themselves that they can remain undetected in victims’ computers for months before being found, potentially giving these criminals more time to inflict greater damage than if they were detected earlier, according to cybersecurity research firm CrowdStrike.
Cyberattackers remained undetected for an average of 95 days before discovery last year, compared with an average of 85 days in 2018, CrowdStrike said in a report made public Monday.
The sharp increase in dwell time “is not a metric that we want to see go up,” Tom Etheridge, CrowdStrike vice president of services, told CQ Roll Call. Deploying so-called living-off-the-land techniques, “where an attacker can masquerade as a legitimate user in a client environment and remain stealthy provides an opportunity to get a full spectrum lay of the land” of the computer system, thus making their moves more impactful.
The increase in dwell time last year seen by CrowdStrike may have been partly because it took on a larger number of international clients with weaker technological means to find attackers than their American counterparts, Etheridge said.
To avoid detection, sophisticated nation-state attackers tend to operate with speed once they have broken into a victim’s computer. But criminals may move slowly, hoping to cause bigger disruptions and collect larger ransoms, CrowdStrike found in a report published in 2019.
Russian intelligence agency operators code-named Fancy Bear and Cozy Bear were eight times as fast as their nearest North Korean attackers, according to CrowdStrike. The Fancy Bear group has been linked to a large number of global attacks, including on the Democratic National Committee in 2016 as well as several Eastern European governments and militaries.
Criminals seeking to get higher ransoms could use their extra time inside a computer system to encrypt not only active data in use by a victim but backups as well, causing greater damage, Etheridge said.
Weakness in the supply chain
As large companies get better at finding and stopping attackers, cyber thieves are turning to smaller suppliers and software service providers for their targets, CrowdStrike found.
About 6 percent of incidents investigated by CrowdStrike in 2019 were the result of a compromise on a contractor or subcontractor to a larger company, the company said. Although these supply chain compromises are a small proportion of attacks, “third-party compromises have the potential to be more impactful or far-reaching than attacks originating” from other sources, the report said.
Third-party providers also include cloud service companies and internet service providers, and any compromises of their networks could allow attackers to penetrate many of the providers’ client computers as well, Etheridge said.
Lawmakers, intelligence agencies and the National Institute of Standards and Technology have been warning U.S. companies about supply chain cybersecurity risks for more than two years.
A variety of vendors, from janitors to software suppliers, with physical or virtual access to a company’s computer network could inflict damage, NIST has said. The agency has advised companies to undertake a variety of best practices, including better screening of their employees and of vendors’ cybersecurity routines.
The Office of the Director of National Intelligence also has prepared a series of presentations advising federal agencies and U.S. companies on cybersecurity risks posed by suppliers and vendors. The agency and others have also warned about the risks of software backdoors that would allow hackers and spies to gain access to networks.
In one example of widespread concern over far-flung networks of suppliers potentially undermining U.S. security, the top three makers of voting machines told lawmakers last week that many of their electronic components, including capacitors and chips, were sourced from China, but executives said they had no idea what proportion came from there.
Companies that engage in large mergers and acquisitions also are starting to examine the cybersecurity practices of their potential takeover targets, Etheridge said. Due diligence assessments are starting to examine the target company’s networks either before closing a deal or before the acquired company is integrated into the buyer’s computer networks, he said.
On a promising note, CrowdStrike found that last year nearly 8 out of 10 clients were able to find a breach or an intrusion on their own without first being alerted by law enforcement officials.
Self-detection is getting better because tools to find intrusions are getting more sophisticated, Etheridge said. The combination of artificial intelligence-enabled techniques and the hiring of cybersecurity research firms is likely boosting such early detection, he said.
Companies also are engaging in more “threat hunting” to identify whether their networks have been breached, Etheridge said. Combining crowdsourced attack data showing the tactics, techniques and procedures used by attackers, companies examine whether those same approaches have been deployed against their own networks.