FireEye CTO Sheds Light on a New Generation of Emboldened Attackers

While much of the attention around ransomware attacks has focused on the methods by which threat actors worm their way inside the network, one critical aspect of these attacks is often overlooked -attacker dwell time, which represents the length of time an interloper, remains undetected inside the network. According to the FireEye Mandiant M-Trends 2021 report, this median dwell time for APAC (including India) cyber attacks has increased from 54 days in 2019 to 76 days in 2020 – which in fact is a matter of concern.

Attacker Dwell Time

In an interaction with CXOToday, Steve Ledzian, Vice President and Chief Technology Officer, APAC – FireEye, says that adversaries continue to maintain access in compromised organizations in APAC for extensive periods of time. Consistent with observations in 2019, 10% of breaches investigated in APAC during 2020 showed dwell times of more than three years and 4% were greater than nine years.

On what contributed to these increased ransomware risk, Ledzian says, “There are largely four factors giving rise to greater levels of threats: 1. Large numbers of highly privileged accounts in Active Directory; 2. Highly privileged non-computer accounts configured with service principal names (SPNs); 3.    Security controls not configured to minimize the exposure and usage of privileged accounts across endpoints and 4. Attackers modifying Group Policy Objects (GPOs) for ransomware deployment

He mentions that the past year has been unique, as we witnessed an unprecedented combination of global events. Business operations shifted in response to the worldwide pandemic and threat actors continued to escalate the sophistication and aggressiveness of their attacks, while leveraging unexpected global events to their advantage.

As ransomware operators shift their objectives to a quality over quantity approach, so must the focus of security teams evolve from a mindset of keeping threat actors out at all costs to assuming they’re already inside.

When attackers are able to remain undetected inside a network they may spend weeks or months exploring trying to escalate privileges and leverage those permissions to push ransomware onto as many endpoint devices as possible. They can also use this time to identify critical network resources, such as system backups, network segments storing sensitive data, and other key systems that can be used to disseminate their ransomware widely.

On reducing attacker dwell time Ledzian believes security teams must re-think the existing security paradigm and take some immediate steps to limit its impact. For example, by enforcing a Zero trust framework that seeks to replace the conventional trust-but-verify model with a software-defined layer that can more easily enforce least-privilege access and micro-segmentation across the network. From the perspective of a ransomware attack, this will make it much more difficult for an attacker to hop across the network and escalate privileges

Regular penetration testing and threat hunting are also the hallmarks of a mature security practice, according to him.

Insider threats on the rise

The report also sees insider threats are on the rise. On this Ledzian mentions, “Insider threat events impact organizational reputation, customer trust and investor confidence. To properly mitigate the frequency and impact of insider threats, security conscious organizations must not only implement data loss prevention processes, but also deploy and establish dedicated staff, behavioral analytics and security information event management capabilities.”

“CISOs need to understand that protecting your organization against insider threats requires more than a data loss prevention solution. To ensure your organization possesses a mature security posture against insider threats, it’s critical to assess your existing environment and implement effective, continuous security program capabilities,” he says.

On what percentage of IT budget should be allocated to cybersecurity, Ledzian questions, “Organizations should first ask if they believe if cyber security is an IT problem or a business problem.  They should then ask if they are aligning their cyber security budget as a percentage of the IT budget or a percentage of a larger business budget.  Are the digital transformation initiatives constrained to a portion of the IT budget?  Most organizations are now saying they see cyber security as a business problem rather than an IT issue, but are they backing that up with appropriate budget allocations tied to the business and digital transformation initiatives?

Key takeaways for CIO/CISOs

In 2020 we saw the CIO/CISO’s job become more challenging than ever. According to Ledzian, “In 2020 organizations around the world struggled with adapting to the new norm and maintaining their defenses as attackers took advantage of these unprecedented times. Over the past year we were also reminded of the complexity and impact of supply chain attacks.  We’ve also seen ransomware evolve into multifaceted extortion.  We have seen these issues reach new and memorable levels of sophistication, proportion and impact.”

“The biggest takeaway for CIOs/CISOs is that security organizations need to continue to be prepared for ongoing escalations with threat actors and deal with changes to their own environment and ever growing attack surface,” he says.

According to the report, the top five most targeted industries in 2020 were business and professional services, retail and hospitality, financial, healthcare, and high technology. Over the past decade, business and professional services and financial have consistently placed in the top five most targeted industries.