Why should business leaders care how much time it takes to detect a breach? It’s a common misconception that a breach is a breach – whether you spot it on day one or weeks later. In actuality, the time it takes to detect a breach directly correlates to the damage done and the cost to your organization. In June 2015, the Ponemon Institute released its annual cost of a data breach study and for the first time pointed out the direct relationship between the time it takes to detect a breach and the cost of the data breach itself.
When it comes to the damage done, look no further than the Office of Personnel Management (OPM) data breach as an example. The breach, which wasn’t discovered for more than a year, led to waves of identity theft and numerous counts of identity switching by hackers, making them harder to find once the breach was discovered.
According to Exabeam, as an industry, our focus needs to shift from prevention to detection and response acceleration; there is no band-aid solution for keeping hackers out. The new age of security technology will focus on solutions that speed up, automate and ideally combine phases of the typical security process. By learning how hackers manipulate networks throughout phases of a breach, organizations can make the shift to a better security process.
Creating a Better Security Process
Click through for more on how hackers manipulate networks throughout phases of a breach and how organizations can make the shift to a better security process, as identified by Exabeam.
The Attack
Attackers are gaining more time between the initial malware attack and detection. Malware sandbox detection is not a new tactic on the part of malware authors, but it is becoming more commonplace. This tactic allows many varieties of malware to detect the presence of the malware sandbox system and evade detection. Also, online, cloud-based services are available for hackers who wish to test their malware against all the latest versions of antivirus software. In addition to making malware as stealthy as possible, stolen credentials allow hackers to act as legitimate users, making it even more difficult to find them.
Tip: Organizations can no longer focus on finding the single origin of a breach. With hackers’ ability to easily evade malware detection and switch identities once inside a network, it’s useless to monitor the endpoint. Instead of looking for the initial attack, security teams must focus on what happens once attackers are inside.
Detection
The Verizon Data Breach report and reports from Mandiant Consulting tell us that detecting an advanced attack takes approximately 200 days. However, victims of recent breaches report even longer detection times. Internal security teams are typically notified of a data breach by a source outside of their organization, such as a security researcher, business partner or government agency.
Tip: Detection is taking longer due to hackers’ ability to steal identities once they’re inside a network. Organizations need to monitor confidential information for any activity and pay special attention to logins from unfamiliar locations or unknown privileged users.
Analysis
Once the security team spots a breach, according to a report from Meritalk, analyzing it takes an estimated 50 to 90 hours. While this may seem like a short time in comparison to the detection stage, malware can alert attackers to security team activity and allow them to cover their tracks, create back doors or employ new tactics to stay inside a network. If the attacker can switch identities or create multiple accounts, the security team may not be able to piece together the entire list of hosts touched by the attacker.
Tip: It’s not enough to look for alerts related to certain users. Teams must also be able to piece together when hackers jump from machine to machine and when they create back doors and new credentials. Without these detection methods, the hacker’s trail can go cold.
Containment
Faulty or incomplete analysis means the attacker is not contained and the security team may end up playing whack-a-mole throughout the attack chain. Additional information may be stolen during this time or the attacker can move to a business partner to hunt for additional data.
Tip: To contain a hacker within a network, security teams must complete the analysis phase perfectly. Once it has identified all back doors and credentials used in the attack, an organization can shut down the affected systems.
Restoration
The restoration phase only occurs on systems known to have been touched by the attackers; if the containment phase is incomplete, hackers can easily stay within a network. Containment and restoration become a continuous and protracted process. Just when the team is about to declare victory, it receives information that additional systems need to be remediated, continuously siphoning off security team resources.
Tip: Unless an organization has full confidence that the containment stage has been successful, they should call for backup during the restoration stage. Many security teams bring in outside solutions or research teams to help bring machines and credentials back to life.
The Breach Aftermath
After going through the five phases of a data breach, organizations must inform their customers and employees about what happened and which steps the organization will take next. Telling the public who attacked your organization, how they did it, what was stolen and how you plan to solve the problem becomes infinitely easier when you have a complete road map of the attack.
