In the realm of cyber security, the severity of attacks can vary greatly. From small-scale hacks to major breaches, cyber criminals employ various methods to infiltrate organizations and steal valuable data. However, the most alarming type of attack is one that lingers undetected for years.
Recent incidents involving major organizations such as GoDaddy and News Corp have shed light on the deeply entrenched issues that allow long-term breaches to occur. This raises the question: how can organizations with robust IT teams and substantial investments in cyber security allow hackers to persist for such extended periods?
What many fail to realize is that cyber security practitioners and security operations center (SOC) analysts face an overwhelming amount of data each day, making it a daunting task to connect the dots and identify potential threats. Furthermore, there are often avoidable errors that contribute to these long-lasting breaches.
UNDERSTANDING HOW HACKERS REMAIN UNDETECTED
The first step for a cyber criminal planning a long-term breach is to find a way into the target's network. Even with strong security measures in place, there is usually at least one entry point. Whether they buy access from an initial access broker (IAB), exploit a vulnerability or, most effectively, use stolen employee credentials, attackers must get in without triggering an alert.
During the initial stages of a breach, hackers simply observe the target organization and its employees. They learn the daily routines and processes and use this knowledge to camouflage their movements within the network. They avoid any action that might raise suspicion until they can blend seamlessly into the normal traffic monitored by the organization's SOC analysts.
To remain undetected, attackers typically rely on one of two methods. The first uses compromised credentials to mimic an employee's usual behaviour: accessing the same files and logging in and out from the same location at the same times. This method is increasingly common because of social engineering, email phishing and the use of IABs. It is very hard to detect because the attacker's activity matches the account's established pattern, so there is no deviation for monitoring software to flag.
The second method exploits monitoring tools that have not been configured to baseline account activity and alert on irregularities such as logins from a new address or at an unusual hour. Without that visibility, tracing a cyber criminal's movements is difficult.
In many cases the two are combined. Either way, misconfigured security controls and poor security practices play a substantial role in enabling long-lasting data breaches.
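The two evasion methods above, and the difference a properly configured control makes, can be shown with a small baseline-and-deviation check over login records. The following is an added example, not code from the original article or from any vendor's product: the log line format, account names, IP addresses and the per-account versus organisation-wide profiling switch are all constructed for illustration. It learns each account's usual source addresses and login hours from past successful logins, then flags later logins that depart from that profile.

```python
"""Per-account login baseline and deviation check over constructed auth logs.

Added example, not from the original article or any product. The log
format, account names, addresses and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime
import re

# Constructed log format: "<ISO timestamp> auth user=<name> src=<ip> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one constructed auth line into a dict, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def build_baseline(lines, per_user=True):
    """Learn the source IPs and login hours seen in successful logins.

    per_user=True keeps one profile per account (what a tuned control does).
    per_user=False lumps every account into one organisation-wide profile,
    the kind of loose configuration the article describes: any address or
    hour that is normal for someone becomes normal for everyone.
    """
    profiles = defaultdict(lambda: {"ips": set(), "hours": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "ok":
            continue  # failed or malformed lines do not shape the profile
        key = ev["user"] if per_user else "*"
        profiles[key]["ips"].add(ev["src"])
        profiles[key]["hours"].add(ev["ts"].hour)
    return dict(profiles)


def score_event(profiles, ev, per_user=True):
    """Return the reasons a successful login deviates from its profile."""
    key = ev["user"] if per_user else "*"
    prof = profiles.get(key)
    if prof is None:
        return ["no_baseline_for_account"]
    reasons = []
    if ev["src"] not in prof["ips"]:
        reasons.append("new_source_ip")
    if ev["ts"].hour not in prof["hours"]:
        reasons.append("outside_usual_hours")
    return reasons


def detect(baseline_lines, candidate_lines, per_user=True):
    """Return [(line, reasons)] for candidate logins that deviate from baseline."""
    profiles = build_baseline(baseline_lines, per_user)
    findings = []
    for line in candidate_lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "ok":
            continue
        reasons = score_event(profiles, ev, per_user)
        if reasons:
            findings.append((line, reasons))
    return findings


# Constructed baseline: a day-shift account and an on-call account.
BASELINE = [
    "2024-03-04T08:52:11 auth user=j.doe src=203.0.113.10 result=ok",
    "2024-03-05T09:03:40 auth user=j.doe src=203.0.113.10 result=ok",
    "2024-03-06T08:47:02 auth user=j.doe src=203.0.113.10 result=ok",
    "2024-03-06T13:00:00 auth user=j.doe src=192.0.2.44 result=fail",
    "2024-03-04T22:15:09 auth user=oncall src=198.51.100.7 result=ok",
    "2024-03-06T02:08:30 auth user=oncall src=198.51.100.7 result=ok",
]

# Constructed candidates: a noisy intruder, and one who copies j.doe's routine.
CANDIDATES = [
    "2024-03-07T02:10:00 auth user=j.doe src=198.51.100.7 result=ok",  # noisy
    "2024-03-07T09:01:12 auth user=j.doe src=203.0.113.10 result=ok",  # mimic
]

if __name__ == "__main__":
    for per_user in (True, False):
        print(f"per_user={per_user}:", detect(BASELINE, CANDIDATES, per_user))
```

With per-account profiling the noisy login is flagged for both a new source address and an unusual hour, while the login that copies j.doe's address and hour produces no finding at all, which is the first evasion method. With the organisation-wide profile even the noisy login passes, because the on-call account has already made that address and that hour "normal" for everyone, which is the second.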
IDENTIFYING THE KEY FACILITATORS
According to IBM's Cost of a Data Breach report, the average breach lifecycle is 277 days: 204 days to identify the breach and a further 73 days to contain it. The average cost of a data breach is put at $4.45 million.
Credential theft is a common factor in breaches and is particularly difficult to detect when hackers blend in with an account's normal traffic. However, organizational failures in setting up and maintaining a robust security stack often contribute to threats going unnoticed.
A lack of comprehensive and consolidated architecture within organizations, coupled with an overwhelming number of security tools that do not effectively work together, poses significant challenges. Short-staffed security teams with limited knowledge of the products in use further exacerbate these issues.
Properly configuring security products during implementation saves time, prevents misconfigurations and ensures that alerts are not missed or triaged incorrectly. Some organizations are consolidating tools with different security capabilities into one management platform, and automating the analysis of network traffic so that SOC analysts are alerted to suspicious events. These changes have made security personnel more effective and streamlined their workflows.
However, the human factor remains crucial. Skills shortages and a lack of training contribute to stretched teams who may not have the resources or knowledge to set up products correctly or handle specific alerts. Delivering comprehensive cyber security training to staff is often overlooked, leading to an increase in phishing incidents and further security breaches.
Ultimately, organizational-level shortcomings contribute significantly to the persistence of breaches. Siloed products and teams are all too common, resulting in a lengthy average time to remediate a breach. While breaches may be inevitable in today’s cyber security landscape, organizations must prioritize implementing best practices without excuse. When breaches continue for years, it is necessary to scrutinize the victim’s systems and processes to address and rectify these shortcomings.