Russian Hackers Go From Foothold to Full-On Breach in 19 Minutes
Credit to Author: Andy Greenberg| Date: Tue, 19 Feb 2019 10:00:00 +0000
In the handwringing post mortem after a hacker breach, the first point of intrusion usually takes the focus: The phishing email that Clinton campaign manager John Podesta's aide accidentally flagged as legit, or the Apache Struts vulnerability that let hackers get access to an Equifax server. But Dmitri Alperovitch, chief technology officer of security firm Crowdstrike, argues that the crucial moment isn't necessarily the initial penetration, but how quickly intruders can move from that beachhead to expand their control. And no one, Alperovitch has found, does it faster than the Russians.
In its annual global threat report, released Tuesday, Crowdstrike introduced a new metric of hacker sophistication: what the firm calls "breakout" speed. Analyzing more than 30,000 attempted breaches in 2018 the company says it detected across its customer base, Crowdstrike measured the time from hackers' initial moment of intrusion to when they began to expand their access, jumping to other machines or escalating their privileges within a victim network to gain more visibility and control. They compared those times among state-sponsored hackers from four different countries, as well as non-state cybercriminals. Their results suggest that Russia's hackers were far and away the fastest, expanding their access on average just 18 minutes and 49 seconds from their initial foothold.
Those numbers also hint at just how quickly defenders need to move to stop a breach in progress, particularly if they might pose a tempting target for the Kremlin's agents.
"Russia is really the best adversary," says Alperovitch, whose staff has closely tracked Russian operations for years, including revealing the presence of two Kremlin-sponsored intrusions into the Democratic National Committee network in 2016. "We’ve engaged with them on investigations, discovering and combatting them, and this breakout time is a real proxy for how good they are. It really captures that operational tempo… they're just incredibly fast, almost eight times as fast as the next adversary."
"Tools, zero-days, sophisticated malware tells you something, but not the full story."
Dmitri Alperovitch, Crowdstrike
In Crowdstrike's ranking, North Korea's hackers came next, averaging about two hours longer than the Russians to expand beyond an initial compromised machine. Chinese hackers took about four hours, Iranian hackers took more than five, and profit-focused cybercriminal hackers took nearly 10 hours on average to escalate their privileges or spread their infections across other parts of a victim network. (Alperovitch admits that Crowdstrike's data set doesn't include targets of hacking by the US, the UK, or the other English-speaking countries known as the Five Eyes. "I would expect they'd be at the top of the list," Alperovitch says.)
In an era when intelligence agencies and militaries can buy malicious software and vulnerabilities from myriad private firms, Alperovitch argues that the breakout times Crowdstrike has measured might represent the closest thing to a real test of operational sophistication. Nation-state hackers aren't as likely to outsource the actual hands-on-the-keyboard aspect of hacking as they are to buy research and software development. "Tools, zero-days, sophisticated malware tells you something, but not the full story," says Alperovitch. "It just means they have a lot of money."
He points to one example where it took the team of hackers known as Cozy Bear, or APT29, only 10 minutes to gain domain admin privileges—essentially full control over the network—from the moment a target clicked a phishing link. "They’re not there sipping coffee, thinking 'let me figure out what I want to do today,'" Alperovitch says. "They have a victim, they jump on it as quickly as possible, and really execute their mission before they get detected."
Breakout speed is far from the only way to measure the dangers hackers pose, points out Ben Read, a manager of cyberespionage analysis at security firm FireEye, a Crowdstrike competitor. He argues that some hacker groups may cast a wider net than others, and only prioritize acting on some of the victims that fall into it. "Speed is an interesting datapoint, but it’s not a perfect stand-in for sophistication," Read says. "They may have sent 10,000 phishing emails but they only really care about five targets, and if you’re one of them they’re going to move quickly. But if you’re an HR person at a boring think tank, they’ll get to you in a few hours."
But Crowdstrike's numbers still offer a sense of how quickly hackers move on average, and how vigilant network operators need to be if they hope to catch and contain intrusions. The company actually found that the overall average breakout time for all the incidents they observed in 2018, four hours and 37 minutes, was significantly longer than in 2017, when it was just under two hours, due in part to a higher volume of slower moving adversaries. But even four or five hours represents a disturbingly narrow window for detecting and acting on an intrusion that could represent the difference between a single infected user and a deeply compromised network.
"Defenders have to be on call," Alperovitch says. "This is an indication of not just how rapidly they move, but how quickly you have to move as a defender to eject them."