The Clock is Ticking: The Urgency for Automation Amid Shrinking Attacker Breakout Time

Attackers are Becoming More Agile in Cyberattacks

Introduction

A new report by cybersecurity firm CrowdStrike has revealed that attackers are becoming more efficient and agile in their cyberattacks. The report shows that attackers have shortened the time it takes for them to transition from gaining initial access to a system to launching an attack on other devices within the same network. This rapid movement allows attackers to establish a presence in the network and continue their activities even if the original compromised system is quarantined by incident responders. The report also highlights the increasing use of interactive intrusions, the abuse of legitimate identities, and the focus on cloud environments by attackers.

The Changing Landscape of Cyberattacks

The average time it takes an attacker to move from gaining initial access to launching an attack on other systems on a network has decreased from 84 minutes in 2022 to 79 minutes in 2023. The fastest time recorded was only seven minutes. This reduction in what is known as “breakout time” demonstrates the increased agility of attackers and their ability to quickly leverage access to compromise other systems within a network.

Param Singh, the vice president of CrowdStrike’s OverWatch security service, highlights the attackers’ main goal of establishing a presence in the network. By doing so, even if the original compromised system is isolated, the attacker can still maintain access and continue their activities. Singh emphasizes that attackers often target legitimate user credentials, aiming to become the domain controller, which grants them access to all systems and assets within the network. If they fail to achieve this level of access, they instead target key individuals with higher privileges in order to escalate their own.

The Significance of Breakout Time and Dwell Time

Breakout time is one metric used to measure attackers’ agility in compromising corporate networks. Another metric is dwell time, which refers to the time it takes for the attacker to be detected after the initial compromise. According to a report by incident response firm Mandiant, dwell time hit a low of 16 days in 2022, indicating that most attackers have over two weeks of undiscovered access within a compromised network. These two metrics combined suggest that attackers are taking advantage of their initial compromise quickly and have substantial time to maneuver undetected.

Interactive Intrusions and the Abuse of Legitimate Identities

The CrowdStrike report reveals a significant shift towards interactive intrusions, which increased by 40% in the second quarter of 2023 compared to the same period in the previous year. Interactive intrusions involve the abuse of legitimate identities and account information. Attackers are increasingly targeting and collecting secret keys, credentials, and identity information. This includes harvesting Kerberos service tickets from Windows systems for later offline cracking, a technique known as Kerberoasting. Operating under legitimate identities lets attackers go unnoticed for extended periods and reduces the likelihood of detection by conventional anti-malware solutions.
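Kerberoasting leaves a trace in Windows Security event 4769 (a Kerberos service ticket was requested): a user account asking for RC4-HMAC tickets (encryption type 0x17) for several service accounts in quick succession. The following detection logic is an added example, not code from the CrowdStrike report; the event lines it processes are constructed samples in a simplified key=value form, and the two-service threshold is an assumed tuning value.

```python
"""Kerberoasting detection over Windows Security event 4769 records (added example).

A Kerberoasting attempt shows up as service-ticket (TGS) requests for the legacy
RC4-HMAC cipher (etype 0x17) against user service accounts; RC4 tickets are cheap
to crack offline. Machine accounts (names ending '$') and krbtgt are excluded.
"""
import re
from collections import defaultdict

# Constructed sample 4769 events (simplified key=value form, not real log output)
SAMPLE_4769 = """\
EventID=4769 AccountName=alice@CORP.LOCAL ServiceName=sql_svc TicketEncryptionType=0x12 FailureCode=0x0
EventID=4769 AccountName=bob@CORP.LOCAL ServiceName=sql_svc TicketEncryptionType=0x17 FailureCode=0x0
EventID=4769 AccountName=bob@CORP.LOCAL ServiceName=backup_svc TicketEncryptionType=0x17 FailureCode=0x0
EventID=4769 AccountName=bob@CORP.LOCAL ServiceName=iis_app TicketEncryptionType=0x17 FailureCode=0x0
EventID=4769 AccountName=bob@CORP.LOCAL ServiceName=WS01$ TicketEncryptionType=0x17 FailureCode=0x0
EventID=4769 AccountName=carol@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 FailureCode=0x0
EventID=4769 AccountName=dave@CORP.LOCAL ServiceName=web_svc TicketEncryptionType=0x17 FailureCode=0x1b
"""

RC4_HMAC = 0x17
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one key=value line into a dict; None for anything that is not a 4769."""
    fields = dict(FIELD_RE.findall(line))
    return fields if fields.get("EventID") == "4769" else None

def is_roastable_request(ev):
    """True for a successful RC4 TGS request against a non-machine, non-krbtgt service."""
    svc = ev.get("ServiceName", "")
    etype = int(ev.get("TicketEncryptionType", "0"), 16)
    return (etype == RC4_HMAC
            and ev.get("FailureCode") == "0x0"   # failed requests yield no crackable ticket
            and not svc.endswith("$")            # machine accounts: legacy RC4 noise
            and svc.lower() != "krbtgt")         # TGT renewals list krbtgt as the service

def find_kerberoasting(log_text, threshold=2):
    """Map each account to the sorted distinct services it requested RC4 tickets for,
    keeping only accounts at or above `threshold` services (the enumeration pattern)."""
    services = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and is_roastable_request(ev):
            services[ev["AccountName"]].add(ev["ServiceName"])
    return {acct: sorted(s) for acct, s in services.items() if len(s) >= threshold}

if __name__ == "__main__":
    for acct, svcs in find_kerberoasting(SAMPLE_4769).items():
        print(f"ALERT {acct}: RC4 tickets for {len(svcs)} services: {', '.join(svcs)}")
```

Tune the threshold and the account exclusions to the environment; legacy applications that still negotiate RC4 are the usual source of false positives.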

The report also highlights instances where attackers scan repositories to which companies inadvertently publish identity material. Credential exposures in cloud environments, such as a root account’s access key accidentally pushed to GitHub, can be exploited within seconds by automated scanners operated by multiple threat actors. This indicates that attackers actively monitor services like GitHub for leaked cloud credentials, and shows the level of automation and sophistication they employ.

Focus on Cloud Environments

As companies increasingly adopt cloud infrastructure for their operational needs, attackers have followed suit. Cloud exploitation nearly doubled in 2022, with a particular focus on Linux systems commonly found in cloud environments. Attackers often target misconfigurations in cloud environments and use on-premises compromise as a stepping stone to move into the cloud and cause significant damage.

Singh recognizes this trend and emphasizes that threat actors are becoming more “cloud aware,” understanding the unique aspects and vulnerabilities of cloud environments. CrowdStrike’s report indicates that the privilege escalation enumeration tool LinPEAS was used in three times more intrusions than any other abused tool. This highlights the attackers’ focus on, and familiarity with, the Linux workloads prevalent in cloud environments.

Conclusion and Recommendations

The increasing agility and speed of attackers in compromising corporate networks pose significant risks to organizations. A breakout time now measured in minutes, combined with dwell times still measured in weeks, indicates a critical need for proactive and effective cybersecurity measures.

Organizations must prioritize security practices that include regular vulnerability assessments, strong access controls, multi-factor authentication, and employee training on phishing and social engineering attacks. It is also crucial to update and patch systems promptly to mitigate vulnerabilities that attackers exploit. Additionally, organizations should implement robust monitoring and detection capabilities to identify and respond swiftly to potential compromises.

Given the increasing focus on cloud environments, companies must adopt cloud-specific security measures and follow best practices for securing cloud infrastructure. Ensuring properly configured access controls, encryption, separation of duties, and regular audits of cloud environments can help minimize the risk of unauthorized access.

Ultimately, organizations and security professionals must adopt a proactive mindset to stay ahead of evolving attacker techniques. Constant monitoring, threat hunting, and staying up to date with the latest security trends and technologies are essential steps in mitigating the risks posed by highly agile attackers.
