Apr 28 2016

RANSOMWARE, RECONNAISSANCE AND THE PROBLEM OF DWELL TIME

Ransomware has certainly captured the attention of the media and of hospitals across the country. The poster child of this trend is Hollywood Presbyterian Medical Center (HPMC) in Los Angeles. Earlier this year, HPMC was the victim of a ransomware attack and paid $17,000 to get the key and regain access to its files. More recently, the 10-hospital MedStar system in the Washington, DC area was attacked and asked to pay 45 bitcoins (about $18,500), although the hospital claims to have restored its data without paying the ransom.

In between these attacks, three other hospitals were also victims. Methodist Hospital in Henderson, Kentucky reportedly paid a $17,000 ransom in early March, and Prime Healthcare Management hospitals in Chino and Victorville, California were targeted by the same ransomware as HPMC but restored their systems without payment. Ars Technica summed up the situation this way:

The HPMC ransomware attack appears to be part of a trend of increasingly targeted ransomware attacks against businesses and larger institutions. These are likely carried out by cybercriminals who have managed to gain access to the organizations’ networks through other malware to conduct reconnaissance. 

When ransomware was a phishing attack that locked up data on a single PC, there was little space between the exploit and the asset compromise. Now, however, we are seeing large organizations held hostage, and increasingly a network exploit was the attack vector. This means that there was reconnaissance at some point between the initial exploit and the distribution of the ransomware. That dwell time could be the difference between catching an attack before or after the ransomware payload is delivered.


THE PROBLEM WITH DWELL TIME

We recently reviewed the Mandiant finding that breach dwell time in 2015 fell 29% to 146 days, compared to over 200 days in 2014. That is indeed good news, but it is hardly comforting to learn that attackers have an average of 21 weeks to recon, exploit and breach a network. Even worse, 53% of the data points showed 320-day average dwell times.

Verizon data from its annual Data Breach Investigations Report has a different take on this, but a similar conclusion. In 2015, it found that time to compromise was days or less in nearly 100% of all breaches. However, discovery by the good guys in days or less happened only about one-fourth as often.


In addition, according to Verizon, minutes or days were typically all the attackers needed to complete exfiltration of sensitive company data. About 82% of the time the compromise was completed in just minutes, and, here is the kicker, 98% of the time exfiltration occurred within days. The goal cannot just be detection; it must be oriented toward speed of detection and investigation.

The fact is that there are many ways into a network. Despite the rise in advanced endpoint protection, next-gen firewalls, SIEM and user behavior analysis (UBA), attackers are still eluding detection for many months. They do this by avoiding the known detection traps built into legacy cybersecurity software and by covering up their footprints. This gives them time to find valuable assets to exfiltrate or to install a ransomware payload across a vast number of endpoints. Prevention is important, but there is also a need to shorten three phases of the timeline, which can help you better protect your information security assets:

  1. The time between compromise and detection
  2. The time between detection and confirmation
  3. The time between confirmation and remediation

Many people don’t realize there are three cycles going on here. All three of them add up to the dwell time during which an attacker has a free hand to operate in your environment. Of course, the sooner you can identify the compromise, the faster you can start the confirmation and remediation processes. However, the organization is not protected until all three are complete. The question for the enterprise is: how well are your tools and processes helping you in these three detection and response phases?

WHEN A BREACH IS NOT A BREACH

Ransomware complicates this further because there is no exfiltration, therefore no actual breach. The outcome here is disruption of normal operations and the potential for data destruction. Data exfiltration is one indicator that many people are turning to for faster breach detection. Most existing tools fall short on this measure today. When it comes to ransomware, they miss that exploit entirely because they aren’t looking for it and don’t know how to start identifying this type of exploit objective.

THE ANSWERS CAN BE FOUND IN THE DATA

This is where information security analytics comes into play. When you sift through all of your internal data traffic and asset activity and compare it to threat intelligence, you can start to recognize patterns that are early indicators of a compromise in progress. But this requires more than just parsing logs and looking for signatures on your endpoints. You need to look at data in relation to threat intelligence and in relation to asset groups, and also consider NetFlow and PCAP. All of this provides the context required to detect compromises faster and to move through the analysis and confirmation process faster to get to remediation.
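As an added illustration of that correlation step (this is example code written for this page, not IKANOW's product or any real analytics pipeline), the script below joins constructed NetFlow-style records against a constructed threat-intelligence indicator list and weights each hit by the risk score of the source host's asset group, so that repeated contacts from a high-risk asset rank ahead of a single hit from a low-risk workstation. The beaconing check goes one step beyond the paragraph: it flags hosts whose contacts to an indicator recur at a near-constant interval, a common early sign of command-and-control activity during reconnaissance. All IP addresses come from the RFC 5737 documentation ranges and every host, group and indicator is made up.

```python
"""Correlate flow records with threat intelligence and asset-group risk.

Added example, not IKANOW code. THREAT_INTEL, ASSET_GROUPS and FLOWS are
constructed sample data; the scoring and beaconing rules are illustrative.
"""
from collections import defaultdict
from datetime import datetime

# Constructed threat-intel indicators: destination -> indicator tag.
THREAT_INTEL = {
    "203.0.113.45": "c2-beacon",   # TEST-NET-3 address, constructed
    "198.51.100.7": "tor-exit",    # TEST-NET-2 address, constructed
}

# Constructed asset groups: internal host -> (group name, risk weight 1-5).
ASSET_GROUPS = {
    "10.0.5.12": ("radiology-servers", 5),
    "10.0.8.33": ("workstations", 1),
    "10.0.9.4": ("file-servers", 4),
}

# Constructed flow records: "timestamp src dst dst_port bytes_out".
FLOWS = [
    "2016-04-20T02:14:05 10.0.5.12 203.0.113.45 443 1200",
    "2016-04-20T02:15:05 10.0.5.12 203.0.113.45 443 1180",
    "2016-04-20T02:16:05 10.0.5.12 203.0.113.45 443 1210",
    "2016-04-20T09:41:10 10.0.8.33 198.51.100.7 443 8400",
    "2016-04-20T10:02:33 10.0.9.4 10.0.5.12 445 50000",
    "2016-04-20T10:03:00 10.0.8.33 192.0.2.10 80 2300",  # benign, no IOC match
]


def parse_flow(line):
    """Split one whitespace-separated flow record into typed fields."""
    ts, src, dst, port, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "bytes": int(nbytes)}


def correlate(flows, intel, groups):
    """Return per-source-host findings: IOC hits weighted by asset risk."""
    findings = defaultdict(lambda: {"group": None, "risk": 0, "hits": [], "score": 0})
    for f in flows:
        tag = intel.get(f["dst"])
        if tag is None:
            continue  # destination is not a known indicator
        group, weight = groups.get(f["src"], ("unassigned", 1))
        rec = findings[f["src"]]
        rec["group"], rec["risk"] = group, weight
        rec["hits"].append((f["ts"], f["dst"], tag))
    for rec in findings.values():
        # Score = asset-group risk x number of IOC contacts, so a
        # high-risk server talking repeatedly to C2 sorts to the top.
        rec["score"] = rec["risk"] * len(rec["hits"])
    return dict(findings)


def beaconing_hosts(findings, min_hits=3, max_jitter_s=30):
    """Flag hosts whose IOC contacts recur at a near-constant interval."""
    flagged = []
    for host, rec in findings.items():
        times = sorted(t for t, _, _ in rec["hits"])
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter_s:
            flagged.append(host)
    return flagged


def prioritized(findings):
    """Hosts ordered by descending score, for the analyst's triage queue."""
    return sorted(findings, key=lambda h: findings[h]["score"], reverse=True)


if __name__ == "__main__":
    results = correlate([parse_flow(l) for l in FLOWS], THREAT_INTEL, ASSET_GROUPS)
    for host in prioritized(results):
        r = results[host]
        print(f"{host:12} {r['group']:18} score={r['score']:3} hits={len(r['hits'])}")
    print("beaconing:", beaconing_hosts(results))
```

The point of weighting by asset group rather than by indicator alone is the one the paragraph makes: the same C2 contact means something different coming from a radiology server than from a guest workstation, and the triage queue should reflect that without an analyst having to look each host up by hand.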


IKANOW announced our Information Security Analytics version 1.5 release last week. It addresses these three phases directly: detection, confirmation and remediation. In particular, the ability to identify anomalies based on asset group risk scores correlated to indicators of compromise (IOC) helped one customer identify three active incidents within a few minutes of installing the solution.

From there, tools such as correlated search helped analysts more quickly contextualize the incident and determine whether there was a breach or an active attack underway. Another IKANOW user claims that tools such as correlated search can make its analysts 50% more productive. If that means 50% faster to initiate remediation steps, it could be the difference between a ransomware payload being downloaded or prevented.

WHY CAN’T I RELY ON MY SIEM AND ENDPOINT TOOLS TO DO THIS?

SIEM, endpoint protection and other tools have an important role to play in information security. However, none of them is optimized for analyzing large volumes of internal and external data, nor are they tooled to analyze data flows in real time. They are designed to capture asset activity and status. Those are valuable inputs into analysis, but they are no longer sufficient to identify the tiny footprints left by sophisticated attackers. The new formula for information security involves using legacy tools in addition to threat intelligence and analytic solutions.

Symantec reports that ransomware attacks increased 35% in 2015 to about 1,000 per day. Already in 2016, some days have spiked at 4,000 attacks and, as we have seen, many are now victimizing enterprises. If you would like to learn more about how Information Security Analytics can help you detect, confirm and remediate attacks faster, download our latest white paper on the Knowns and Unknowns of Information Security or click the request a demo button below.

Scott Raspa
sraspa@ikanow.com

Raspa oversees all business development and marketing from strategy development to execution. He has 12 years of technology marketing and sales experience in high-growth analytics and security companies. Raspa earned a Bachelor of Science in information systems management from the University of Maryland University College.