Companies quicker to detect breaches, hackers more aggressive

Companies pay up when their data gets locked
Companies pay up when their data gets locked

Ransomware and cyber-extortion are increasing with criminals becoming more aggressive in their tactics, a recently published report found.

According to the M-Trends report, published by FireEye's Mandiant Consulting, the median number of days attackers were on a victim's network before being discovered dropped to 146 days in 2015 from 205 days in 2014. However, it warned, breaches can – and do – go undetected for years.

The report also found that discoveries of breaches by third parties rather than the firms themselves take longer than internal ones, with an average of 319.5 days from compromise to discovery. Internal discovery takes an average of 56 days.

The report noted that last year, the nature of the breaches the firm responded to continue to shift to a more even balance of Chinese and non-Chinese-based threat actors.

“We responded to more actors based out of Russia (both nationally sponsored and traditionally financially motivated attack groups) than in the past,” the report's authors said.

It also reported an increase in “gunslinger”, or for profit, groups as well as a significant increase in attack groups leveraging deregulated currency such as bitcoin to get their ransoms paid.

It said the most interesting new trend last year was the increase in disruptive attacks it responded to. Disruptive attacks can be those that hold data for ransom, such as CryptoLocker, hold a company for ransom by, for instance stealing data and threatening to release it, delete data or damage systems, add malicious code to a source code repository or modify critical business data in the hope that it does not get discovered.

“These attacks resulted in a public release of confidential data and, consequently, embarrassment and reputational damage. In some cases, companies lost the capability to function as a business due to the crippling loss of critical systems. Side effects included executive resignations, costly ransoms, and expensive system rebuilds,” said the report.

It said that disruptive attacks are likely to become an increasing trend given the high impact and low cost. “Disruptive cyber capabilities are sometimes referred to as ‘asymmetric,' in that they can cause a significant and disproportionate amount of damage without requiring attackers to possess large amounts of resources or technical sophistication,” it added.

Organisations are also getting more blackmail threats and the report said that in almost all cases the value of the ransom demand was commensurate with the value of the stolen data.

“This helped ensure that companies would pay the ransom. If the ransom amount is too large, the attacker is likely to never be paid. In one notable exception, the ransom demand was inexplicably low, despite the attacker seeming to know the true value of the stolen data.

“This instance came under scrutiny by the victim company and law enforcement because an ulterior motive was suspected,” the report said.

Fraser Kyne, principal systems engineer at Bromium, told SCMagazineUK.com that these attacks are becoming more prevalent for one simple reason: they work.

“Detection is a fundamentally flawed methodology for stopping polymorphic, targeted malware. Also much of the detection is after the fact – meaning that you still got hosed and the damage was done,” he said.

“You may now have a pattern for that particular attack, but if that morphs, then you're hosed the next time, too.” 

Detection delay 

Guy Bunker, senior vice president at Clearswift, told SC that while detection may be getting better among the larger organisations, for many small and medium sized businesses who are not protected in the same way, this detection can take weeks or months.

“The threat from the legitimate insider (whether they are malicious or inadvertent) is increasing and this will not have the indicator that external attacks have – although the outcome can be just as devastating. While external attacks are becoming more aggressive, it is the social engineering to attack from within which is becoming both more sophisticated as well as commonplace,” he said.

Jason du Preez, chief executive of Privitar, told SC that companies need to evolve data management practices and embrace a privacy-by-default approach to data security and privacy.

“This data-centric approach effectively separates data utility from data identity and will allow companies to confidently use sensitive data to drive innovation without the fear of serious regulatory, legal or financial repercussions.”

Richard Beck, head of cyber at QA, told SC that the human element in protection against these attacks is equally – if not more – important.  

“The best technology in the world won't protect against the actions of an employee who, through malicious intent or innocent mistake – gives a cyber-criminal access to your company's digital crown jewels. In the same way that an organisation must provide physical protection with a high-viz jacket and hardhat, organisations have a duty of care to provide cyber protection through training, thereby minimising the chances of being the victim of an attack."

Johnathan Kuskos, manager of the European Threat Research Center at WhiteHat, told SC that whether or not you should pay a ransom really comes down to economics for most organisations.

“If the data and recovery time is worth significantly more than the time wasted communicating with the people holding the data plus the ransom itself, then yes, it might seem sensible to pay. But that assumes that those holding the data at ransom won't easily compromise you again shortly thereafter, now that they know you'll pay up,” he said.