The time from compromising the first system on a network to being able to move laterally to infect other devices on the network varies widely between cyber-attack groups, but the fastest can achieve this in an average of less than 20 minutes.
Research by CrowdStrike, based on more than 30,000 breach attempts analysed by the company, found Russian nation-state attackers – ‘bears’ – are quickest with an average ‘breakout’ time of 18 minutes 49 seconds.
Breakout is the ability to move from the initially compromised computer to infect other devices on the network. CrowdStrike says breakout speeds have significant implications for the resourcing of organisations’ security operations centres and provide time limits for incident response.
North Korean nation-state attackers, dubbed ‘Chollimas’, were the second fastest with an average breakout time of two hours 20 minutes 14 seconds, the company said, adding that it was "remarkable" that the second place group were nearly ten times slower than the Russians.
‘Pandas’ – Chinese nation-state attackers – were third with an average breakout time of 4:00:26, followed by ‘kittens’ (Iran) at 5:09:04.
Criminal actors, collectively dubbed ‘spiders’ by CrowdStrike, had the slowest average breakout time of 9:42:23, but this statistic came with the caveat that breakout times varied widely among this group with some spiders moving as quickly as the best nation-state attackers.
Analysis of threat actors’ breakout time was limited to those attackers who succeeded in breaking out of their foothold computer and where the researchers were confident of their ability to attribute the attack to known groups, CrowdStrike said. They also noted that there was considerable variation in breakout speeds between threat actors in given countries and also that a speedy breakout was not always the primary objective of attackers.
Dmitri Alperovitch, chief technology officer and co-founder of CrowdStrike, said, "This year’s report underscores the importance of speed of response in cyber-security and provides valuable insights into how to defeat some of the most destructive and capable nation-state and eCrime threat actors."
Organisations are increasingly being targeted by criminal gangs intent on spreading ransomware through as much of the network as possible. Rather than compromising one machine and infecting it with ransomware, the gangs are breaking out and then infecting the entire network, CrowdStrike said.
Criminal groups are also becoming more collaborative and increasingly targeting media, technology and academic organisations.
Nation-states are particularly interested in telecoms, and CrowdStrike says it has identified several intrusion campaigns which it attributes to China, Iran and Russia focusing on the sector with the aim of supporting cyber-espionage campaigns.
And as a reminder that cyber-security is intimately entwined with geopolitics, it says it has observed an increased pace of activity from China, probably as a result of worsening relations between China and the US.
Adam Meyers, vice president of intelligence at CrowdStrike, said, "As we continue to see highly sophisticated nation-state and eCrime actors elevate the level and complexity of daily threats, this report should serve as a resource for business leaders and security professionals to better understand the threat environment and make informed decisions that protect business-critical data."
The report also provides an overview of attack techniques by region which shows significant variations in the use of malware, scripting, credential dumping and other techniques depending on victims’ geographical location.
It also provides an extensive list of techniques used to compromise networks. While the list of techniques for gaining the initial foothold is relatively short – comprising the usual suspects such as phishing and exploiting compromised credentials – the list quickly mushrooms when looking at techniques for achieving persistence, escalating privileges and evading defences.