Cyber-security vendor CrowdStrike released its 2018 Global Threat Report on Feb. 26, providing insights from the company's globally distributed network that processes approximately 100 billion events a day. Among the highlights of the 74-page report is an analysis of what CrowdStrike refers to as the average breakout time, which is a key metric for organizations to help mitigate risk.
"The breakout time is the time that it takes for an attacker to escape the initial beachhead machine that they were able to compromise," Dmitri Alperovitch, CrowdStrike’s chief technology officer and co-founder, told eWEEK.
According to CrowdStrike's analysis, the average breakout time in 2017 was 1 hour and 58 minutes. Alperovitch explained that in a typical attack scenario, whether the attack vector was phishing or a web-based vulnerability, the initial victim is in most cases was not the ultimate target. He noted that attackers typically want to get deeply embedded in a network to find the most valuable data.
"It's really interesting to note that it took almost two hours for attackers to get off the initial beachhead, as it shines a light on how much time defenders have to actually contain an incident before it becomes a breach," Alperovitch said. "Two hours is not a huge amount of time, but it's also not instantaneous. We often talk about cyber-attacks occurring at the speed of light, but that's just not the case."
During that nearly two-hour time period, Alperovitch said human attackers are performing reconnaissance on systems in an effort to determine where to go next and how to elevate privileges. While detecting attackers before they are able to break out from an initial infection point is important, so too is blocking attackers at the network perimeter.
"You want to block as much as possible, but the reality is that there is no silver bullet and things will get through," he said.
Alperovitch added that if organizations are not preventing and blocking as much malware and attack activity as possible, security teams won't have the time to properly look at the more sophisticated threats. One of the ways that attacks got through in 2017 was via sophisticated supply chain attacks. One such attack occurred in September 2017 when the CCleaner tool was hacked, infecting millions of users with backdoor malware when they attempted to download or update the software.
"The reality now is that legitimate applications are being exploited by adversaries," he said. "Patching is important, but it's definitely not a panacea."
What Organizations Should Focus On
While there is no shortage of threats that organizations face, Alperovitch said there are three key metrics that can be used to help minimize risk: time to detection, time to investigation and time to remediation.
Time to detection is the amount of time it takes for an organization to detect an initial threat. The best organizations should be able to detect threats within a minute using automated technologies, he said.
Time to investigation should be tracked to determine how long it takes to investigate a detected threat. Investigations can involve humans and should take approximately 10 minutes, according to Alperovitch.
Alperovitch suggests that the third metric, time to remediation, for the best organizations should be one hour. During that time, organizations are cleaning up after any actions that an attacker conducted as well as ejecting the adversary from the network.
"If you are that fast, you'll be able to contain the incident and prevent a breach from taking place," he said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.