In Time: Responding to a Cyber Incident
Cyber threats have continued to grow year over year, as the number and scale of data breaches make evident. Organizations face a variety of cyber threats, from large-scale phishing campaigns to targeted attacks by cybercrime organizations and hacking groups. When a breach occurs, rapid response is critical. The longer an incident goes undetected, and the greater the foothold the attacker can establish within an organization, the more difficult and expensive the incident response and remediation process will be. As recent studies show, how fast is fast enough when responding to a cyber incident depends on who is behind the attack.
How Long Do I Have?
Ideally, detection and quarantine of an attack occur before the hacker achieves “breakout”. This is the point at which the hacker has successfully scanned the network, identified one or more vulnerabilities on other computers, and exploited them. From here, the attacker can expand beyond “patient zero” and move laterally through the network. After breakout, identifying all infected machines becomes much more difficult, since the attacker can use means indistinguishable from normal traffic (such as logins with stolen passwords) to compromise new machines.
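One of the few signals that survives the shift to "normal-looking" traffic is fan-out: a single account that suddenly authenticates successfully to many distinct hosts in a short span. The following is an added example (not code from the original article, nor from CrowdStrike or any MSSP) that runs a sliding-window check over a constructed set of authentication log lines and raises an alert when an account reaches a threshold of distinct destination hosts inside a window. The 18-minute default window echoes the fastest breakout time cited later in the article; the four-host threshold, the log format, and the host and account names are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events (not real data). Each line:
#   <ISO timestamp> user=<account> src=<host> dst=<host> result=<success|failure>
# svc-backup fans out to five hosts in ten minutes; alice and bob behave normally.
SAMPLE_LOG = """\
2024-03-01T09:00:12Z user=alice src=ws-01 dst=file-srv result=success
2024-03-01T09:05:40Z user=alice src=ws-01 dst=mail-srv result=success
2024-03-01T11:30:05Z user=alice src=ws-01 dst=file-srv result=success
2024-03-01T13:02:10Z user=svc-backup src=ws-07 dst=db-01 result=success
2024-03-01T13:04:55Z user=svc-backup src=ws-07 dst=db-02 result=success
2024-03-01T13:06:31Z user=svc-backup src=ws-07 dst=fs-03 result=success
2024-03-01T13:09:02Z user=svc-backup src=ws-07 dst=hr-app result=success
2024-03-01T13:11:47Z user=svc-backup src=ws-07 dst=dc-01 result=failure
2024-03-01T13:12:20Z user=svc-backup src=ws-07 dst=dc-01 result=success
2024-03-01T16:45:00Z user=bob src=ws-02 dst=file-srv result=success
"""


def parse_line(line):
    """Turn one log line into a dict with a parsed 'ts' datetime plus the key=value fields."""
    ts_str, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_lateral_spread(log_text, window_minutes=18, host_threshold=4):
    """Return one alert per account that successfully authenticates to at least
    host_threshold distinct destination hosts within any window_minutes window.

    Only successful logins count: with stolen credentials there may be no failures
    at all, which is exactly why failure-based alerting misses post-breakout movement.
    """
    window = timedelta(minutes=window_minutes)
    events_by_user = defaultdict(list)
    for line in log_text.strip().splitlines():
        event = parse_line(line)
        if event["result"] == "success":
            events_by_user[event["user"]].append(event)

    alerts = []
    for user, events in events_by_user.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Advance the window start so the window never exceeds window_minutes.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            hosts = {e["dst"] for e in events[start:end + 1]}
            if len(hosts) >= host_threshold:
                first, last = events[start]["ts"], events[end]["ts"]
                alerts.append({
                    "user": user,
                    "hosts": sorted(hosts),
                    "sources": sorted({e["src"] for e in events[start:end + 1]}),
                    "first_seen": first.isoformat(),
                    "last_seen": last.isoformat(),
                    "span_seconds": int((last - first).total_seconds()),
                })
                break  # one alert per account is enough to start triage
    return alerts


if __name__ == "__main__":
    for alert in detect_lateral_spread(SAMPLE_LOG):
        print(f"ALERT {alert['user']}: {len(alert['hosts'])} hosts in "
              f"{alert['span_seconds']}s -> {', '.join(alert['hosts'])}")
```

The point of the window is containment time: an alert that fires while the account is still on its fourth host, several minutes before the fifth, is what gives a responder a realistic chance to isolate the source workstation before breakout is complete. Tune the threshold against a baseline of each account's normal host count; service accounts that legitimately touch many hosts need an allow-list or a higher threshold rather than a blanket exception.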
But what does this mean in terms of hours, or even minutes?
CrowdStrike’s 2019 Global Threat Report ranked ten of the top countries and types of hackers by how quickly they achieve breakout during a hack. The groups included in the study were:
- North Korea
- Organized Crime
- South Korea
On average, it takes about four hours and thirty-seven minutes for a hacker to achieve breakout. This means that an organization has about four and a half hours, on average, to identify and contain a hack. However, this is only an average. Organized crime is the slowest, with an average breakout time of nine hours and forty-two minutes.
Russian hackers lead the pack with an average time to breakout of only eighteen minutes. This means that an organization has less than eighteen minutes to detect an attack, determine its scope, and quarantine the affected machines. Failing to do so makes detection and cleanup of the attack far more complicated.
How an MSSP Can Help
In cyber incident response, one of the most important steps is quarantining the threat. If an attack is quickly identified and the affected systems are disconnected from the rest of the network, the impact of the attack may be minimal. However, the longer an attack goes undetected and the more established a hacker becomes within a network, the more difficult and expensive it is to completely eradicate them.
Ensuring that a cybersecurity incident is contained requires that it be detected and quarantined before breakout. When the time available to identify and respond to an intrusion is a quarter of an hour, an organization needs a network defense team monitoring and ready to respond 24/7. The global nature of the Internet means that threat actors can, and likely will, operate outside of standard business hours.
With the current cybersecurity skills shortage, it can be difficult or impossible to hire enough cybersecurity talent to achieve this level of monitoring. This is where a Managed Security Service Provider (MSSP) can be a huge asset to an organization. With access to the latest monitoring equipment and staff trained to operate it around the clock, an MSSP maximizes your organization’s probability of detecting a breach in time and takes the burden of protecting against these threats off your own staff.
Picking the Right MSSP
When assessing the many MSSPs available, it’s important to choose the right one. You need an organization capable of performing around-the-clock network monitoring and responding to any incident it identifies. The MSSP should also be familiar with any regulations that apply to your organization (GDPR, HIPAA, PCI, etc.) and their associated security requirements.