In 2017, Ransomware wreaked havoc around the globe, bringing business, hospitals, and government organization alike to a grinding halt. Thousands were greeted by ominous messages demanding ransom payment to decrypt their files, and news of the attacks spread nearly as fast as the attacks themselves. But, in my opinion, one of the broader consequences of those dark days of ransomware is that many people came to expect if a breach is bad, they will know about it right away.
Now, I am not saying that ransomware is no longer a threat, far from it. However, it’s important to understand why ransomware was appealing to attackers in the first place: Bitcoin. Bitcoin gave cyber criminals an easy way to monetize their attack, while anonymizing the financial exchange. This meant they could attack and cash out while leaving as small of a financial paper trail as possible. For this reason alone, the risk of announcing your presence on an infected machine was worth it. But this is counter to how hackers, who want to reduce exposure and reduce the risk of being caught, normally operate.
Responding to threats in a timely fashion can be the difference between a quick fix, and a major security incident. The longer the threat goes undetected, the more harm it can cause. Cryptojacking malware, for example, uses an average of 25% of an endpoints CPU while running, and generating a single bitcoin can cost nearly $10,000 in power alone. While an increased power bill, and slowed machines might set off alarm bells, many organizations would struggle to identify and remediate the threat on that information alone.
In fact, it takes an average of 197 days1 for a business to detect a breach, a credit to the skilled nature of attackers able to hide their attack in plain sight. For smaller organizations, the problem is even worse, with average time to detection taking nearly 800 days2.
In the face of increasingly evasive threats, here are a few axioms that can help accelerate detection and remediation.
- Know what you don’t know. Zero day malware comprises a startling proportion of malware. Relying on antivirus from an OS vendor, and simple packet-filtering? Believe me when I tell you – what you don’t know CAN hurt you. In network security, knowing what you don’t know is all about sourcing the best threat intelligence, correlating as much as possible, making security information actionable, and deploying artificial intelligence that learns with each new threat.
- Correlation IS Causation. Well-implemented security systems serve up a huge amount of data. With correlation, you can look at security inputs from multiple sources in tandem – so if your network device detects your user attempting to connect with a bad site, and the user’s endpoint flags a sudden change to the host file, you’ll have a good idea that a botnet is present.
- Bring light to the darkness. Threats can hide in the shadows of encrypted connections. Upwards of 90% of network traffic is encrypted. Attackers issue orders and even deliver payloads via HTTPS. Being able to inspect this traffic isn’t just a nice feature to have, it’s a best practice that every business should implement.
- Keep your head in the Clouds. The Cloud is a powerful platform for security. Through the Cloud we can process more threat data, faster. We can bring once disconnected technologies together for a more complete picture of your security posture. And, we can scale rapidly and seamlessly extend protections beyond the traditional perimeter.
- Focus on the Phish. Cyber-criminals are exploiting the naiveté of users as their initial attack vector. In fact, 90% of cyber attacks today begin with a successful phishing attempt, delivered via email that tricks one of your users. Blocking connections to malicious infrastructure and being able to kill the processes that attempted the connection can keep risky-clicks from becoming major security incidents. Training your employees to spot these attacks can prevent the clicks altogether.
Want to learn more about how WatchGuard can help accelerate breach detection? Download our whitepaper Defending Against Known, Unknown, and Evasive Threats with WatchGuard Threat Detection and Response.
1https://securityboulevard.com/2018/07/survey-finds-breach-discovery-takes-an-average-197-days/