Dwelling on Dwell Time

OPM Hack: Sierra Vista is a military town. Therefore, many of us have personal or family ties to the military. I’m sure that many of you were in the same boat I was during the summer of 2015 when we found out about the Office of Personnel Management (OPM) breach. Hackers had exfiltrated (the technical term used when hackers pilfer data) the personal information for almost 20 million people related to the security clearance background investigation applications. The attack occurred in two phases.  The first phase, called X1 by Congressional investigators, started in November, 2013.  OPM discovered it in May, 2014. The hackers had stolen very little documentation.  Before OPM could clean up the mess, the hacker obtained credentials and installed key-loggers and other malware to create a “backdoor” on May 7, 2014.  This second attack, known as X2, went unnoticed for over 11 months.  That boat I mentioned earlier? The one we were in together? It was leaking. And in the water? There were sharks.

How & How Long: While the sharks explored the OPM network they escalated their privileges so they had access to more and more information.  In December 2014, they plundered 4.2 million personnel records.  In March of 2015 they stole fingerprint data.  It wasn’t until mid-April 2015 that security personnel identified the unusual activity.  For over a year, the attackers had set up shop on the OPM network. Imagine how much damage an attacker can do to your organization with almost a year of dwell time!

What is Dwell Time: Dwell time, AKA “the breach detection gap”, is the period between malware first executing within a network and the point at which it is detected and the hemorrhaging is stopped.  During this time, adversaries have access to your organizational assets. Certain types of malware and cyber-attacks require a great deal of dwell time to escalate privileges and achieve their objectives.  Detecting the presence of malware early is critical to minimizing damage and protecting your assets.  In the cyber ocean of malware, avoiding the sharks is ideal, but early detection is a must! According to Ponemon Institute’s 2017 Cost of Data Breach Study (http://www.ponemon.org/research/ponemon-library/security/2017-cost-of-data-breach-study-united-states.html), there is a 25% increase in the average cost of a breach found after 30 days.

A Chain-Link Fence: Hoping anti-virus and anti-malware programs will protect you against all of this is like hoping your chain-link fence will stop mosquitoes. Anti-malware detects “signatures” of known malicious files.  However, today’s malware can easily modify its signature, thereby appearing normal to antivirus engines. And attackers are creating new, advanced malware daily. Avast, McAfee, and the gang still catch most simple malware, but you need more advanced security to protect yourself from the uglies.  Firewalls and intrusion detection systems are another layer of protection. OPM had those too. The big one still made it through. It wasn’t enough.

Protect Yourself: To protect your organization, consider installing endpoint detection “agents” on your laptops and servers.  Endpoint detection agents monitor your system for unusual activity and notify the security operations center.  Some tools even offer endpoint deception, where the attacker opens a “canary” file. We call this a cyber tripwire. The canary file traps the hacker in a virtual network separate from the real network. There the hacker may wander around investigating fake data and fake networks, unbeknownst to him (think of the holodeck on the U.S.S. Enterprise). Shortening the malware dwell time for your organization means reduced risk of a breach, of a malware outbreak, or of being trapped in a botnet scheme or ransomware.  Early detection sure is better than remediation!  Ask OPM, where they will spend over $350 million in credit monitoring services alone.
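To make the “cyber tripwire” idea concrete, here is an added example (not code from the column or from any particular endpoint product) that plants a decoy file with constructed fake contents and raises an alert when the decoy is altered, removed or, on a best-effort basis, read. The decoy name and contents are invented for illustration; read detection leans on access timestamps, which many filesystems update only lazily, so production agents hook file-access events in the kernel instead, and the virtual-network redirection the column describes is out of scope here.

```python
import hashlib
import os
import tempfile
import time
from typing import Dict, List

def plant_canary(path: str) -> str:
    """Write a decoy with tempting but entirely fake contents (constructed example data)."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("service,username,password\nvpn,admin,NOT-A-REAL-SECRET\n")
    return path

def snapshot(path: str) -> Dict[str, object]:
    """Hash the decoy, then stat it AFTER our own read so that read is the baseline, not an alert."""
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    st = os.stat(path)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns,
            "atime_ns": st.st_atime_ns, "sha256": digest}

def check_canary(path: str, baseline: Dict[str, object]) -> List[str]:
    """Compare the decoy against its baseline; an empty list means nobody tripped the wire."""
    try:
        st = os.stat(path)  # stat before we read, so our own hash read is not mistaken for a visitor's
    except FileNotFoundError:
        return ["deleted"]
    alerts: List[str] = []
    current = snapshot(path)
    if current["sha256"] != baseline["sha256"] or current["size"] != baseline["size"]:
        alerts.append("modified")
    elif st.st_mtime_ns != baseline["mtime_ns"]:
        alerts.append("touched")  # same bytes, new timestamp: re-saved or copied over
    if st.st_atime_ns > baseline["atime_ns"]:
        alerts.append("read")  # best effort only: noatime/relatime mounts suppress atime updates
    return alerts

def run_scenario() -> Dict[str, List[str]]:
    """Self-contained demo in a temp dir: plant, baseline, then tamper with the decoy and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        path = plant_canary(os.path.join(tmp, "Passwords-Q3.xlsx"))  # constructed decoy name
        baseline = snapshot(path)
        untouched = check_canary(path, baseline)
        time.sleep(0.05)  # let mtime advance on filesystems with coarse timestamps
        with open(path, "a", encoding="utf-8") as fh:  # simulated tampering with the decoy
            fh.write("backup,root,ANOTHER-FAKE-VALUE\n")
        after_edit = check_canary(path, baseline)
        os.remove(path)
        after_delete = check_canary(path, baseline)
    return {"untouched": untouched, "after_edit": after_edit, "after_delete": after_delete}
```

Each alert would feed the security operations center the same way an endpoint agent's notification does; the shorter the gap between the first alert and containment, the less dwell time the intruder gets.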