Slashdot Mirror


You Have Around 20 Minutes To Contain a Russian APT Attack (zdnet.com)

When a Russian nation-state actor attacks a government or a private organization, they have about 20 minutes to detect and contain the attack. From a report: New statistics published today by US cyber-security firm Crowdstrike ranked threat groups based on their "breakout time." "Breakout time" refers to the time a hacker group takes from gaining initial access to a victim's computer to moving laterally through its network. This includes the time the attacker spends scanning the local network and deploying exploits in order to escalate his access to other nearby computers.

[...] According to data gathered from 2018 hack investigations, CrowdStrike says Russian hackers (which the company calls internally "Bears") have been the most prolific and efficient hacker groups last year, with an average breakout time of 18 minutes and 49 seconds.

5 of 123 comments

  1. The same dudes that "investigated" the DNC server? by Anonymous Coward · Score: 0, Insightful

    Russia Russia Russia Russia Russia Russia

    russia Russia Russia Russia

    It was her turn! Waaah wah wahhhh

  2. Honeypots by goombah99 · Score: 4, Insightful

    I've wondered for some time why Honeypots are not a near-universal solution to this. That is, each router can host a bunch of fake servers with real IP addresses on the network then watch for intrusion attempted or real on these fake nodes. You don't need a lot of horsepower backing the fake nodes since they are not doing anything except mimicking a normal level of net traffic to other computers so it's not a burden on the system or the routers. And if one was worried the hackers could eventually learn to spot these virtual nodes in the routers (perhaps via hacking the router itself), then one could also sprinkle in a few real computers on the network acting as honey pots.

    In any event, any attempt to break in or a successful one on a honey pot, is 100% evidence the network is experiencing lateral intrusions and you just shut it down immediately.

    What's the catch?

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Honeypots by jbmartin6 · Score: 4, Insightful

      It's not quite so simple. From what I've seen in pen tests and attacks, fake network nodes are not effective. Attackers aren't blindly flailing around breaking into whatever host they find. They are following various bits of information which they find on each link in the chain. Either by examining domain structures, local documents on a workstation, and the like. At least you would have to add your honeypots to AD or other information sources so attackers would find them, then tune out all the noise from legitimate tools and processes which try to access your honeypots for network inventory, vulnerability scans, host management, etc. Deception as a defense strategy is not a bad idea, it just takes some thought to put it where attackers are likely to find it but legitimate process or curious users don't stumble across it. Meanwhile, AD and system admins are cautious about injecting anomalous data into their babies.

      Some folks are using virtual infrastructure to place fake workstations around, so that attackers in the early 'get any Windows credential hash and see where it leads' can trip across them and set off alarms. This is aimed at tools like Responder and the like which try to get other nodes to send them an authentication exchange. One thing that should exist, and AFAIK does not, is a way to add well disguised fake credentials to the local Windows system, since that is usually the first place an attacker will look once they gain their foothold. There are commercial tools which will do this, for a price, but no reliable way to make a convincing decoy on the cheap.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
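
Added example (not part of the thread or any poster's code): a small triage routine for the tuning problem raised in the reply above, alerting on any connection to a decoy host unless it matches an expected management source and port. The addresses, host names, log format and allow-list are all constructed for illustration.

```python
from datetime import datetime

# Constructed inventory: decoy addresses mapped to their decoy host names.
DECOYS = {"10.0.5.50": "decoy-fs01", "10.0.5.51": "decoy-ws17"}
# Allow-list is per source AND port: unexpected protocols still alert.
EXPECTED = {
    "10.0.1.10": {22, 135, 445},  # vulnerability scanner (assumed)
    "10.0.1.11": {161},           # SNMP network inventory (assumed)
}

# Constructed connection log, one record per line: timestamp src dst dport
SAMPLE_LOG = """\
2019-02-19T09:00:02 10.0.1.10 10.0.5.50 445
2019-02-19T09:00:03 10.0.1.11 10.0.5.51 161
2019-02-19T09:14:40 10.0.3.27 10.0.2.8 443
2019-02-19T09:15:12 10.0.3.27 10.0.5.50 445
2019-02-19T09:15:13 10.0.3.27 10.0.5.51 445
2019-02-19T09:20:00 10.0.1.11 10.0.5.50 3389
truncated line
"""

def parse(line):
    """Return (when, src, dst, dport), or None for a malformed line."""
    parts = line.split()
    try:
        when, src, dst, dport = parts
        return datetime.fromisoformat(when), src, dst, int(dport)
    except ValueError:
        return None

def decoy_alerts(log_text):
    """Every decoy touch that is not an expected (source, port) pair."""
    alerts = []
    for rec in map(parse, log_text.splitlines()):
        if rec is None or rec[2] not in DECOYS:
            continue  # malformed, or traffic to a real host
        when, src, dst, dport = rec
        if dport in EXPECTED.get(src, set()):
            continue  # known management noise, tuned out
        alerts.append((when, src, DECOYS[dst], dport))
    return alerts

def sources_to_isolate(alerts):
    """Distinct alerting sources in first-seen order."""
    return list(dict.fromkeys(src for _, src, _, _ in alerts))

if __name__ == "__main__":
    for when, src, decoy, dport in decoy_alerts(SAMPLE_LOG):
        print(when.isoformat(), src, "->", decoy, dport)
```

The inventory host at 10.0.1.11 is tuned out for SNMP but still alerts when it reaches a decoy on port 3389, which is why the allow-list is keyed on source and port rather than on source alone.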
  3. Re:Arrogant President Trump by tehcyder · Score: 5, Insightful

    He did not insult a handicapped reporter. He was mocking someone in his speech and, to convey their level of intelligence, made a face and a spastic hand motion. The target of his insult was not handicapped. He's done the same thing many times, at non-handicapped people. There just happened to be a random handicapped reporter attending, and the misconstruing began...

    As for insults, he gets as good as he gives (except that he's a bit better at making it funny).

    At the risk of stating the obvious, making "a face and a spastic hand motion" that equates physical disability with low intelligence is offensive in itself, regardless of who you're talking to.

    --
    To have a right to do a thing is not at all the same as to be right in doing it
  4. Re:Arrogant President Trump by wildfish · Score: 3, Insightful

    whoooshh .. "and, to convey their level of intelligence, made a face and a spastic hand motion" The insult in your statement here does not require the presence of any particular type of person. The insult is the conflation of certain physical traits with intelligence.