Slashdot Mirror

← Back to Stories (view on slashdot.org)

You Have Around 20 Minutes To Contain a Russian APT Attack (zdnet.com)

Posted by msmash on from the small-window dept.

When a Russian nation-state actor attacks a government or a private organization, they have about 20 minutes to detect and contain the attack. From a report: New statistics published today by US cyber-security firm Crowdstrike ranked threat groups based on their "breakout time." "Breakout time" refers to the time a hacker group takes from gaining initial access to a victim's computer to moving laterally through its network. This includes the time the attacker spends scanning the local network and deploying exploits in order to escalate his access to other nearby computers.

[...] According to data gathered from 2018 hack investigations, CrowdStrike says Russian hackers (which the company calls internally "Bears") have been the most prolific and efficient hacker groups last year, with an average breakout time of 18 minutes and 49 seconds.

39 of 123 comments (clear)

  1. 20 minutes? by 110010001000 · · Score: 2

    With enough vodka I do it in 10.

    1. Re:20 minutes? by Red_Forman · · Score: 1

      I can do it in two. /Scrapper-142

  2. 'APT' attack? by Necron69 · · Score: 2, Interesting

    I admit I had to Google that one. Stupid article doesn't explain the name at all, and here I was thinking we had some big new Debian/Ubuntu vulnerability.

    - Necron69

    1. Re:'APT' attack? by aaarrrgggh · · Score: 3, Interesting

      While it didn’t register, I was able to come up with Advanced Persistant Threat on my own given the summary.

    2. Re:'APT' attack? by retchdog · · Score: 1

      well, shit! look at the brain on aaarrrgggh. you are one smart motherfucker, aaarrrgggh!

      --
      "They were pure niggers." – Noam Chomsky
    3. Re:'APT' attack? by Anonymous Coward · · Score: 1

      Thats because the article is hand waving pseudo-technical sounding clickbait horse shit to keep this Russia nonsense alive.

      Or it could be you're just that ignorant.

      APT is a term that has been around for fucking years now, and is well-known within the security community. Calling that "pseudo-technical" clickbait horse shit does nothing but showcase your stupidity. Be thankful they didn't use really advanced terms like "DNS" and "AD" to further confuse you.

    4. Re:'APT' attack? by tomhath · · Score: 2

      Which doesn't change the fact that the article really *is* clickbait horse shit to keep this Russia nonsense alive.

  3. Honeypots by goombah99 · · Score: 4, Insightful

    I've wondered for some time why Honeypots are not a near-universal solution to this. That is, each router can host a bunch of fake servers with real IP addresses on the network then watch for intrusion attempted or real on these fake nodes. You don' t need a lot of horsepower backing the fake nodes since they are not doing anything except mimicking a normal level of net traffic to other computers so it's not a burden on the system or the routers. And if one was worried the hackers could eventually learn to spot these virtual nodes in the routers (perhapsvia hacking the router itself), then one could also sprinkle in a few real computers on the network acting as honey pots.

    In any event, any attempt to break in or a successful one on a honey pot, is 100% evidence the network is experiencing lateral intrusions and you just shut it down immediately.

    What's the catch?

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Honeypots by fustakrakich · · Score: 1

      What's the catch?

      Headlines, drama, intrigue, excitement! We need these stories to keep our eyes on the prize.

      --
      “He’s not deformed, he’s just drunk!”
    2. Re:Honeypots by Shaitan · · Score: 1

      "What's the catch?"

      Time, effort, resources. This is all very very expensive in all three areas since devs are being used as part-time admins it only gets worse.

    3. Re:Honeypots by N1AK · · Score: 2

      I can't help but think there will be some obvious answer, but for once this is a suggestion on Slashdot that does seem to make quite a lot of sense. You can put a lot of security in place, but a lot of the escalated response steps are often manual. If my firewall IPS detects something it can stop that traffic, but a larger response would need to be triggered by an employee and we don't have a24/7 IT Ops desk so it could be 10+ hours between the first IPS and someone acting. If you're typical attack happens over a day this isn't a big issue, but less than a couple of hours...
      I can see some headaches about making sure your honeypots don't trigger lockdowns on unintended safe activity, and you'd have to ensure the honeypots were obvious enough they didn't get missed while also not being obviously honeypots which may be a hard thing to balance.

    4. Re:Honeypots by jbmartin6 · · Score: 4, Insightful

      It's not quite so simple. From what I've seen in pen tests and attacks, fake network nodes are not effective. Attackers aren't blindly flailing around breaking into whatever host they find. They are following various bits of information which they find on each link in the chain. Either by examining domain structures, local documents on a workstations, and the like. At least you would have to add your honeypots to AD or other information sources so attackers would find them, then tune out all the noise from legitimate tools and processes which try to access your honeypots for network inventory, vulnerability scans, host management, etc. Deception as a defense strategy is not a bad idea, it just takes some thought to put it where attackers are likely to find it but legitimate process or curious users don't stumble across it. Meanwhile, AD and system admins are cautious about injecting anomalous data into their babies.

      Some folks are using virtual infrastructure to place fake workstations around, so that attackers in the early 'get any Windows credential hash and see where it leads' can trip across them and set off alarms. This is aimed at tools like Responder and the like which try to get other nodes to send them an authentication exchange. One thing that should exist, and AFAIK does not, is a way to add well disguised fake credentials to the local Windows system, since that is usually the first place an attacker will look once they gain their foothold. Their are commercial tools which will do this, for a price, but no reliable way to make a convincing decoy on the cheap.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    5. Re:Honeypots by ctilsie242 · · Score: 2

      The catch is that you need manpower to actually have someone look at the honeypots, declare there is an attack in progress, and start disconnecting stuff. However, in most IT environments, not many employees will actually do so unless they have 100% evidence to do so, for fear they will be fired for crying wolf. In fact, IT people may get fired regardless of catching the attack in progress because "it happened on their watch."

      For a small startup with C-level people, this would work and even provide some entertainment. However, for a lot of companies where the C-levels actually will make a tidy profit by shorting their stock before they announce to the public they were compromised, it likely would not work.

  4. Arrogant President Trump by Anonymous Coward · · Score: 1

    Will mock handicapped reporters and tweet insults that make you feel sick

    1. Re:Arrogant President Trump by tehcyder · · Score: 5, Insightful

      He did not insult a handicapped reporter. He was mocking someone in his speech and, to convey their level of intelligence, made a face and a spastic hand motion. The target of his insult was not handicapped. He's done the same thing many times, at non-handicapped people. There just happened to be a random handicapped reporter attending, and the misconstrueing bagan...

      As for insults, he gets as good as he given (except that he's a bit better at making it funny).

      At the risk of stating the obvious, making "a face and a spastic hand motion" that equates physical disability with low intelligence is offensive in itself, regardless of who you're talking to.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    2. Re:Arrogant President Trump by wildfish · · Score: 3, Insightful

      whoooshh .. "and, to convey their level of intelligence, made a face and a spastic hand motion" The insult in your statement here does not require the presence of any particular type of person. The insult is the conflation of certain physical traits with intelligence.

  5. Bullshit by gweihir · · Score: 1

    They have a few years actually building secure infrastructure instead of the insecure crap most have in place. If you are not prepared, even advanced script-kiddies can get in.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  6. You don't have 20m by guruevi · · Score: 1

    Once you've been breached you're at least 2-3 years too late to contain the issue. These "nation states" hackers typically aren't the best in the field. They get in through inept security IT people above all else.

    These companies have something to sell you - containment is a poor security strategy but sadly most companies won't invest until something happens so containment is their only strategy.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
    1. Re:You don't have 20m by Freischutz · · Score: 1

      Once you've been breached you're at least 2-3 years too late to contain the issue. These "nation states" hackers typically aren't the best in the field. They get in through inept security IT people above all else.

      Seems to me then that they are exploiting the biggest un-patched vulnerability in the system. That is not a sign of lacking skill, it is a sign of intelligence. You don't launch a frontal assault on the city walls thorough a hailstorm of arrows and cannon balls when you can sneak in through the sewers and surprise the defenders. What the Russians have done is send their intelligence services after best criminal hackers and confront them with a choice, either they drop everything and go to work for the intelligence services whenever they are needed while the security services make sure they suffer no unwanted attention over their side-business or ... well let's just say that American shit-hole prisons are a luxury spa compared to Russian ones.

    2. Re:You don't have 20m by mlyle · · Score: 1

      Oh, come on. The personnel may be uneven, but nation states both have very, very nasty toolkits to assist spread, concealment, and information extraction... and they buy zero-days.

      An initial foothold on the network can only be prevented by A) inability to be exploited by undisclosed exploits and B) perfect end-user practices to not inadvertently cooperate with attackers. Otherwise, we're in the scenario described above.

  7. Re:DRUMPF by liquid_schwartz · · Score: 1

    Nobody "stole" any elections. Hillary (It's Her Turn) Clinton lost in the same way as she lost to Obama, by being Hillary. If she's the best the Democrat party can deliver, the Democrat party will be out of office even if Drumpf resigns and is imprisoned.

    Of course, this time the Democrat party can try with Pocahontas...

    They know this, thus the push for importing millions of people illegally then making them voters. If you can drown out the actual citizens with a loyal constituency then you win. It will destroy the country and wreck standards of living but hey, you can't make an omelette without breaking a few eggs.

  8. Poppycock by jbmartin6 · · Score: 1
    Well, Crowdstrike sells endpoint detection and response software, so the claim has to be taken with a grain of salt. But the real problem lies here:

    "Breakout time" refers to the time a hacker group takes from gaining initial access to a victim's computer to moving laterally through its network...The "breakout" metric is crucial for organizations, as this is the time they have to detect infections and isolate hacked computers before a simple intrusion turns into a compromise of its entire network.

    Getting lateral movement is just one of the early steps in the chain, not the game over moment. Nor does it mean 'the entire network' is compromised. Attacker still has to locate what they need on the network and then get access to it, and then exfiltrate it (for stealing data) or break it. In other words, you still have a lot more than 20 minutes to detect and respond effectively.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  9. Let's make this about me, OK? by CaptainDork · · Score: 3, Interesting

    Mobil Oil, ca. 1986. We had a fractional T1 connecting Beaumont, Dallas and Reston, Va.

    I was senior network engineer in Beaumont. Got a call from Dallas that a hacker* was crawling all over the place.

    I pulled the Ethernet cable on my Cisco router while I was on the phone.

    Reston started calling, freaking out. It never occurred to the other blokes that bad guys ride wires.

    *The hacker was actually a Joe Cool Kollidge Kid working for us who hooked Mobil to Lamar University in Beaumont to his home computer.

    Ah, the learning days. I miss those.

    --
    It little behooves the best of us to comment on the rest of us.
  10. Nice graphics by CustomSolvers2 · · Score: 1

    The linked article is a masterpiece! So cool names and animals for the state actors! And look at the Mummy Spider below! What a tremendous job! 20 minutes, 3 hours or 5 years, it doesn't matter! Simple values which anyone could easily input into that well-crafted graphical heaven! I don't know what you are selling, but I want 10 of each! Please, take my money!! LOL.

    --
    Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
    1. Re:Nice graphics by Archtech · · Score: 1

      As Caitlin Johnstone lucidly explains, when it comes to propaganda facts count for nothing - what you need is a good hot exciting story.

      https://caitlinjohnstone.com/2...

      --
      I am sure that there are many other solipsists out there.
    2. Re:Nice graphics by CustomSolvers2 · · Score: 1

      As a terrible salesman, my opinion about what should (not) be done is worth nothing. As a random viewer and potential client, I can say that a so marketing-intensive setup is very unappealing to me. Much more when dealing with a theoretically "cold" reality, where accurate and properly-justified numbers seem the only important thing. If you are selling cakes, slightly increasing the amount of sugar might be a good idea; but certainly not if you are selling steaks.

      --
      Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
  11. Re:Eagles are missing from the list! by gmuslera · · Score: 1

    It would be Elephant instead, even if you don't see it in the room.

  12. Re:The same dudes that "investigated" the DNC serv by Archtech · · Score: 1

    Nowhere in the article does it say anything about how Crowdstrike are supposed to have identified the attackers. But we do know that the CIA and NSA (to say nothing of other parts of the alphabet soup) have means of disguising their malicious handiwork as that of anyone else they please.

    Would anyone like to suggest practical ways in which Crowdstrike could be certain about who is responsible for a given attack?

    --
    I am sure that there are many other solipsists out there.
  13. Re:Eagles are missing from the list! by Archtech · · Score: 1

    I want to know where USA falls on their list.

    It isn't on their list - of course. Americans would never do anything bad or harmful.

    --
    I am sure that there are many other solipsists out there.
  14. Re:The same dudes that "investigated" the DNC serv by Archtech · · Score: 1

    "WHY THE DNC WAS NOT HACKED BY THE RUSSIANS"

    William Binney, former Technical Director NSA
    Larry Johnson, former State CT and CIA

    https://turcopolier.typepad.co...

    --
    I am sure that there are many other solipsists out there.
  15. apt-get 1998; threat 2006 by tepples · · Score: 2

    APT has referred to Debian's package manager since 1998 or thereabouts. The earliest public citation for "advanced persistent threat" I can find in a cursory search is from US Air Force Colonel Greg Rattray in 2006.

  16. Re:Stop using Microsoft products by tepples · · Score: 1

    It's pretty hard to avoid Azure or GitHub if you work in computer software.

  17. ORLY 2 by jf_moreira · · Score: 1

    Assuming you know **it about it.

  18. US, China Internet attack legitimize Russian APT. by dweller_below · · Score: 2

    The US has been attacking multiple countries via the Internet for years. We did it first. We did it best. Yay US. Years ago, our doctrine was that Internet attack was a favorable option, because it had less unfortunate consequences than physical attack. But now, Internet can be much more devastating that physical attack. And the US has the most to lose in Internet attack.

    The US economy is totally dependent on the Internet. Internet attack can cripple or destroy us. We can no longer afford to legitimize Internet attack. The past aggressive internet attacks by the US, China and Russia have legitimized Internet attack for all the remaining governments. EVERYBODY who has anything valuable, now gets a chance to receive targetted, remote attack by several governments, PLUS targetted attack by the many organized crime groups.

    The US must formally cease undeclared war via the Internet. We must work with all other governments to ensure that we ALL stop waging undeclared war via the Internet.

  19. Re:The same dudes that "investigated" the DNC serv by Anonymous Coward · · Score: 1, Interesting

    What's up with slashdot lately? Russia, Huawei, China, Russia, Huawei, China, Russi, Huawei, China.

  20. Re:Impeach Pelosi! by CAOgdin · · Score: 1

    I can understand why you're an Anonymous Coward! Your politics are upside-down!

  21. Re:DRUMPF by CAOgdin · · Score: 1

    Um...er....She Actually WON the voters' preference in the Election. It was the Electoral College that reversed that outcome! It's an anachronistic outrage that smaller-population states refuse to challenge, even in light of the Internet...which wasn't even a dream when the E.C. originally rode horseback to their Washington, D.C. meetings.

    It needs to be abolished as archaic and unfair to voters. It's one of the reasons some adults refuse to vote...because their vote can be overridden by selected politicians!

  22. Re:DRUMPF by sarren1901 · · Score: 1

    The whole idea behind the E.C. was to ensure a few big cities didn't decide who the President would be every four years.

    If we really want to talk about how unfair the E.C. is, we can talk about how most states are winner take all. So you get 51% of the vote in a given state and you get EVERYTHING. It's one of numerous reasons why people would like to break up California and Texas as well.

    The popular vote would change that but then the politicians would change how they run for office. If they knew it was popular vote they would just blow sunshine at the huge cities and ignore half the country due simply to numbers.

    Which brings us right back to the founding fathers didn't want a handful of cities deciding the election every four years.

  23. Re:US, China Internet attack legitimize Russian AP by _merlin · · Score: 1

    Nice sentiment, but the cat's out of the bag and you can't put the genie back in the bottle. Welcome to the brave new world where you have to assume anything connected to the Internet will be attacked, whether it's by your own government, another government, a competing business, a black hat, or kids doing it for the lulz. Yeah, I miss the old, friendly Internet as much as anyone, where we could run recursing DNS servers, open mail relays, TCP small services, and unencrypted web servers. But it hasn't existed for more than a decade now.