Slashdot Mirror

← Back to Stories (view on slashdot.org)

You Have Around 20 Minutes To Contain a Russian APT Attack (zdnet.com)

Posted by msmash on from the small-window dept.

When a Russian nation-state actor attacks a government or a private organization, they have about 20 minutes to detect and contain the attack. From a report: New statistics published today by US cyber-security firm Crowdstrike ranked threat groups based on their "breakout time." "Breakout time" refers to the time a hacker group takes from gaining initial access to a victim's computer to moving laterally through its network. This includes the time the attacker spends scanning the local network and deploying exploits in order to escalate his access to other nearby computers.

[...] According to data gathered from 2018 hack investigations, CrowdStrike says Russian hackers (which the company calls internally "Bears") have been the most prolific and efficient hacker groups last year, with an average breakout time of 18 minutes and 49 seconds.

13 of 123 comments (clear)

  1. 20 minutes? by 110010001000 · · Score: 2

    With enough vodka I do it in 10.

  2. 'APT' attack? by Necron69 · · Score: 2, Interesting

    I admit I had to Google that one. Stupid article doesn't explain the name at all, and here I was thinking we had some big new Debian/Ubuntu vulnerability.

    - Necron69

    1. Re:'APT' attack? by aaarrrgggh · · Score: 3, Interesting

      While it didn’t register, I was able to come up with Advanced Persistant Threat on my own given the summary.

    2. Re:'APT' attack? by tomhath · · Score: 2

      Which doesn't change the fact that the article really *is* clickbait horse shit to keep this Russia nonsense alive.

  3. Honeypots by goombah99 · · Score: 4, Insightful

    I've wondered for some time why Honeypots are not a near-universal solution to this. That is, each router can host a bunch of fake servers with real IP addresses on the network then watch for intrusion attempted or real on these fake nodes. You don' t need a lot of horsepower backing the fake nodes since they are not doing anything except mimicking a normal level of net traffic to other computers so it's not a burden on the system or the routers. And if one was worried the hackers could eventually learn to spot these virtual nodes in the routers (perhapsvia hacking the router itself), then one could also sprinkle in a few real computers on the network acting as honey pots.

    In any event, any attempt to break in or a successful one on a honey pot, is 100% evidence the network is experiencing lateral intrusions and you just shut it down immediately.

    What's the catch?

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Honeypots by N1AK · · Score: 2

      I can't help but think there will be some obvious answer, but for once this is a suggestion on Slashdot that does seem to make quite a lot of sense. You can put a lot of security in place, but a lot of the escalated response steps are often manual. If my firewall IPS detects something it can stop that traffic, but a larger response would need to be triggered by an employee and we don't have a24/7 IT Ops desk so it could be 10+ hours between the first IPS and someone acting. If you're typical attack happens over a day this isn't a big issue, but less than a couple of hours...
      I can see some headaches about making sure your honeypots don't trigger lockdowns on unintended safe activity, and you'd have to ensure the honeypots were obvious enough they didn't get missed while also not being obviously honeypots which may be a hard thing to balance.

    2. Re:Honeypots by jbmartin6 · · Score: 4, Insightful

      It's not quite so simple. From what I've seen in pen tests and attacks, fake network nodes are not effective. Attackers aren't blindly flailing around breaking into whatever host they find. They are following various bits of information which they find on each link in the chain. Either by examining domain structures, local documents on a workstations, and the like. At least you would have to add your honeypots to AD or other information sources so attackers would find them, then tune out all the noise from legitimate tools and processes which try to access your honeypots for network inventory, vulnerability scans, host management, etc. Deception as a defense strategy is not a bad idea, it just takes some thought to put it where attackers are likely to find it but legitimate process or curious users don't stumble across it. Meanwhile, AD and system admins are cautious about injecting anomalous data into their babies.

      Some folks are using virtual infrastructure to place fake workstations around, so that attackers in the early 'get any Windows credential hash and see where it leads' can trip across them and set off alarms. This is aimed at tools like Responder and the like which try to get other nodes to send them an authentication exchange. One thing that should exist, and AFAIK does not, is a way to add well disguised fake credentials to the local Windows system, since that is usually the first place an attacker will look once they gain their foothold. Their are commercial tools which will do this, for a price, but no reliable way to make a convincing decoy on the cheap.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    3. Re:Honeypots by ctilsie242 · · Score: 2

      The catch is that you need manpower to actually have someone look at the honeypots, declare there is an attack in progress, and start disconnecting stuff. However, in most IT environments, not many employees will actually do so unless they have 100% evidence to do so, for fear they will be fired for crying wolf. In fact, IT people may get fired regardless of catching the attack in progress because "it happened on their watch."

      For a small startup with C-level people, this would work and even provide some entertainment. However, for a lot of companies where the C-levels actually will make a tidy profit by shorting their stock before they announce to the public they were compromised, it likely would not work.

  4. Re:Arrogant President Trump by tehcyder · · Score: 5, Insightful

    He did not insult a handicapped reporter. He was mocking someone in his speech and, to convey their level of intelligence, made a face and a spastic hand motion. The target of his insult was not handicapped. He's done the same thing many times, at non-handicapped people. There just happened to be a random handicapped reporter attending, and the misconstrueing bagan...

    As for insults, he gets as good as he given (except that he's a bit better at making it funny).

    At the risk of stating the obvious, making "a face and a spastic hand motion" that equates physical disability with low intelligence is offensive in itself, regardless of who you're talking to.

    --
    To have a right to do a thing is not at all the same as to be right in doing it
  5. Re:Arrogant President Trump by wildfish · · Score: 3, Insightful

    whoooshh .. "and, to convey their level of intelligence, made a face and a spastic hand motion" The insult in your statement here does not require the presence of any particular type of person. The insult is the conflation of certain physical traits with intelligence.

  6. Let's make this about me, OK? by CaptainDork · · Score: 3, Interesting

    Mobil Oil, ca. 1986. We had a fractional T1 connecting Beaumont, Dallas and Reston, Va.

    I was senior network engineer in Beaumont. Got a call from Dallas that a hacker* was crawling all over the place.

    I pulled the Ethernet cable on my Cisco router while I was on the phone.

    Reston started calling, freaking out. It never occurred to the other blokes that bad guys ride wires.

    *The hacker was actually a Joe Cool Kollidge Kid working for us who hooked Mobil to Lamar University in Beaumont to his home computer.

    Ah, the learning days. I miss those.

    --
    It little behooves the best of us to comment on the rest of us.
  7. apt-get 1998; threat 2006 by tepples · · Score: 2

    APT has referred to Debian's package manager since 1998 or thereabouts. The earliest public citation for "advanced persistent threat" I can find in a cursory search is from US Air Force Colonel Greg Rattray in 2006.

  8. US, China Internet attack legitimize Russian APT. by dweller_below · · Score: 2

    The US has been attacking multiple countries via the Internet for years. We did it first. We did it best. Yay US. Years ago, our doctrine was that Internet attack was a favorable option, because it had less unfortunate consequences than physical attack. But now, Internet can be much more devastating that physical attack. And the US has the most to lose in Internet attack.

    The US economy is totally dependent on the Internet. Internet attack can cripple or destroy us. We can no longer afford to legitimize Internet attack. The past aggressive internet attacks by the US, China and Russia have legitimized Internet attack for all the remaining governments. EVERYBODY who has anything valuable, now gets a chance to receive targetted, remote attack by several governments, PLUS targetted attack by the many organized crime groups.

    The US must formally cease undeclared war via the Internet. We must work with all other governments to ensure that we ALL stop waging undeclared war via the Internet.