
Disrupting the cyber kill chain with managed detection and response

As threat actors get more sophisticated, which consequently means that the time between initial intrusion and lateral movement continues to shorten, the importance of quick detection times cannot be overstated

Tamer Odeh, Regional Sales Director, SentinelOne

In the last 12 months, some truly startling cyber threat statistics have come to light: worldwide ransomware attacks totaled over $236 million in the first half of 2022; over three in every five companies were found to have been targeted by software supply chain attacks; and in 93 percent of cases, threat actors were found to have breached company network boundaries and accessed sensitive resources. Looking further back, Business Email Compromise (BEC) attacks have, shockingly, cost companies over $43 billion since 2016.

All of this data highlights that cyber criminals motivated by the possibility of financial gain have been experiencing success through the deployment of Advanced Persistent Threat (APT) campaigns. Worse still, the cyber threat landscape continues to evolve at an alarming rate, and there’s little doubt that global threat actors will continue to upgrade their tools and tactics in the coming months and years.

Looking at modern threats under a microscope, lateral movement or lateral spread – the movement of threat actors within a compromised environment/network – is a key element. By leveraging this technique, nefarious individuals secure their foothold in the target environment and spread laterally through it, in an effort to find, steal, and encrypt important assets and data for ransom.

The anatomy of a cyber-attack lifecycle

With the potential for a significant payday looming, threat actors have established dependable methodologies that allow them to move through a compromised environment in a process called attack lifecycle or kill chain.

This process comprises several phases that can be defined as follows: reconnaissance/planning, credential dumping, enumeration, lateral movement access and, finally, mission completion. In the first phase, threat actors pick their target and research their mark’s network infrastructure, systems and users. By putting in this initial effort, the threat actor’s chances of successfully exploiting the target and leveraging vulnerabilities increase significantly.

In the next phase – credential dumping – threat actors commit to breaching the target environment; this is usually where legitimate credentials are obtained through fraudulent means, so that as many hosts as possible can be compromised. In the enumeration phase – after gaining access to the target environment – threat actors focus on quickly working out where they are in the system, what access they have, and where they can spread to next. This is typically when machine names, network assets and other resources are extracted by performing direct queries.

From the threat actor’s perspective, the next phase – lateral movement access – is the most critical part of the kill chain. Having acquired what they need, these nefarious individuals will begin to expand their foothold in the environment by using malicious tools to continuously upgrade their permissions, access critical data and systems, and distribute malware and toolsets.

In the last phase, threat actors have increasingly been found to exfiltrate sensitive data first and then encrypt it within the environment, which gives them greater leverage over their target.

Shortening dwell times

Complicating matters further, recent research has found that threat actors are becoming more efficient in carrying out their attacks. In a nutshell, the overall average timeframe for an attack is now much shorter than in the past. Whereas dwell time (the length of time between an initial breach and the detection of the threat) could once have been weeks or months, today many threat campaigns – particularly ransomware – last only a matter of hours. This suggests that threat actors are often already within a victim’s network and are just waiting to deploy.

Unfortunately, this means that traditional security solutions including SIEMs (security information and event management platforms), anti-viruses, and anti-malware are unable to quickly and efficiently detect threat actors.

So, considering shorter dwell times and advanced hacking tactics, the challenge for businesses today is to detect the presence of cyber threats as soon as possible. This in turn means that fast and accurate threat detection should be a key pillar of modern cybersecurity strategies.

Counteracting lateral movement

Considering this issue, the obvious question is: when and how fast should organisations detect threats to prevent the worst from happening? Going back to the cyber attack lifecycle, the most critical period to act is during the reconnaissance and credential dumping phases.

During these phases, threat actors won’t have had the chance to move deep into the compromised network through lateral movement. At this point, the threats will also be more visible as they’re likely not blended in with regular network traffic, nor is it likely threat actors would be able to take advantage of network resources to expand their foothold in the system by using native tools and processes.

In simple terms, the more time and resources threat actors have, the higher the likelihood that they will meet their objectives. From the standpoint of organisations wishing to defend against these nefarious individuals, the main goal should be to prevent them from reaching the lateral movement phase, which is what enables them to do critical damage.
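To make the kill-chain phases and the dwell-time argument above concrete, here is an added example (not code from the article or from SentinelOne) that runs two simple detection rules over constructed endpoint telemetry: an enumeration-burst rule aimed at the early phase, and a remote-logon fan-out rule aimed at lateral movement. The record format, the account name, the hostnames, the timings and the thresholds are all assumptions made for the example; the point it shows is how much earlier in the chain the first rule fires.

```python
"""Phase-aware detection over constructed endpoint telemetry (added example, not vendor code).

Each record is "ISO-timestamp,user,event,target". Dwell time is measured from the
first suspicious record for the account to the moment each rule raises an alert.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry for one compromised account; hostnames and timings are made up.
SAMPLE_LOG = """\
2023-03-01T09:00:00,jdoe,cred_dump,lsass.exe
2023-03-01T09:01:10,jdoe,enum_query,net group "domain admins"
2023-03-01T09:01:40,jdoe,enum_query,ldap (objectClass=computer)
2023-03-01T09:02:05,jdoe,enum_query,net view
2023-03-01T09:02:30,jdoe,enum_query,nltest /dclist
2023-03-01T09:02:55,jdoe,enum_query,net share
2023-03-01T09:40:00,jdoe,remote_logon,srv-fs01
2023-03-01T09:41:00,jdoe,remote_logon,srv-db02
2023-03-01T09:42:30,jdoe,remote_logon,srv-dc01
"""

def parse(log):
    """Turn the CSV-style lines into (timestamp, user, event, target) tuples, oldest first."""
    rows = [line.split(",", 3) for line in log.splitlines() if line.strip()]
    return sorted((datetime.fromisoformat(ts), u, ev, tgt) for ts, u, ev, tgt in rows)

def first_alert(rows, event, window, min_distinct):
    """Time at which any user reaches >= min_distinct distinct targets of `event`
    inside a sliding `window`; None if the rule never fires."""
    recent = defaultdict(list)            # user -> [(timestamp, target), ...]
    for ts, user, ev, target in rows:
        if ev != event:
            continue
        hits = [h for h in recent[user] if ts - h[0] <= window] + [(ts, target)]
        recent[user] = hits
        if len({t for _, t in hits}) >= min_distinct:
            return ts
    return None

def dwell_seconds(log):
    """Seconds from the first suspicious record to each rule's alert (None = no alert)."""
    rows = parse(log)
    start = rows[0][0]
    delta = lambda t: None if t is None else int((t - start).total_seconds())
    return {
        # five distinct enumeration queries within five minutes: early-phase signal
        "enumeration_burst": delta(first_alert(rows, "enum_query", timedelta(minutes=5), 5)),
        # remote logons to three distinct hosts within ten minutes: lateral movement signal
        "lateral_fanout": delta(first_alert(rows, "remote_logon", timedelta(minutes=10), 3)),
    }
```

On the sample data the enumeration rule alerts 175 seconds after the first suspicious record, while the lateral-movement rule only fires after 2550 seconds, once the account has already fanned out to three servers.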

Disrupting the cyber attack kill chain

As threat actors get more sophisticated, which consequently means that the time between initial intrusion and lateral movement continues to shorten, the importance of quick detection times cannot be overstated. Since traditional security solutions, anti-viruses and anti-malware aren’t up to this task, organisations should consider specialised Managed Detection and Response (MDR) services.

The best of these solutions take advantage of autonomous EDR (Endpoint Detection and Response) detection, and can defend an organisation’s network from cyber attacks instantly, and with a higher level of accuracy than human teams can provide. MDR solutions can seamlessly monitor an organisation’s entire digital environment around the clock, hunting for advanced threats, and can significantly reduce mean time to respond (MTTR).

When looking for the ideal solution to deploy, firms should look for MDR services that offer machine-speed detection technology run by dedicated analysts. The solution in question should also allow organisations to adapt instantly, and at scale, to the fluid threat landscape and, ultimately, close the gap between intrusion and lateral movement, neutralising the threat before it can spread deep into the environment and cause significant damage.

Organisations should consider MDR solutions that offer capabilities including: active threat campaign hunting for Advanced Persistent Threats (APTs); alerting and remediation guidance for emerging threats; incident-based triage and hunting; 24/7/365 monitoring, triage and response; security assessment; and digital forensics investigation and malware analysis.

By deploying a capable, feature-rich MDR solution, businesses can protect themselves from adept and motivated threat actors. With machine-speed detection technology that is powered by dedicated analysts, organisations can act before threat actors move laterally within their environments to exfiltrate and encrypt sensitive data, and hold them to ransom.