24 February 2019

Russian Hackers Go From Foothold/Beachhead — To Full-On Breach In 19 Minutes; “We Are On The Verge Of A New Age/Paradigm In Both The Cyber Threat, And Cyber Security — Artificial Intelligence-Enhanced Malware, Machine Learning Changing The Digital Battlespace”


The title above comes from Andy Greenberg’s February 19, 2019 article on the security and technology website WIRED.com. John Wooden, the legendary men’s basketball coach at UCLA, was fond of saying, “Speed it up; but, don’t hurry.” It is a motto that can also apply to the cyber world. Dmitri Alperovitch, Chief Technology Officer at the cyber security firm CrowdStrike, “argues that the crucial moment [regarding a breach] isn’t necessarily the initial penetration; but, what happens next — how quickly intruders can move from that [initial] beachhead to expand their control. And no one, Alperovitch has found, does it faster than the Russians,” Mr. Greenberg wrote.

“In its annual global threat report released this week/Tuesday, CrowdStrike introduced a new metric of hacker sophistication: what the firm calls ‘breakout’ speed,” Mr. Greenberg wrote. “Analyzing more than 30,000 attempted breaches in 2018 that the company says it detected across its customer base, CrowdStrike measured the time from hackers’ initial intrusion to when they began to expand their access, jumping to other machines or escalating their privileges within a victim network – to gain more visibility and control. The company compared those times among state-sponsored hackers from four different countries, as well as non-state [but sophisticated] cyber criminals. Their results,” Mr. Greenberg noted, “suggest that Russian hackers were far and away the fastest, expanding their access, on average, just 18 minutes and 49 seconds after gaining their initial foothold.”


“Those numbers also hint at just how quickly defenders need to move to stop a breach in progress,” WIRED noted, “particularly if they might pose a tempting target for the Kremlin’s agents.” “Russia really is the best adversary,” said Mr. Alperovitch, whose staff has closely tracked Russian [cyber] operations for years, along the way discovering two Kremlin-sponsored intrusions into the Democratic National Committee network in 2016. “We’ve engaged with them on investigations, discovering and combating them, and this breakout time is a real proxy for how good they are. It really captures the operational tempo…. They’re just incredibly fast, almost eight times as fast as the next adversary.”

“In CrowdStrike’s ranking, North Korea’s hackers came next, averaging about two hours longer than the Russians to expand beyond an initial compromised machine,” Mr. Greenberg wrote. “Chinese hackers took about four hours, Iranian hackers took more than five; and, profit-focused cyber hackers took nearly ten hours on average to escalate their privilege, or spread their infections across other parts of a victim’s network.” (Alperovitch admits that CrowdStrike’s data set doesn’t include targets of hacking by the U.S., U.K., or the other English-speaking countries known as the Five Eyes), nor perhaps Israel and France. “I would expect they would be at the top of the list,” Mr. Alperovitch said.

“In an era when intelligence agencies and militaries [and individuals] can buy malicious software from [a] myriad of private firms, Alperovitch argues that the breakout times CrowdStrike has measured might represent the closest thing to a real test of operational sophistication,” Mr. Greenberg wrote. “Nation-state hackers aren’t as likely to outsource the actual hands-on-the-keyboard aspect of hacking, as they are to buy research and software development.” “Tools, zero-days, sophisticated malware tells you something; but, not the full story,” Mr. Alperovitch told WIRED. “It just means they have a lot of money.”

Mr. Alperovitch “points to one example where it took a team of hackers, known as Cozy Bear, or APT29, only 10 minutes to gain domain admin privileges — essentially full control over the network — from the moment a target clicked a phishing link,” WIRED reported. “They’re not there sipping coffee, thinking, ‘Let me figure out what I want to do today,’” Alperovitch said. “They have a victim, they jump on it as quickly as possible, and really execute their mission before they get detected.”

“Breakout speed is far from the only way to measure the dangers posed by hackers,” points out Ben Read, a manager of cyber espionage analysis at cyber security firm FireEye, a CrowdStrike competitor. Mr. Read “argues that some hacker groups may cast a wider net than others; and, only prioritize acting on some of the victims that fall into it,” Mr. Greenberg wrote. “Speed is an interesting data point; but, it’s not a perfect stand-in for sophistication,” Mr. Read told WIRED. “They may have sent 10,000 phishing emails; but, they really only care about five targets, and if you’re one of them, they’re going to move quickly. But, if you are an HR person at a boring think-tank, they’ll get to you in a few hours.”

“But, CrowdStrike’s numbers still offer a sense of how quickly hackers move on average, and how vigilant [and nimble] network operators need to be, if they hope to catch and contain intrusions,” Mr. Greenberg observed. CrowdStrike “actually found that the overall average breakout time for all the incidents they observed in 2018, four hours and 37 minutes, was significantly longer than in 2017, when it was just under two hours, due in part to a higher volume of slower-moving adversaries. But, even four or five hours represents a disturbingly narrow window for detecting and acting on an intrusion that could represent the difference between a single infected user, and a deeply compromised network.”

“Defenders have to be on call,” Mr. Alperovitch said. “This is an indication of not just how rapidly they move; but, how quickly you have to move as a defender….to eject them.”
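As an added illustration, not from the WIRED article or from CrowdStrike, the Python below computes the breakout metric described above (seconds from initial access to the first lateral-movement or privilege-escalation event) from an incident timeline, averages it per actor, and checks for each incident whether detection landed before the adversary broke out, which is the race the closing paragraphs say defenders must win. It also handles incidents where no expansion or no detection was recorded. The event kinds, the GROUP_A/GROUP_B labels and every timestamp are constructed assumptions, not CrowdStrike data.

```python
from collections import namedtuple
from datetime import datetime
from statistics import mean

# kind is one of: initial_access | lateral_movement | privilege_escalation | detection
Event = namedtuple("Event", "incident actor kind ts")
# Kinds that mark "breakout": the intruder expanding beyond the first compromised host.
EXPANSION = {"lateral_movement", "privilege_escalation"}

def summarize(events):
    """Per incident: seconds from initial access to first expansion and to detection, and whether detection beat breakout."""
    recs = {}
    for e in sorted(events, key=lambda e: e.ts):
        r = recs.setdefault(e.incident, {"actor": e.actor, "start": None, "breakout": None, "detected": None})
        if e.kind == "initial_access" and r["start"] is None:
            r["start"] = e.ts
        elif e.kind in EXPANSION and r["breakout"] is None:
            r["breakout"] = e.ts
        elif e.kind == "detection" and r["detected"] is None:
            r["detected"] = e.ts
    out = {}
    for inc, r in recs.items():
        secs = lambda t, s=r["start"]: None if t is None or s is None else int((t - s).total_seconds())
        b, d = secs(r["breakout"]), secs(r["detected"])
        # Detection is "in window" if it landed before any expansion (or none was observed).
        out[inc] = {"actor": r["actor"], "breakout_s": b, "detect_s": d,
                    "detected_in_window": d is not None and (b is None or d <= b)}
    return out

def mean_breakout_by_actor(summary):
    """Average breakout seconds per actor, over incidents where expansion was observed."""
    per = {}
    for r in summary.values():
        if r["breakout_s"] is not None:
            per.setdefault(r["actor"], []).append(r["breakout_s"])
    return {a: mean(v) for a, v in per.items()}
# Constructed sample timelines (not CrowdStrike data); GROUP_A/GROUP_B are placeholder labels.
T = lambda hms: datetime.fromisoformat("2018-06-01T" + hms)
SAMPLE = [
    Event("INC-1", "GROUP_A", "initial_access", T("09:00:00")),
    Event("INC-1", "GROUP_A", "privilege_escalation", T("09:18:49")),  # breakout after 18m49s
    Event("INC-1", "GROUP_A", "detection", T("10:30:00")),             # detected after breakout
    Event("INC-2", "GROUP_A", "initial_access", T("12:00:00")),
    Event("INC-2", "GROUP_A", "detection", T("12:10:00")),             # caught before breakout
    Event("INC-2", "GROUP_A", "lateral_movement", T("12:30:00")),
    Event("INC-3", "GROUP_B", "initial_access", T("08:00:00")),
    Event("INC-3", "GROUP_B", "lateral_movement", T("12:37:00")),      # breakout after 4h37m, never detected
    Event("INC-4", "GROUP_B", "initial_access", T("14:00:00")),        # no expansion observed
]
print(mean_breakout_by_actor(summarize(SAMPLE)))
```

The useful number for a SOC is not the average alone but the share of incidents where `detected_in_window` is true; when it falls, mean time to detect has slipped past the adversary's tempo.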

“We Are On The Verge Of A New Age/Paradigm In Both The Cyber Threat, And Cyber Security — Artificial Intelligence-Enhanced Malware, Machine Learning Changing The Digital Battlespace”

Interesting article; but, a few observations. There was no mention here of the adversary clandestinely exfiltrating data, even encrypted data, or leaving a clandestine digital stay-behind on one’s network. More important than speed is the ability not to leave any digital tracks, or at least to muddy them, along with a strong dose of denial and deception.

Artificial Intelligence-enhanced malware, machine learning, big data mining, etc. all play a big role on this cyber chess board. As Larry Johnson, Chief Strategy Officer at CyberSponse, wrote in the December 21, 2018 edition of the website Entrepreneur, “in the next few years, artificial intelligence, machine learning, and advanced software processes will enable cyber attacks to reach an unprecedented scale, wreaking untold damage on companies, critical systems, and individuals.” “Once ransomware and other malware can think on their own,” the cyber hacking threat is going to be exponentially more dangerous. Indeed, automated cyber attacks are already emerging in the wild in 2019, and one has to expect that threat to grow in both scale and sophistication.

“What this means,” Mr. Johnson wrote, “is that we are on the verge of a new age in cyber security, where hackers will be able to unleash formidable new attacks using self-directed software tools and processes. These automated attacks, on their own, will be able to find and breach even well-protected companies, and in vastly shorter time frames than can human hackers. Automated attacks will also reproduce, multiply, and spread in order to massively elevate the damage potential of any single breach.”

Shape-shifting malware is on the horizon, allowing Trojan horses, malicious bots, and bot swarms to change their patterns and signatures in order to become much more difficult to ferret out and discover. “AI-based malware will be better able to hunt down specific targets inside a company, hide from detection tools like antivirus ones [again, changing its pattern/signatures], and spread rapidly and uncontrollably across a network,” Mr. Johnson warns. “It will also mutate itself at will, in order to unleash multiple attacks simultaneously,” he adds.

The cyber adversary isn’t ‘ten feet tall,’ and AI and machine learning will also benefit the good guys. But, there is little doubt that AI-enhanced malware and machine learning will likely give the darker digital angels of our nature an advantage in the short term. No wonder there is a burgeoning off-the-grid movement. That isn’t practical for the majority of us, so just understand that anything can, and likely will, be hacked at some point. Assuming otherwise is inviting disaster and a nasty strategic surprise. RCP, fortunascorner.com
