
Why does it take an average of 56 days to detect a hacker attack?

15.03.2021 | August 30th, 2021 | Case Studies

How can deception technology help to significantly shorten this time?

As we know from the reports on the last two major security incidents, the so-called dwell time of hackers in production systems is extremely long. Just imagine what you can do as an intruder who goes undetected for 2 months or more.

As for the SolarWinds hack, we know that the backdoor went undetected for a full seven months, and that happened to FireEye, an IT security consulting firm considered one of the best in the world. The vulnerabilities in the Microsoft Exchange software were only discovered and closed two months after they were exploited by hackers.

In a recent report, the global mean dwell time of cybercriminals before detection was 56 days. This figure was significantly better than the previous year, when attackers had a whopping 78 days before they were detected. In some cases, however, attacks went undetected for several years, with serious consequences for all involved.

I would like to outline here, based on a real case, what actually happens from the time of discovery until the attacker is removed from the system. This is when the forensic work actually begins, for which you have to call in external specialists to support your own employees. It should be mentioned here that this work must be done very carefully and cautiously, otherwise the hacker will realise that he has been discovered and immediately withdraw. In the production system, you are performing open-heart surgery, so to speak.

In this case, the first thing to do was to continue to observe the attackers and keep them away from all really critical data, without arousing their suspicion and without prompting them to use their extensive access rights to leave scorched earth behind. It was a balancing act that resulted in a major clean-up operation. In one fell swoop, all passwords were locked, web-shell backdoors were removed, new golden tickets were created for the Active Directory server and much more. This was only the visible end of a serious and, above all, successful attack that had systematically infiltrated the company’s IT. The attackers had hijacked central PCs and servers and were in and out virtually at will for almost half a year.

All this took a total of 5 months. Adding the dwell time of 2 months gives a total of 7 months, along with high unbudgeted costs in the 7-digit euro range.

What can deception technology contribute to this?

Well, it should be noted that the company described above, and many others that were victims of a hacker attack with a dwell time of several months, were very well positioned in terms of security technology and had implemented appropriate preventive measures and solutions. Nevertheless, the attackers managed to penetrate the system. This is exactly where deception technology comes in.

By means of deception technology solutions such as those of CYBERTRAP, so-called digital lures can be distributed in the production system. These lures are not visible or detectable for the normal user but can be found with the help of hacker tools. An example of such a lure would be the admin user and the corresponding password for a database server, which are stored in the Windows Credential Manager. As soon as a hacker uses this lure, he gets to this database server (the “decoy”), which is part of a so-called deception environment. An alarm goes off immediately and the attacker is now in a monitored system from which he can no longer return to the production system. Now the automated forensics starts, and the attacker can be analysed in detail.
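The defender's side of the database-admin lure described above, as an added example that is not CYBERTRAP's code: because no legitimate user ever touches the lure credential, any authentication event that names it can be alerted on, including a replay against a production host. The account name `svc_dbadmin`, the decoy host `db-decoy01` and the simplified event layout are assumptions made for this sketch.

```python
from datetime import datetime

# Hypothetical lure account and decoy host (placeholders, not from the article).
LURE_ACCOUNTS = {"svc_dbadmin"}
DECOY_HOSTS = {"db-decoy01"}
# Windows Security event IDs: logon success, logon failure,
# logon with explicit credentials, NTLM credential validation.
AUTH_EVENT_IDS = {4624, 4625, 4648, 4776}

def normalize_account(name):
    """Reduce DOMAIN\\user and user@domain to a lowercase bare user name."""
    name = name.strip().lower()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    return name.split("@", 1)[0]

def lure_alerts(events):
    """Return one alert per (source, account, target), earliest event first."""
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] not in AUTH_EVENT_IDS:
            continue
        account = normalize_account(ev["account"])
        target = ev["target_host"].lower()
        if account not in LURE_ACCOUNTS and target not in DECOY_HOSTS:
            continue
        key = (ev["source"], account, target)
        if key not in alerts:
            alerts[key] = {
                "first_seen": datetime.fromisoformat(ev["time"]),
                "source": ev["source"], "account": account, "target": target,
                # Lure used against a non-decoy host: credential replayed elsewhere.
                "outside_decoy": target not in DECOY_HOSTS,
                "count": 0,
            }
        alerts[key]["count"] += 1
    return list(alerts.values())

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"time": "2021-03-02T09:14:07", "event_id": 4624, "account": "CORP\\jsmith", "source": "10.0.4.21", "target_host": "fileserver01"},
    {"time": "2021-03-02T23:41:55", "event_id": 4625, "account": "CORP\\SVC_DBAdmin", "source": "10.0.4.37", "target_host": "sql-prod02"},
    {"time": "2021-03-02T23:42:10", "event_id": 4624, "account": "svc_dbadmin@corp.example", "source": "10.0.4.37", "target_host": "DB-DECOY01"},
    {"time": "2021-03-02T23:42:31", "event_id": 4648, "account": "svc_dbadmin@corp.example", "source": "10.0.4.37", "target_host": "DB-DECOY01"},
    {"time": "2021-03-03T08:00:00", "event_id": 4688, "account": "CORP\\svc_dbadmin", "source": "10.0.4.37", "target_host": "db-decoy01"},
]
```

On the constructed sample, `lure_alerts(SAMPLE_EVENTS)` yields two alerts from the same source: a failed attempt to replay the lure against a production SQL host, then the logons on the decoy.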

All this usually takes place within 1-2 days after the hacker has penetrated the production system. This means that deception technology can reduce the dwell time by 97% and significantly reduce the follow-up costs of an attack as described above. Deception technology can be deployed and operated at a fraction of the cost of removing attackers from the production system.




About the author

Franz Weber