A new on-demand webcast features CrowdStrike Vice President of Managed Services Austin Murphy, and Sr. Product Director Con Mallon as they discuss how organizations can leverage technology and speed to respond to incidents within the “breakout time” window.
As discussed in the CrowdStrike® 2019 Global Threat Report, speed is a critical factor in staying ahead of today’s rapidly evolving threats. And while speed is not a new concept in cybersecurity, and defenders have long understood its importance, it has not been well defined due to a lack of measurements and data. CrowdStrike seeks to remedy this by introducing measurements such as breakout time — which is the window of time from when an adversary first compromises an endpoint machine to when they begin moving laterally through your network — and suggesting the “1-10-60 rule,” both of which more accurately convey the level of speed necessary to defeat the adversary.
Breakout time is discussed in detail in a recent blog, and another recent CrowdCast details how to adopt the “1-10-60 rule” as a benchmark for achieving the speed needed to defeat a sophisticated adversary and stop the breach. The rule calls for: one minute to detect, 10 minutes to investigate and 60 minutes to remediate.
The Importance of the 1-10-60 Rule
Mallon begins the webcast by outlining the key findings from the Global Threat Report that drive a need for achieving the 1-10-60 rule, as follows:
- Today it’s “survival of the fastest,” because malware is not the only problem in cybersecurity – speed is increasingly critical.
- Nation-state attacks continue unabated: Sophisticated targeted intrusion techniques are finding their way into the mainstream, and commercial enterprises are increasingly at risk, especially industries such as hospitality and telecom.
- eCrime groups are collaborating more than ever before – launching massive “Big Game Hunting” attacks that drive bigger payoffs.
He then discusses how attacks can be divided into five stages: initial access, persistence, discovery, lateral movement and objective – explaining that the 1-10-60 rule must be applied before lateral movement is achieved.
Incident Response Timeline
Mallon also outlines the incident response timeline and the stages that must occur for remediation to take place within the 1-10-60 time frame. The stages include:
- Detection — Finding a threat or suspicious activity. Organizations have one minute to achieve this.
- Understanding — What is the context of the threat? How does it function? What are its objectives? Organizations have 10 minutes to complete this analysis.
- Containment and Eradication — Stopping the infection from spreading and eradicating it from the environment. Organizations have 60 minutes to achieve this goal.
Dwell Time is Challenging
Mallon points out the challenge of extended dwell times that organizations are facing – several cases CrowdStrike has dealt with illustrate this fact and are included in the CrowdStrike Services Cyber Intrusion Casebook. “We found that the dwell time for incidents we were involved with in 2018 was 85 days — so there is a massive imbalance between adversaries and those of us who are defending organizations,” he says.
“They’re moving at the rate of hours, while organizations are moving at a pace of days, weeks and even months.” He also points out that while the 1-10-60 rule recommends that detection be achieved in one minute, a recent global survey conducted by CrowdStrike found that it’s taking an average of 63 hours for organizations to detect threats. Mallon says, “This brings into sharper relief the notion that adversaries are strengthening their foothold — the imbalance is clear.”
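As an added example (not part of the webcast or of any CrowdStrike tooling), the Python below scores constructed incident timelines against the three stages of the 1-10-60 timeline described above and computes dwell time as the gap from first compromise to detection, the quantity behind the 85-day figure; the Incident fields, the sample timestamps and the breakout check are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Phase targets of the 1-10-60 rule: detect in one minute, understand the
# threat in ten, contain and eradicate it in sixty.
TARGETS: Dict[str, timedelta] = {"detect": timedelta(minutes=1),
                                 "understand": timedelta(minutes=10),
                                 "contain": timedelta(minutes=60)}

@dataclass
class Incident:
    """Timestamps for one incident; the field names are this example's own."""
    name: str
    first_compromise: datetime           # adversary first compromises an endpoint
    detected: datetime                   # threat or suspicious activity found
    understood: datetime                 # context, function and objectives known
    contained: datetime                  # spread stopped and threat eradicated
    breakout: Optional[datetime] = None  # first lateral movement, if it happened

def phase_durations(inc: Incident) -> Dict[str, timedelta]:
    """Elapsed time in each stage of the incident response timeline."""
    return {"detect": inc.detected - inc.first_compromise,
            "understand": inc.understood - inc.detected,
            "contain": inc.contained - inc.understood}

def evaluate(inc: Incident) -> Dict[str, bool]:
    """Per-phase pass/fail against 1-10-60, plus whether containment
    finished before the adversary broke out (began moving laterally)."""
    durations = phase_durations(inc)
    verdict = {phase: durations[phase] <= limit for phase, limit in TARGETS.items()}
    verdict["before_breakout"] = inc.breakout is None or inc.contained < inc.breakout
    return verdict

def dwell_time_days(inc: Incident) -> float:
    """Dwell time: first compromise to detection, in days."""
    return (inc.detected - inc.first_compromise).total_seconds() / 86400

def mean_dwell_time_days(incidents: List[Incident]) -> float:
    return sum(dwell_time_days(i) for i in incidents) / len(incidents)

# Constructed sample incidents (not real cases). FAST meets every target;
# SLOW mirrors the multi-week dwell times the webcast describes.
FAST = Incident("fast", datetime(2019, 3, 1, 9, 0, 0), datetime(2019, 3, 1, 9, 0, 45),
                datetime(2019, 3, 1, 9, 8, 0), datetime(2019, 3, 1, 9, 50, 0),
                breakout=datetime(2019, 3, 1, 10, 30, 0))
SLOW = Incident("slow", datetime(2018, 1, 1), datetime(2018, 3, 27),
                datetime(2018, 3, 27, 3), datetime(2018, 3, 29),
                breakout=datetime(2018, 1, 1, 6))
```

Running `evaluate` over a quarter's worth of real incident records gives a per-phase view of where the timeline breaks down, rather than a single mean time to remediate.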
How Can Organizations Meet these Critical Metrics?
The remainder of the webcast is conducted by Murphy, who focuses on how organizations can ready themselves to defend against today’s accelerated attack processes and meet the challenge of the 1-10-60 rule.
He begins by explaining the critical capabilities any organization needs to quickly and effectively respond to an event – they include:
- 24/7/365 operations: Teams need to be available to respond to threats, and if you have a global organization, you need to be thinking about different time zones when your users may be active and opening emails, clicking on links, etc.
- Dedicated Security Operations Center (SOC): You need a team that is focused on security and building “muscle memory” around the tasks needed to handle threats.
- Process in place: Organizations need to implement a process before an incident occurs. This means creating a playbook, documenting what actions will be authorized and what tasks are needed.
- Security teams with direct access to endpoints: Your security team needs technical access and the authority to make changes. They might need to connect to a server remotely and delete a file, or isolate a system that poses a threat. They need to have the access and authority in place before an incident happens.
- Advanced skill levels: You need a team with the experience and abilities to handle whatever comes its way — having an adequate level of expertise is critical.
Every Breach Starts With a Small Issue
Murphy explains that relying solely on prioritizing threats may cause organizations to miss something crucial. He says, “Organizations may be making a mistake by ignoring or filtering out low-priority detections — missing the opportunity to contain and remediate an incident before it becomes a crisis or major breach.”
What is Remediation?
Murphy also explains how he and his team define remediation, saying, “It’s not just quarantining a malicious file — we are talking about the process and the discipline involved.” He defines this process as a series of steps that includes:
- Incident responders triaging and investigating threats
- Determining the technical root cause
- Addressing the entire attack kill chain
- Removing persistence mechanisms and stopping active processes
- Accomplishing all these steps without disrupting users
He emphasizes that the goal is to achieve maximum effectiveness with minimum disruption, and further explains that though many organizations rely on reimaging computers to recover from an attack, it is a time-consuming and disruptive process. Most important: If you have the right tools and the proper plans in place, it is often unnecessary.
Attack Case Studies
The webcast includes detailed case studies of two attacks where investigation and remediation were handled by the CrowdStrike® Falcon® Complete™ team.
The first case Murphy presents is an Emotet attack, which led to a “Big Game Hunting” ransomware incident that was particularly virulent, harmful and painful to remediate. He explains that the Emotet adversary (which CrowdStrike Intelligence tracks as MUMMY SPIDER) has been a pervasive threat, characterized by destructive breaches that have cost up to $1M to remediate. Because of its worm-like techniques, Emotet is difficult to deal with. Its initial objective is to steal as many credentials as possible and turn one compromised endpoint into many.
Falcon Complete Remediates
In the webcast, Murphy walks through how the Emotet attack unfolded, how the victim organization tried to deal with it and how Falcon Complete, CrowdStrike’s hands-on, comprehensive security platform, remediated this event quickly and efficiently. He also outlines the onerous remediation process recommended by the government and shows why relying on CrowdStrike security expertise and next-gen technology delivered maximum results with a minimum of disruption to the organization.
Another case Murphy covers in the webcast involves a TrickBot attack. He explains that by the time the CrowdStrike Falcon Complete team arrived on the scene, 75 percent of the victim organization’s environment was infected with TrickBot. The victim had spent three months fighting the infection and the TrickBot authentication storm had started to degrade and disrupt IT services, even taking down their email. Murphy says the infection had reached critical mass and he explains, “TrickBot behaves similarly to Emotet, in that if you have one endpoint that’s compromised, it will brute-force authenticate to other endpoints. In this environment, the organization spent several months trying to reimage endpoints and they were getting behind.”
Falcon Complete to the Rescue
The webcast details how the CrowdStrike Falcon Complete team came to the aid of this organization and deployed the Falcon endpoint protection platform, which immediately stopped the spread of additional infections and allowed remediation to progress. The Falcon Complete team was able to extinguish persistence by stopping affected services and scheduled tasks, and disrupting the 24-hour self-update process. As a result, Falcon Complete achieved complete remediation — remotely and within four days. They cleaned up hundreds of infected systems and got the organization back to business without having to reimage their machines.
Get all the details of this important webcast by watching it on-demand: “Making 60-Minute Remediation a Reality.”
- Learn more about Falcon Complete by visiting the webpage.
- Download the 2020 Global Threat Report.
- Read a white paper and learn how the Falcon Complete platform can help you instantly reach cybersecurity maturity.
- Test CrowdStrike next-gen AV for yourself: Start your free trial of Falcon Prevent™ today.