Disrupting the Hacker Timeline – Why Fast Matters in Cybersecurity



The Threat Landscape by the Numbers


One of the only consistent aspects of the cyber threat landscape is that you can count on it to shift (and quickly, too). In the last year alone, organizations around the world saw a record-breaking year of cyberattacks of increasing variety and severity. The following findings from 2021 reflect the current state of the threat landscape:

  • Cyberattacks increased 50% year-over-year with businesses facing 925 attacks per week worldwide (Checkpoint Research)

  • Globally, 30,000 websites were hacked daily (Web Arx Security) and, every 39 seconds, there was a new attack on the web (University of Maryland)

  • The average cost of data breaches rose from $3.86 million in 2020 to $4.24 million in 2021 (Ponemon Institute & IBM)

  • Governments worldwide noted a 1,885% increase in ransomware attacks (SonicWall)

This is the same landscape that is witnessing increasing rates of successful advanced persistent threats (APTs). Using lateral movement techniques, threat actors quickly infiltrate networks through low-level web servers, poorly protected endpoint devices, or compromised email accounts. Once inside, the real damage begins: the actors secure their foothold and move laterally through the rest of the network to locate their targeted assets and encrypt sensitive data for ransom.


Understanding The Hacker Timeline


Let’s take a closer look at the hacker timeline – how threat actors move before, during, and after their attack. The timeline is defined by five phases:

  1. Planning: During this phase, threat actors will select their target, perform research and collect all exploitable aspects of their target, and decide on their attack vector.

  2. Intrusion: Common intrusion techniques include spear phishing, insider threats, or exploiting zero-day vulnerabilities. Based on the research collected in the planning phase, the actors can tailor their intrusion methods.

  3. Enumeration: Once the threat actors have infiltrated the targeted environment, they work swiftly to figure out: Who am I? Where am I? Where can I go? Who do I need to be? They hide evidence of their entry and aim to steal credentials that allow them to elevate their access and permissions.

  4. Lateral Movement: In this phase, the main goals of the actor are to steal data, establish persistence, hunt users, and distribute their toolset and malware.

  5. Completion of Objective: Once the malicious toolset/malware has been deployed, threat actors will perform data exfiltration and usually delete any backups and corrupt local files and folders, making it harder for incident response teams to restore the environment back to its normal working state.

Why Fast Matters in Cybersecurity


In the hacker timeline, the intrusion and enumeration phases make up the most crucial time period for cyber defenders to act. During these two phases, the actors have not yet moved far into the compromised network nor blended in with normal network traffic. This is the period in the attack timeline before lateral movement begins. After this, it becomes much more difficult to detect the attacker.


Once in the lateral movement phase, threat actors strategically avoid detection, embed themselves deep into the network, and begin to “live off the land”. This means using legitimate processes and tools already available in the environment to further their foothold. Moving from one system to another, they seek to compromise additional systems and user accounts along the way. In this stage, the actors may remain undetected for long periods of time while they stealthily scan for access, data, and assets to steal and encrypt. It is safe to assume that threat actors, with enough time and resources, will ultimately achieve success. This is why it is so important to detect the first signs of a breach immediately and isolate the threat while it is still in the enumeration phase.


So, if the main goal is to defend against critical damage in the lateral movement phase, then being faster than the threat actors makes all the difference. With immediate detection and response capabilities, we can disrupt the hacker timeline and stop them before they do critical damage.

The time between intrusion and lateral movement is shrinking significantly as threat actors become better equipped and more sophisticated. Even tools such as SIEMs (Security Information and Event Management), advanced analytics tools, anti-malware, and anti-virus solutions have proven inadequate at catching this phase in the attack lifecycle. To fight back, live detection of privileged lateral movement is key.
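To make the "live detection of privileged lateral movement" idea concrete, here is an added example of a streaming detector over authentication events. It is my illustration for this post, not Blackpoint's code or any product's detection logic. The log format, host names, account names, the five-minute window, the per-account thresholds and the allow-list are all constructed assumptions. The detector watches each account's network logons and raises an alert the moment one account has reached an unusual number of distinct hosts inside the window, which is exactly the enumeration-to-lateral-movement fan-out the timeline above describes; privileged accounts get a lower threshold, and known high-fan-out service accounts are allow-listed so they do not become the false positives mentioned later in the post.

```python
"""Sliding-window fan-out detector for lateral movement over authentication logs.

Added example for illustration only (not Blackpoint's or any product's code).
Log format, hosts, accounts, window and thresholds are all constructed.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed (hypothetical) log line format:
#   <ISO-8601 UTC> user=<account> src=<origin host> dst=<target host> type=<logon type>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) type=(?P<type>\S+)$"
)

# Constructed sample events on a fictional network: a backup service fanning out
# legitimately, two ordinary users, and a compromised workstation (WS-0142) whose
# user account, then a stolen admin account, reach several hosts within minutes.
SAMPLE_LOGS = """
2021-11-03T07:55:10Z user=alice src=WS-0101 dst=WS-0101 type=interactive
2021-11-03T08:00:03Z user=svc_backup src=BK-01 dst=FS-01 type=network
2021-11-03T08:02:41Z user=svc_backup src=BK-01 dst=FS-02 type=network
2021-11-03T08:03:57Z user=svc_backup src=BK-01 dst=DC-01 type=network
2021-11-03T08:04:30Z user=svc_backup src=BK-01 dst=FS-03 type=network
2021-11-03T08:10:00Z user=alice src=WS-0101 dst=FS-01 type=network
2021-11-03T08:40:00Z user=alice src=WS-0101 dst=FS-02 type=network
2021-11-03T09:12:00Z user=bob src=WS-0202 dst=FS-01 type=network
2021-11-03T09:13:00Z user=bob src=WS-0202 dst=PRINT-01 type=network
2021-11-03T09:14:00Z user=bob src=WS-0202 dst=FS-02 type=network
2021-11-03T13:02:11Z user=jdoe src=WS-0142 dst=FS-01 type=network
2021-11-03T13:02:30Z user=jdoe src=WS-0142 dst=FS-02 type=network
2021-11-03T13:03:05Z user=jdoe src=WS-0142 dst=HR-APP type=network
2021-11-03T13:03:05Z user=jdoe src=WS-0142 dst=FS-02 type=network
2021-11-03T13:05:48Z user=jdoe src=WS-0142 dst=DC-01 type=network
2021-11-03T13:08:02Z user=domadmin src=WS-0142 dst=DC-01 type=network
2021-11-03T13:08:40Z user=domadmin src=WS-0142 dst=DC-02 type=network
2021-11-03T13:09:15Z user=domadmin src=WS-0142 dst=FS-03 type=network
""".strip().splitlines()

PRIVILEGED = frozenset({"domadmin"})      # constructed: accounts with a lower threshold
ALLOWLIST = frozenset({"svc_backup"})     # constructed: accounts expected to fan out


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    src: str
    dst: str
    logon_type: str


def parse_line(line):
    """Parse one log line into an AuthEvent; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return AuthEvent(ts, m["user"], m["src"], m["dst"], m["type"])


def detect_fanout(events, window=timedelta(minutes=5), threshold=4,
                  privileged=PRIVILEGED, priv_threshold=3, allowlist=ALLOWLIST):
    """Alert once per account the first time its distinct destination hosts within
    `window` reach the threshold (lower for privileged accounts). Events are
    processed in time order so the alert carries the time-to-detect."""
    recent = defaultdict(deque)   # user -> deque of (timestamp, dst host) inside window
    alerted, alerts = set(), []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.logon_type != "network" or e.user in allowlist:
            continue  # console logons are not host-to-host movement; allow-listed fan-out is expected
        q = recent[e.user]
        q.append((e.ts, e.dst))
        while q and e.ts - q[0][0] > window:
            q.popleft()  # expire events that fell out of the sliding window
        hosts = {dst for _, dst in q}
        limit = priv_threshold if e.user in privileged else threshold
        if len(hosts) >= limit and e.user not in alerted:
            alerted.add(e.user)
            alerts.append({
                "user": e.user,
                "src": e.src,
                "hosts": sorted(hosts),
                "first_seen": q[0][0],
                "detected_at": e.ts,
                "seconds_to_detect": int((e.ts - q[0][0]).total_seconds()),
            })
    return alerts


def run_detection(lines=SAMPLE_LOGS, **kwargs):
    """Parse lines (skipping malformed ones) and run the detector."""
    events = [ev for ev in (parse_line(l) for l in lines) if ev is not None]
    return detect_fanout(events, **kwargs)


if __name__ == "__main__":
    for a in run_detection():
        print(f"{a['detected_at']:%H:%M:%S} {a['user']} from {a['src']} reached "
              f"{len(a['hosts'])} hosts {a['hosts']} in {a['seconds_to_detect']}s")
```

On the constructed sample this flags jdoe 217 seconds after the first hop and the privileged domadmin account 73 seconds after its first hop, while alice, bob (three hosts, below the ordinary threshold) and the allow-listed backup service stay quiet. In a real deployment the thresholds and allow-list would come from a baseline of normal behaviour, and the alert would feed the isolation step the post describes next.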


Blackpoint MDR vs. The Hacker Timeline


When an attack occurs, detection and response times often determine whether attackers succeed in their efforts. With true 24/7 MDR, Blackpoint helps you fight back within minutes and close the gap between the identification of an event and the actual response and remediation. By immediately isolating endpoints, Blackpoint’s MDR technology stops the threat from moving laterally into other systems.


Combining network visualization, tradecraft detection, and endpoint security, we can rapidly detect and neutralize lateral movement in its earliest stages. Our solution harnesses metadata around suspicious events, hacker tradecraft, and remote privileged activity to catch what others miss and take real action before cyber threats can spread.

  • Monitor: Blackpoint proactively threat hunts for evolving threats 24/7, maintaining full visibility of your entire network. Our experienced team leverages leading-edge, proprietary technology to monitor for indicators of compromise, malicious behaviour, and open risks.

  • Detect: Every second counts when it comes to detecting the first signs of breach. Blackpoint detects and isolates developing threats before they can spread laterally into other parts of your system. We investigate suspicious activity on your behalf and eliminate alert fatigue and time spent on false positives.

  • Respond: With the fastest response times seen in the industry, Blackpoint isolates and stops malicious processes. We take action to neutralize threats in real time rather than sending you instructions to act on yourself. Get alerted after the risk is eliminated and we’ve secured your environment.

Where SOC Comes into Play


The Blackpoint Security Operations Centre (SOC) is focused on detecting intrusions and rapidly responding to contain them before they can move deep into your network. Our mission is to monitor your and your clients’ networks around the clock and detain advanced threats before they can spread laterally. As we collect and monitor your data sources, we add context to make the information actionable within the overall threat management process. Our SOC leverages Blackpoint’s proprietary MDR technology to combine network visualization, insider threat monitoring, anti-malware, traffic analysis, and endpoint security into an end-to-end cyber strategy that protects you.

Trust our SOC team to provide the following services:

  • 24/7/365 Monitoring – Enjoy peace of mind with around-the-clock protection.

  • Rapid Detection – Catch threat actors before they can spread laterally.

  • True Response – Not just a call or email; we take real action to mitigate threats on your behalf.

  • Expertise & Experience – Industry leaders in stopping attacker techniques and tradecraft.

  • Alert Triage & Investigation – Eliminate alert overload and time wasted on false positives.

  • Proprietary MDR Technology – Nation-state grade MDR detects what others miss.

Protecting your business is synonymous with protecting your customers. That’s why businesses that are serious about their cybersecurity invest in a SOC to benefit from in-depth security expertise, human threat analysis, 24/7 monitoring, and immediate incident response. Having a SOC means responding faster, minimizing damages and costs, and safeguarding data and business continuity.


Summary


Though cyber adversaries move fast, there are ways to get ahead of them. Investing in a fully managed, 24/7 SOC effectively prepares your defence against threats. To take your strategy further, augmenting SOC services with an MDR’s capability for advanced threat monitoring and network analysis ensures a comprehensive and optimized security strategy for organizations looking to win the unfair fight against lateral movement today.


Author: Blackpoint Cyber

https://blackpointcyber.com/blog/disrupting-the-hacker-timeline/?utm_campaign=2022_blog_posts&utm_content=200822607&utm_medium=social&utm_source=twitter&hss_channel=tw-3392676269
