{"id":39020,"date":"2024-01-16T00:18:57","date_gmt":"2024-01-16T00:18:57","guid":{"rendered":"https:\/\/cyberleadershipinstitute.com\/?p=39020"},"modified":"2024-01-16T00:20:23","modified_gmt":"2024-01-16T00:20:23","slug":"cybersecurity-in-the-fast-lane-why-speed-is-key-in-incident-response-mitigation","status":"publish","type":"post","link":"https:\/\/cyberleadershipinstitute.com\/cybersecurity-in-the-fast-lane-why-speed-is-key-in-incident-response-mitigation\/","title":{"rendered":"Cybersecurity In The Fast Lane | Why Speed Is Key In Incident Response & Mitigation"},"content":{"rendered":"

\"\"<\/span><\/p>\n

Threat actors are constantly evolving, consistently developing the tactics, techniques, and procedures (TTPs<\/a>) they use in attacks. In today\u2019s threat landscape, enterprises of all sizes and industries find themselves pitted against professional cybercriminal gangs, advanced persistent threat<\/a> (APT) groups, and even nation-state actors \u2013 all of whom are leveraging faster attack methods than ever before.<\/span><\/p>\n

In addition to sophisticated TTPs and the increasingly organized cybercrime-as-a-service economy, enterprises also face the reality of how quickly an active threat can become a full-blown incident. Speed, in both cybersecurity and cyberattacks, is the key metric to pay attention to: whoever moves faster, the attacker or the defender, decides the outcome<\/span>.<\/span><\/span><\/span><\/span><\/span><\/p>\n

This blog discusses the metric of speed in context of modern threat actors<\/a>, their methods, and how enterprise security teams can shave off critical seconds and minutes in their own detection and response processes.<\/span><\/p>\n

Threat Actors Are Picking Up Their Speed<\/strong><\/h2>\n

Technology has changed dramatically in the last few years alone, becoming smarter, faster, and more advanced. While enterprises use the latest software and tools to further their businesses, threat actors have done the same to level up their attack methods.<\/span><\/p>\n

Ransomware Attacks<\/span><\/span><\/span><\/strong><\/h3>\n

Consider one of the most significant takeaways from Mandiant\u2019s latest M-Trends report<\/a>: The global median dwell time \u2013 the time between the start of an intrusion and the moment it is identified \u2013 is dropping year over year. At a median of just 16 days for 2022, this may seem like a positive development, since threat actors are spending less time inside a system post-entry. However, skyrocketing counts of ransomware<\/span><\/a> attacks on global businesses give a good indication as to why median dwell times are on the decline: ransomware announces itself when it detonates, so those intrusions are identified quickly whether or not the defender found them first.<\/span><\/span><\/span><\/span><\/span><\/p>\n

Though some of the reduction in dwell time is attributed to improved detection and response capabilities, ransomware has become a digital pandemic, targeting victims in all industry verticals. Given its high earning potential for a relatively short attack time frame, ransomware is highly lucrative for threat actors, and security experts project that attacks will continue rising in both frequency and severity.<\/span><\/span><\/span><\/span><\/span><\/p>\n

Drive-By Download Attacks<\/span><\/span><\/span><\/strong><\/h3>\n

As their name suggests, drive-by downloads are stealthy, fast, and often happen before the victim even knows what\u2019s happening. This type of cyberattack is employed by cybercriminals to infect a victim\u2019s device with malware<\/a> without their knowledge or consent. It typically occurs when the victim visits a compromised website or clicks on a malicious link embedded in an email or advertisement.<\/span><\/span><\/span><\/span><\/span><\/p>\n

The attack then takes advantage of vulnerabilities in the web browser, its plugins, or the operating system, allowing the malware to be automatically downloaded and executed on the victim\u2019s device<\/span>. Drive-by downloads require only the bare minimum of interaction from the victim, making them a potent tool for spreading malware, stealing sensitive information, and gaining unauthorized access to systems.<\/span><\/span><\/span><\/span><\/span><\/p>\n

Mass Scanning For Vulnerabilities<\/span><\/span><\/span><\/strong><\/h3>\n

Based on new research<\/a>, security defenders have a real race against the clock to patch new vulnerabilities. Researchers have found that threat actors start to perform mass, internet-wide scans for vulnerable endpoints<\/a> within just 15 minutes after a new CVE is disclosed<\/span>. Threat actors consistently monitor vendor bulletins and software update channels for the latest announcements on vulnerabilities and proofs of concept that they can leverage in their next attack. Often, these fresh vulnerabilities give them the capability to perform remote code execution (RCE) and gain access to corporate networks.<\/span><\/span><\/span><\/span><\/span><\/p>\n

Patch management is a continuous and, for many organizations, arduous task that requires security teams to keep up with the latest security threats and issues across operating systems and applications. Since performing these internet-wide scans does not require a deep skill set, even low-level criminals are able to take advantage, sometimes selling their scan results to more experienced actors.<\/span><\/span><\/span><\/span><\/span><\/p>\n

Zero-Day Exploits<\/span><\/span><\/span><\/strong><\/h3>\n

Threat actors are also getting faster at exploiting zero-days<\/a> and newly disclosed vulnerabilities. In a recent Vulnerability Intelligence Report<\/a>, researchers cited time-to-exploit as the critical metric for security practitioners. Over the past three years, the time measured between disclosure and known exploitation has decreased steadily, going from 30% of vulnerabilities exploited in the wild within one week in 2020 to 56% found exploited within one day in 2022. Zero-days are most often exploited to provide initial access for ransomware gangs.<\/span><\/span><\/span><\/span><\/span><\/p>\n

Growing Availability of Off-The-Shelf Tools<\/span><\/span><\/span><\/strong><\/h3>\n

Apart from APT groups, full-fledged ransomware gangs, and nation-backed threat actors, low-level cybercriminals are taking their shot at enterprises due to the widening availability of ready-to-use hacking tools. These tools, including exploit kits, infostealers, scanners, password<\/a> crackers, and attack simulation tools, are commonly available on forums and darknet markets<\/a> and significantly lower the barrier to launching serious cyberattacks.<\/span><\/span><\/span><\/span><\/span><\/p>\n

As the market for pre-made tools continues to expand, cybercriminals with little to no technical expertise are now able to quickly find and purchase existing scripts to launch attacks on computer systems and networks.<\/span><\/p>\n

Deciphering How Actors Move Across The Cyber Attack Lifecycle<\/strong><\/h2>\n

Though cyber threat actors are moving swiftly, there are ways for enterprise businesses to stay ahead and safeguard their critical data and systems. Understanding how actors maneuver<\/a> before and during their attacks allows defenders to put the right safeguards in place.<\/span><\/p>\n
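One concrete defender-side speed gain follows from the mass-scanning behaviour described above: if scanning of your perimeter can start within minutes of a disclosure, the first alert should fire within seconds of the scan itself, not after the scanner has found a hit. The following is an added example, not code from the original post or from the Cyber Leadership Institute. It assumes web-server access logs in the common "combined" format; the sample log lines, the probe paths, the 60-second window and the thresholds are constructed and illustrative rather than observed data.

```python
"""Detect burst scanning of web-exposed hosts from access logs.

Added example for the post above; not code from the original article.
Assumes Apache/nginx "combined" log format. The sample lines, probe
paths, the 60-second window and the thresholds are constructed and
illustrative, not observed data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [timestamp] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 203.0.113.7 walks a list of login/config paths that
# scanners commonly probe, all of which 404 on this host, in about ten
# seconds; 198.51.100.20 is an ordinary visitor browsing a few pages.
SAMPLE_LOG = """\
198.51.100.20 - - [16/Jan/2024:09:13:55 +0000] "GET / HTTP/1.1" 200 5123
203.0.113.7 - - [16/Jan/2024:09:14:01 +0000] "GET /owa/auth/logon.aspx HTTP/1.1" 404 153
203.0.113.7 - - [16/Jan/2024:09:14:02 +0000] "GET /global-protect/login.esp HTTP/1.1" 404 153
198.51.100.20 - - [16/Jan/2024:09:14:03 +0000] "GET /about HTTP/1.1" 200 2210
203.0.113.7 - - [16/Jan/2024:09:14:04 +0000] "GET /remote/login HTTP/1.1" 404 153
203.0.113.7 - - [16/Jan/2024:09:14:05 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 404 153
203.0.113.7 - - [16/Jan/2024:09:14:07 +0000] "GET /.env HTTP/1.1" 404 153
198.51.100.20 - - [16/Jan/2024:09:14:09 +0000] "GET /contact HTTP/1.1" 200 1800
203.0.113.7 - - [16/Jan/2024:09:14:10 +0000] "GET /wp-login.php HTTP/1.1" 404 153
203.0.113.7 - - [16/Jan/2024:09:14:12 +0000] "POST /api/v1/login HTTP/1.1" 404 153
198.51.100.20 - - [16/Jan/2024:09:14:30 +0000] "GET /about HTTP/1.1" 200 2210
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_scanners(lines, window_seconds=60, min_distinct_paths=5,
                    min_error_ratio=0.6):
    """Return {ip: alert} for sources whose request pattern looks like scanning.

    A source is flagged on the first request at which, within the trailing
    window, it has hit at least `min_distinct_paths` distinct paths and at
    least `min_error_ratio` of those requests returned 4xx/5xx. Because the
    alert is raised on that request rather than at the end of the log, the
    reported latency is the time from the source's first request to the
    alert: the number a speed-focused SOC wants to drive down.
    """
    windows = defaultdict(deque)   # ip -> deque of (ts, path, status)
    first_seen = {}
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue               # skip malformed lines instead of crashing
        ip, ts = rec["ip"], rec["ts"]
        first_seen.setdefault(ip, ts)
        if ip in alerts:
            continue               # already alerted; one alert per source
        win = windows[ip]
        win.append((ts, rec["path"], rec["status"]))
        while (ts - win[0][0]).total_seconds() > window_seconds:
            win.popleft()          # drop requests that fell out of the window
        distinct = {p for _, p, _ in win}
        errors = sum(1 for _, _, s in win if s >= 400)
        if len(distinct) >= min_distinct_paths and errors / len(win) >= min_error_ratio:
            alerts[ip] = {
                "first_seen": first_seen[ip],
                "alert_at": ts,
                "latency_seconds": (ts - first_seen[ip]).total_seconds(),
                "distinct_paths": sorted(distinct),
                "requests_in_window": len(win),
            }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: scan alert after {alert['latency_seconds']:.0f}s, "
              f"{alert['requests_in_window']} probes: {alert['distinct_paths']}")
```

On the constructed sample the scanner is flagged on its fifth probe, six seconds after its first request, while the ordinary visitor (three distinct pages, all 200) never trips the rule. The thresholds are the tuning knobs: legitimate crawlers and broken links also produce 404 bursts, so in production this rule is paired with an allowlist of known crawlers and fed into the same pipeline that tracks the vulnerability's patch status, so that a scan for a just-disclosed CVE against an unpatched host is the alert that gets paged first.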