The First 5 Minutes of a Cyberattack: What Happens, and What to Do
In the early stages of a live cyberattack, time is both your ally and your enemy. The quicker you can identify and contain the attack, the better. But the longer a hacker is in your systems, the greater the likelihood that you’re going to experience a significant breach and potential loss.
“Everyone’s goal in an attack is data exfiltration,” says Open Systems chief cloud officer Paul Keely. “Their first move is to go laterally, their second is to establish permanence, and their third to get data out.
The good news is that generally attackers move slowly on entry. The bad news is that the more caution and patience they exhibit, the less likely you are to notice them. And, they don’t always move cautiously. While In some cases Keely’s seen corporations that were in breach for over a year thanks to a very subtle hack, he’s also seen an oil pipeline attack in the U.S. where attackers were encrypting systems and taking control within minutes of entry.
Increasingly, the problem is “sophisticated unsophisticated” attacks, where the attackers have incredibly powerful tools, built by experts, and operated by pretty much anyone who can use Word or Google via a graphical user interface.
I recently spent some time with Keely to talk about those first few minutes: what happens, and what security teams should do to maximize their chances of quick detection and minimizing both access and damage.
The first thing to implement is multiple layers of defense.
“Ideally what happens in a breach is somebody breaks into one or two doors, but they're held in that environment,” Keely says. “People hate having firewalls on their local machines, but having a firewall on the local machine just makes it really hard for stuff to spread to other areas.”
Too many organizations still have the “castle mentality” … if I'm inside these strong walls, I'm safe. The reality is that just simply isn’t true, and what you want from a cybersecurity perspective is for an attacker who has successfully broken through one set of doors to face another set immediately. Slowing hackers down and forcing them to try to circumvent multiple barriers increases your chances of stopping them in their tracks.
A large portion of that is relatively simple.
Some parts are even easy, at least with the right mentality.
“The best ways to frustrate an attacker are to have just basic cyber hygiene: keep devices up to date and run devices in low privilege, run antivirus, run EDR software on the device, have a firewall, and be using least privilege,” Keely says.
The last part is key to minimizing north-south access to other services and east-west access to other locations when attackers break into a single machine.
One hospital that Keely worked with had domain administrators who were logging into desktops. That means they’ve potentially left Kerberos keys on those devices that would provide exactly what attackers need to go deeper into your systems. The priority is to separate out accounts and not have any “keys to the kingdom” accounts that provide blanket access to multiple systems.
“Domain admins should not have local admin access to any desktops,” Keely says. “It should be a desktop support team who have access to that, and the desktop support team accounts should have no access to any server infrastructure, cloud infrastructure … it’s basic stuff.”
There simply are too many companies where domain admins set up AD Connect and Office 365 and use the same accounts in both, meaning that hackers who get into an on-prem account can then get access to everything on-prem across those environments.
What about after a breach?
Part of the problem when dealing with malware and cybersecurity incidents quickly and decisively is shame, and Keely says that’s ridiculous.
“People in banks aren't embarrassed and ashamed when somebody walks in with a gun and says, give me your money. But when we suffer a cyberattack, there’s this element of ‘somebody was at fault’ or ‘you should be embarrassed about it.”
That’s inherently unfair, Keely says: attackers only have to win once, while defenders have to win every time … while not knowing precisely how they’ll be attacked and where the attack is coming from.
The key is to be prepared in advance to shut down as many attacks as possible, to limit access and damage to those attacks that succeed, and to be able to respond as quickly as possible to anything dangerous. That ability to respond – and your ability to limit the damage – is tied to three questions that you’ll need to be able to answer in the event of a successful attack:
How did they get here?
What did they do?
Where did they go?
Being able to properly answer those questions will help you and any experts you work with to be able to isolate the problem, cleanse machines and data, and recover from any impacts.