Tag Archives: Dwell time

Security News for the Week Ending May 13, 2022

Chinese Sponsored OPERATION CUCKOOBEES Active for Many Years

Researchers with cybersecurity firm Cybereason briefed the FBI and Justice Department as early as 2019 about Operation CuckooBees, an alleged espionage effort by Chinese state-sponsored hackers (tracked as Winnti or APT41) to steal proprietary information from dozens of defense, energy, biotech, aerospace and pharmaceutical companies. The victims include some of the largest companies in North America, Europe and Asia. The attacks go back to at least 2019 and have netted intellectual property, R&D data, and diagrams of fighter jets, helicopters, missiles and more. Credit: The Record

Spain’s Spy Chief Fired After News She Hacked Spanish Politicians

I guess they don’t like it when you use the laws they created against them. It doesn’t appear that she did anything illegal; she got a court order and everything. But it was them she was spying on. Her other problem was that dozens of other government officials, including the PM and the Defense Minister, were also spied on, and it is not clear by whom. Their phones had been declared spyware-free, but they were not. Credit: Security Week

EU Proposes to Kill Child Abuse by Killing Privacy

The challenge of curbing kiddie porn, more politely called child sexual abuse material (CSAM), is hard. End-to-end encryption makes it even harder. One current EU proposal would require providers to scan all communications, which amounts to banning end-to-end encryption. It would not technically be banned; it would just be impossible to offer it and still comply with the proposed regulations. The stupid pedophiles might be caught by this, but the smart ones would encrypt the material themselves before uploading it, or use other methods. If we have learned one thing over the years, it is that the bad guys adapt much more quickly than the law does. Of course, encrypted material might stand out, but if they intentionally generate a lot of chaff to hide what they are doing, it might not: a botnet could create terabytes of encrypted garbage in no time, making the carriers’ job impossible. The proposal also requires providers to read the text of every message and email, looking for signs of prohibited content. Credit: The Register

Colorado’s CBI Warns of Fraudulent Real Estate Transactions

My guess is that this is not limited to Colorado, and this is not really a new scam, but the CBI says it is ramping up quickly. The scam works like this: a supposed out-of-state seller wants to sell a property, either a house or vacant land, that currently has no mortgage. The fraudster impersonates the owner and looks for a buyer who wants a quick close. The whole transaction is done remotely, by mail, using a fraudulent deed. Do your due diligence, whether you are an agent or a buyer. Credit: CBI and Land Title Association

Mandiant Says Hackers Are Dwelling Inside for Fewer Days

Security firm Mandiant (soon to be part of Google) says that the median number of days hackers lurk inside your systems before being detected continues to decrease. It now stands at just 21 days. This is likely, at least in part, because hackers worry about being detected before they can detonate their attack, as companies and governments get more serious about fighting cybercrime. It also means you have less time than ever to spot the bad actors before they act. Are you prepared? Credit: Data Breach Today

Better, but not Good Enough

There is a term in the cyber security world called dwell time. Dwell time is the amount of time between an attacker breaking in and the defenders figuring that out.

In 2011 the median dwell time Mandiant measured was over 400 days. According to the just-released Mandiant report, that number is now down to about 100 days.

Over half of the attacks are discovered by the company that was hacked, but more than a third are still discovered by outsiders such as law enforcement.

Compare that 100 days to this: Verizon’s breach report says that the time from the attacker’s first action to compromise is measured in seconds, or maybe minutes. That gives the attackers 99 days and change to laugh.

Information for this post came from Dark Reading.

Given this insane difference between the time to compromise and the time to be discovered, what should you be doing?

First, the amount of auditing or logging that companies do needs to increase dramatically. If you are not auditing the right events (logons, both failed and successful; privilege changes; new accounts, services and scheduled tasks; and the like), you cannot detect attacks, because the evidence is never recorded.

Second, there needs to be an effective alerting process. Effective means not too much and not too little. Too many alerts and the people watching them tune them out; too few and attacks slip through. Like Goldilocks, just right – but if you have to err, unfortunately, err on the side of too much.

Third, once those alerts are generated, there needs to be an effective response plan. There are plenty of breaches where the alerts fired and were then ignored, or never even seen.
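Here is an added example, not code from the original post or from Mandiant or Verizon, that runs the three steps above over a handful of constructed sshd log lines: it parses the audited logon events, fires threshold alerts, suppresses repeats of the same alert so a responder is not flooded, and records how long the attacker had been active before anyone noticed, which is this incident’s dwell time. The hostname, IP addresses, log lines, thresholds and windows are all constructed or assumed for illustration; the rule names are mine.

```python
"""Added example: threshold alerting over audited auth events, with alert suppression.

Not code from the original post or from Mandiant/Verizon. Log lines, hosts, IPs,
thresholds and windows below are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sshd-style auth log (classic syslog carries no year; we assume 2022).
SAMPLE_LOG = """\
May 10 02:14:01 web01 sshd[4121]: Failed password for admin from 203.0.113.7 port 51022 ssh2
May 10 02:14:03 web01 sshd[4121]: Failed password for admin from 203.0.113.7 port 51023 ssh2
May 10 02:14:05 web01 sshd[4121]: Failed password for admin from 203.0.113.7 port 51024 ssh2
May 10 02:14:06 web01 sshd[4121]: Failed password for admin from 203.0.113.7 port 51025 ssh2
May 10 02:14:08 web01 sshd[4121]: Failed password for admin from 203.0.113.7 port 51026 ssh2
May 10 02:14:09 web01 sshd[4121]: Failed password for admin from 203.0.113.7 port 51027 ssh2
May 10 02:14:11 web01 sshd[4125]: Accepted password for admin from 203.0.113.7 port 51028 ssh2
May 10 09:30:00 web01 sshd[5100]: Accepted publickey for deploy from 198.51.100.20 port 40000 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Tuning knobs: the "Goldilocks" settings. Lower threshold / longer windows = more alerts.
FAIL_THRESHOLD = 5                       # failures from one source before we alert
FAIL_WINDOW = timedelta(minutes=2)       # failures older than this no longer count
SUPPRESS_WINDOW = timedelta(minutes=10)  # do not re-raise the same (rule, source) within this


class Event(NamedTuple):
    ts: datetime
    user: str
    src: str
    outcome: str  # "Failed" or "Accepted"


def parse_line(line: str, year: int = 2022):
    """Return an Event for sshd login lines, or None for lines we do not audit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return Event(ts, m["user"], m["src"], m["outcome"])


def detect(lines, year: int = 2022):
    """Run the rules over log lines in order; return the alerts that survive suppression."""
    failures = defaultdict(deque)   # src -> timestamps of recent failed logins
    last_alert = {}                 # (rule, src) -> when we last alerted on it
    alerts = []

    def raise_alert(rule, ev, first_seen):
        prev = last_alert.get((rule, ev.src))
        if prev is not None and ev.ts - prev < SUPPRESS_WINDOW:
            return  # duplicate of an alert the responder already has; keep the queue quiet
        last_alert[(rule, ev.src)] = ev.ts
        alerts.append({
            "rule": rule,
            "src": ev.src,
            "user": ev.user,
            "at": ev.ts.isoformat(),
            # How long the attacker had been active before we noticed: this incident's dwell time.
            "seconds_since_first_action": int((ev.ts - first_seen).total_seconds()),
        })

    for line in lines:
        ev = parse_line(line, year)
        if ev is None:
            continue
        recent = failures[ev.src]
        while recent and ev.ts - recent[0] > FAIL_WINDOW:
            recent.popleft()        # forget failures that fell out of the window
        if ev.outcome == "Failed":
            recent.append(ev.ts)
            if len(recent) >= FAIL_THRESHOLD:
                raise_alert("ssh_bruteforce", ev, recent[0])
        elif recent:
            # A success right after a burst of failures from the same source is the event
            # that matters most: the guessing probably worked. If successful logons were
            # not audited (step one above), this rule could never fire.
            raise_alert("ssh_success_after_failures", ev, recent[0])
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample log this produces exactly two alerts, both for 203.0.113.7: the brute-force alert at the fifth failure (seven seconds after the attacker’s first action) and the success-after-failures alert three seconds later. The sixth failure would have produced a second brute-force alert, and the suppression window is what stops that; the unrelated deploy login produces nothing. The windows are the trade-off the text describes: a two-minute failure window misses an attacker patient enough to wait between guesses (too little), while a threshold of one would page on every typo (too much).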

It is not a simple problem, but it is solvable. If we have cut dwell time from 400 days to 100 days, can we cut it from 100 to 25, or less? Improvement is incremental.