
You Have Around 20 Minutes To Contain a Russian APT Attack (zdnet.com)

When a Russian nation-state actor attacks a government or a private organization, they have about 20 minutes to detect and contain the attack. From a report: New statistics published today by US cyber-security firm Crowdstrike ranked threat groups based on their "breakout time." "Breakout time" refers to the time a hacker group takes from gaining initial access to a victim's computer to moving laterally through its network. This includes the time the attacker spends scanning the local network and deploying exploits in order to escalate his access to other nearby computers.

[...] According to data gathered from 2018 hack investigations, CrowdStrike says Russian hackers (which the company calls internally "Bears") have been the most prolific and efficient hacker groups last year, with an average breakout time of 18 minutes and 49 seconds.

  • by 110010001000 ( 697113 ) on Tuesday February 19, 2019 @11:25AM (#58145136) Homepage Journal
    With enough vodka I do it in 10.
  • 'APT' attack? (Score:3, Interesting)

    by Necron69 ( 35644 ) <jscott...farrow@@@gmail...com> on Tuesday February 19, 2019 @11:35AM (#58145200)

    I admit I had to Google that one. Stupid article doesn't explain the name at all, and here I was thinking we had some big new Debian/Ubuntu vulnerability.

    - Necron69

    • Re:'APT' attack? (Score:4, Interesting)

      by aaarrrgggh ( 9205 ) on Tuesday February 19, 2019 @11:44AM (#58145252)

      While it didn't register, I was able to come up with Advanced Persistent Threat on my own given the summary.

    • by Anonymous Coward

      Will mock handicapped reporters and tweet insults that make you feel sick

  • Honeypots (Score:5, Insightful)

    by goombah99 ( 560566 ) on Tuesday February 19, 2019 @11:46AM (#58145268)

    I've wondered for some time why Honeypots are not a near-universal solution to this. That is, each router can host a bunch of fake servers with real IP addresses on the network, then watch for intrusion, attempted or real, on these fake nodes. You don't need a lot of horsepower backing the fake nodes since they are not doing anything except mimicking a normal level of net traffic to other computers, so it's not a burden on the system or the routers. And if one was worried the hackers could eventually learn to spot these virtual nodes in the routers (perhaps via hacking the router itself), then one could also sprinkle in a few real computers on the network acting as honey pots.

    In any event, any attempt to break in or a successful one on a honey pot, is 100% evidence the network is experiencing lateral intrusions and you just shut it down immediately.

    What's the catch?

    • What's the catch?

      Headlines, drama, intrigue, excitement! We need these stories to keep our eyes on the prize.

    • by Shaitan ( 22585 )

      "What's the catch?"

      Time, effort, resources. This is all very very expensive in all three areas since devs are being used as part-time admins it only gets worse.

    • by N1AK ( 864906 )
    I can't help but think there will be some obvious answer, but for once this is a suggestion on Slashdot that does seem to make quite a lot of sense. You can put a lot of security in place, but a lot of the escalated response steps are often manual. If my firewall IPS detects something it can stop that traffic, but a larger response would need to be triggered by an employee and we don't have a 24/7 IT Ops desk, so it could be 10+ hours between the first IPS and someone acting. If your typical attack happens
    • Re:Honeypots (Score:5, Insightful)

      by jbmartin6 ( 1232050 ) on Tuesday February 19, 2019 @12:35PM (#58145634)
      It's not quite so simple. From what I've seen in pen tests and attacks, fake network nodes are not effective. Attackers aren't blindly flailing around breaking into whatever host they find. They are following various bits of information which they find on each link in the chain, either by examining domain structures, local documents on workstations, and the like. At least you would have to add your honeypots to AD or other information sources so attackers would find them, then tune out all the noise from legitimate tools and processes which try to access your honeypots for network inventory, vulnerability scans, host management, etc. Deception as a defense strategy is not a bad idea, it just takes some thought to put it where attackers are likely to find it but legitimate processes or curious users don't stumble across it. Meanwhile, AD and system admins are cautious about injecting anomalous data into their babies.

      Some folks are using virtual infrastructure to place fake workstations around, so that attackers in the early 'get any Windows credential hash and see where it leads' stage can trip across them and set off alarms. This is aimed at tools like Responder and the like which try to get other nodes to send them an authentication exchange. One thing that should exist, and AFAIK does not, is a way to add well disguised fake credentials to the local Windows system, since that is usually the first place an attacker will look once they gain their foothold. There are commercial tools which will do this, for a price, but no reliable way to make a convincing decoy on the cheap.
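The two posts above describe the same defensive problem: a decoy host only helps if a touch on it is turned into an alarm, and the alarm is only useful once the expected noise from vulnerability scanners and inventory tools is tuned out. The following is an added example, not code from the article or from any commenter, that runs that logic over a few constructed connection-log lines: it flags any non-allowlisted internal host that reaches a decoy address, groups hits by source so a host walking across several decoys stands out, and records the first touch per source so the response clock the summary talks about has a start time. All addresses, the log format and the allowlist are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: decoy hosts that hold real addresses on the internal network.
DECOY_HOSTS = {"10.0.5.20", "10.0.5.21", "10.0.7.200"}
# Hypothetical sources that legitimately touch every host (vuln scanner, inventory
# server); their traffic to decoys is the "noise" that must be tuned out.
ALLOWED_SOURCES = {"10.0.1.5", "10.0.1.6"}

@dataclass
class DecoyAlert:
    ts: datetime
    src: str
    dst: str
    dport: int

def parse_line(line):
    # Constructed log format: "<ISO timestamp> <src> -> <dst>:<port> <proto>"
    ts, src, _, dst_port, _proto = line.split()
    dst, dport = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(dport)

def decoy_alerts(lines, decoys=DECOY_HOSTS, allowed=ALLOWED_SOURCES):
    """Return one alert per connection to a decoy from a non-allowlisted source."""
    alerts = []
    for line in lines:
        ts, src, dst, dport = parse_line(line)
        if dst in decoys and src not in allowed:
            alerts.append(DecoyAlert(ts, src, dst, dport))
    return alerts

def lateral_sources(alerts):
    """Map each alerting source to the set of decoys it touched; more than one
    decoy from the same source is the lateral-scanning pattern, not a stray hit."""
    by_src = {}
    for a in alerts:
        by_src.setdefault(a.src, set()).add(a.dst)
    return by_src

def first_touch(alerts):
    """Earliest decoy hit per source: the point from which the containment clock runs."""
    first = {}
    for a in alerts:
        first[a.src] = min(first.get(a.src, a.ts), a.ts)
    return first

# Constructed log lines: scanner noise, ordinary host-to-host traffic, and one
# workstation that walks across three decoys within a few minutes.
SAMPLE_LOG = [
    "2019-02-19T11:00:05 10.0.1.5 -> 10.0.5.20:22 tcp",
    "2019-02-19T11:02:10 10.0.3.44 -> 10.0.3.45:445 tcp",
    "2019-02-19T11:05:30 10.0.3.44 -> 10.0.5.20:445 tcp",
    "2019-02-19T11:06:02 10.0.3.44 -> 10.0.5.21:445 tcp",
    "2019-02-19T11:07:40 10.0.1.6 -> 10.0.7.200:135 tcp",
    "2019-02-19T11:09:15 10.0.3.44 -> 10.0.7.200:3389 tcp",
]
```

Running `lateral_sources(decoy_alerts(SAMPLE_LOG))` yields only the workstation, with all three decoys attributed to it, while both allowlisted tools are silently dropped.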
    • The catch is that you need manpower to actually have someone look at the honeypots, declare there is an attack in progress, and start disconnecting stuff. However, in most IT environments, not many employees will actually do so unless they have 100% evidence to do so, for fear they will be fired for crying wolf. In fact, IT people may get fired regardless of catching the attack in progress because "it happened on their watch."

      For a small startup with C-level people, this would work and even provide some e

  • They have a few years actually building secure infrastructure instead of the insecure crap most have in place. If you are not prepared, even advanced script-kiddies can get in.

  • Once you've been breached you're at least 2-3 years too late to contain the issue. These "nation state" hackers typically aren't the best in the field. They get in through inept security IT people above all else.

    These companies have something to sell you - containment is a poor security strategy but sadly most companies won't invest until something happens so containment is their only strategy.

    • Once you've been breached you're at least 2-3 years too late to contain the issue. These "nation state" hackers typically aren't the best in the field. They get in through inept security IT people above all else.

      Seems to me then that they are exploiting the biggest un-patched vulnerability in the system. That is not a sign of lacking skill, it is a sign of intelligence. You don't launch a frontal assault on the city walls through a hailstorm of arrows and cannon balls when you can sneak in through the sewers and surprise the defenders. What the Russians have done is send their intelligence services after the best criminal hackers and confront them with a choice, either they drop everything and go to work for the intel

    • by mlyle ( 148697 )

      Oh, come on. The personnel may be uneven, but nation states both have very, very nasty toolkits to assist spread, concealment, and information extraction... and they buy zero-days.

      An initial foothold on the network can only be prevented by A) inability to be exploited by undisclosed exploits and B) perfect end-user practices to not inadvertently cooperate with attackers. Otherwise, we're in the scenario described above.

  • Well, Crowdstrike sells endpoint detection and response software, so the claim has to be taken with a grain of salt. But the real problem lies here:

    "Breakout time" refers to the time a hacker group takes from gaining initial access to a victim's computer to moving laterally through its network...The "breakout" metric is crucial for organizations, as this is the time they have to detect infections and isolate hacked computers before a simple intrusion turns into a compromise of its entire network.

    Getting lateral movement is just one of the early steps in the chain, not the game over moment. Nor does it mean 'the entire network' is compromised. Attacker still has to locate what they need on the network and then get access to it, and then exfiltrate it (for stealing data) or break it. In other words, you still have a lot more than 20 minutes to detect and

  • by CaptainDork ( 3678879 ) on Tuesday February 19, 2019 @12:47PM (#58145726)

    Mobil Oil, ca. 1986. We had a fractional T1 connecting Beaumont, Dallas and Reston, Va.

    I was senior network engineer in Beaumont. Got a call from Dallas that a hacker* was crawling all over the place.

    I pulled the Ethernet cable on my Cisco router while I was on the phone.

    Reston started calling, freaking out. It never occurred to the other blokes that bad guys ride wires.

    *The hacker was actually a Joe Cool Kollidge Kid working for us who hooked Mobil to Lamar University in Beaumont to his home computer.

    Ah, the learning days. I miss those.

  • Assuming you know **it about it.
  • by dweller_below ( 136040 ) on Tuesday February 19, 2019 @02:08PM (#58146334)

    The US has been attacking multiple countries via the Internet for years. We did it first. We did it best. Yay US. Years ago, our doctrine was that Internet attack was a favorable option, because it had less unfortunate consequences than physical attack. But now, Internet attack can be much more devastating than physical attack. And the US has the most to lose in Internet attack.

    The US economy is totally dependent on the Internet. Internet attack can cripple or destroy us. We can no longer afford to legitimize Internet attack. The past aggressive internet attacks by the US, China and Russia have legitimized Internet attack for all the remaining governments. EVERYBODY who has anything valuable now gets a chance to receive targeted, remote attack by several governments, PLUS targeted attack by the many organized crime groups.

    The US must formally cease undeclared war via the Internet. We must work with all other governments to ensure that we ALL stop waging undeclared war via the Internet.

    • by _merlin ( 160982 )

      Nice sentiment, but the cat's out of the bag and you can't put the genie back in the bottle. Welcome to the brave new world where you have to assume anything connected to the Internet will be attacked, whether it's by your own government, another government, a competing business, a black hat, or kids doing it for the lulz. Yeah, I miss the old, friendly Internet as much as anyone, where we could run recursing DNS servers, open mail relays, TCP small services, and unencrypted web servers. But it hasn't ex
