Speed defines both the success of the defender and the attacker.
This year has already proven to be an active year for cybersecurity policy on Capitol Hill. In the first 90 days of the year, there have been dozens of bills introduced by Congress. The majority of these bills urge government agencies to prioritize cybersecurity by adopting innovative practices aimed at securing sensitive networks, while others bring legislative action to emerging technologies.
While many of these proposals are admirable and include credible suggestions, few acknowledge the most essential concept in cyber: speed. Cybersecurity is a domain driven by speed and resilience in the face of an adversary. Speed defines both the success of the defender and the attacker. And, as the number of devices connecting to government networks continues to increase exponentially, the number of new infiltration and exfiltration points multiplies, making speed to detect intruders even more crucial.
To combat the quickness of sophisticated adversaries, CrowdStrike recommends following the 1-10-60 rule, which is guidance for what it takes to defeat adversaries: one minute to detect, ten minutes to investigate, and one hour to remediate. CrowdStrike Co-founder and Chief Technology Officer Dmitri Alperovitch testified before the Senate Armed Services Committee’s Subcommittee on Cybersecurity at the end of 2018 and focused heavily on both the importance of the 1-10-60 rule and adversary breakout time.
Last year, CrowdStrike conceptualized breakout time to illustrate adversarial behavior on the network. Breakout time is the time it takes an intruder to begin moving laterally onto other systems beyond the initial “beachhead” they’ve established within a network. It’s the ideal metric for tracking an adversary’s quality of operational tradecraft because it encompasses the pace at which they operate as well as the sophistication of the tactics used. In 2018, the average breakout time clocked in at just 1 hour and 58 minutes. That’s less than two hours from event zero of an incident to when the adversary has conducted material damage.
The CrowdStrike 2019 Global Threat Report, “Adversary Tradecraft and the Importance of Speed,” clearly showcases that adversaries are getting faster and smarter. CrowdStrike’s research shows that state-sponsored adversaries out of Russia are almost eight times faster, on average, than their nearest competitor, while North Korean-based threat actors were on average almost twice as fast as Chinese state-sponsored adversaries. The pace at which these adversaries are operating has not demonstrated any signs of slowing down, nor is the size or scope of their attacks diminishing in any way. Measuring adversarial breakout time illustrates the critical role speed plays in staying ahead of rapidly evolving threats. If one thing is clear, government agencies must be faster. By leveraging innovative tools and technology and by adapting to the latest techniques and processes, government operators will be more effective in their mission to stay one step ahead of the adversary.
Fully tracking adversaries and their breakout times means also tracking organization’s speed to detect, investigate and remediate. This is crucial to mounting an effective defense. In adopting this approach to cybersecurity, the importance of speed in security operations is elevated, ultimately uncovering performance gaps and simplifying oversight measures. The result will be stronger accountability to defeat even the most sophisticated and agile adversaries.
It is not a matter of preventing the initial compromise—this is a known impossibility. It is a matter of getting a handle on speed and setting a high standard of accountability when it comes to ejecting adversaries and remediating threats. Once an attacker is in a system, history has proven that what began as a minor security event will likely turn into a full breach, requiring a lengthy and complex incident response effort. We’ve seen this scenario repeated time and again in government networks. While policy steps are an important piece to the puzzle, government and commercial enterprises must adopt proven strategies that apply expert-level precision in taking real steps to gain the edge on speed.
James Yeager is vice president of Public Sector and Healthcare for CrowdStrike.