The 475-day siege: APAC firms' breach detection times are getting worse

05 Apr 2018

Despite increasing security investments, increasing awareness, and increasing security breaches, it is taking Asia Pacific organisations more than a year to detect cyber threats - the longest of any region in the world.

The shocking statistics from FireEye’s M-Trends 2018 report show APAC organisations have gotten worse at detecting breaches – in 2016 the average time to detection was 172 days, but that has now tripled to a median of 498 days.

The huge change in numbers suggests that attackers targeting APAC firms are able to maintain access to compromised organisations for far too long.

The maximum observed dwell time in an APAC firm reached 2085 days, or almost six years. 

“Unfortunately, if you’ve been breached, our statistics show that you are much more likely to be attacked and suffer another breach. If you have not taken steps to enhance your security posture, you are taking a significant risk,” the report says.

APAC organisations also typically found out about threats via their own internal sources (57%), rather than via external notifications (43%).

Organisations in the Americas, and to some extent those in EMEA, are more adept at detecting threats. In the Americas, the median dwell time dropped from 99 days to 75.5 days between 2016 and 2017.

In EMEA, however, the median dwell time increased from 106 days to 175 days between 2016 and 2017.

The report goes on to say that once an organisation becomes a target, it is likely to be attacked again. Globally, 49% of customers that experienced one significant attack were successfully attacked again within one year.

Asia Pacific organisations are twice as likely to experience multiple incidents from multiple attackers compared to those in EMEA and North America.

91% of APAC respondents that had experienced one significant attack expect more attack activity in the next year. Of those, 82% believe multiple attackers will be identified over the life of their service.

The report details a case study that involved a large company in Asia that was targeted through Remote Desktop Protocol.

“The breach was identified through the discovery of an unauthorized database administrator account on a billing database server.

“The company’s internal investigation uncovered unauthorised RDP logons by a local administrator account to a legacy web server. The attacker then connected to and tunnelled connections through an intermediary system in the client environment.

“From the intermediary system, the attacker was able to access a database server using a separate database administrator account. The client quickly identified and decommissioned the web server and other legacy systems and changed the password of accounts used by the attacker.”

The attacker apparently installed a number of backdoors, keyloggers, and network traffic tunnellers, including the Gh0stRAT backdoor and the China Chopper web shell.
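The case study above describes a chain a defender can hunt for: an RDP logon by a machine-local administrator account onto a legacy server, a second RDP hop from that server through an intermediary, and a privileged database account that nobody approved. The following script is an added example, not code from the FireEye report or the company involved; it runs three such rules over a constructed list of simplified logon and database-audit events. The host names, account names, timestamps and the `LEGACY_HOSTS` and `APPROVED_DBA_ACCOUNTS` inventories are all invented for illustration.

```python
"""Hunt for the RDP-hop-to-database pattern in logon and DB audit events.

Added example (not from the M-Trends report). Events are a constructed,
simplified form of Windows Security event 4624 (logon type 10 =
RemoteInteractive, i.e. RDP) plus a database audit record for account
creation. All names and times below are invented.
"""
from datetime import datetime, timedelta

# Constructed inventory: hosts known to be legacy, and DBA accounts that are
# approved to exist. In practice these come from a CMDB / IAM export.
LEGACY_HOSTS = {"web-legacy-01"}
APPROVED_DBA_ACCOUNTS = {"dba_svc"}
RDP_LOGON_TYPE = 10  # real 4624 LogonType value for RemoteInteractive

# Constructed sample events in chronological order. "local" marks a
# machine-local account (TargetDomainName equals the host name in a real 4624).
EVENTS = [
    {"ts": "2018-01-10T02:14:00", "kind": "logon", "logon_type": 10,
     "account": "administrator", "local": True,
     "src": "10.0.5.23", "dst": "web-legacy-01"},
    {"ts": "2018-01-10T02:20:00", "kind": "logon", "logon_type": 10,
     "account": "administrator", "local": True,
     "src": "web-legacy-01", "dst": "jump-07"},
    {"ts": "2018-01-10T02:31:00", "kind": "logon", "logon_type": 10,
     "account": "dba_svc", "local": False,
     "src": "jump-07", "dst": "db-billing-02"},
    {"ts": "2018-01-10T02:35:00", "kind": "db_account_created",
     "account": "dba_backup2", "by": "dba_svc", "dst": "db-billing-02"},
    {"ts": "2018-01-10T09:00:00", "kind": "logon", "logon_type": 10,
     "account": "jsmith", "local": False,
     "src": "10.0.8.11", "dst": "jump-07"},
]


def parse_ts(value):
    """ISO-8601 timestamp string -> datetime."""
    return datetime.fromisoformat(value)


def rdp_logons(events):
    """Only RDP (logon type 10) logon events, oldest first."""
    return sorted(
        (e for e in events if e["kind"] == "logon" and e["logon_type"] == RDP_LOGON_TYPE),
        key=lambda e: parse_ts(e["ts"]),
    )


def find_local_admin_rdp_to_legacy(events):
    """Rule 1: machine-local 'administrator' logging on over RDP to a legacy host."""
    return [
        e for e in rdp_logons(events)
        if e["local"] and e["account"].lower() == "administrator"
        and e["dst"] in LEGACY_HOSTS
    ]


def find_rdp_chains(events, window=timedelta(hours=1)):
    """Rule 2: an RDP hop A->B followed within `window` by a hop B->C.

    Returns (A, B, C) triples; B is the intermediary the attacker pivots through.
    """
    logons = rdp_logons(events)
    chains = []
    for i, first in enumerate(logons):
        t0 = parse_ts(first["ts"])
        for second in logons[i + 1:]:
            if parse_ts(second["ts"]) - t0 > window:
                break  # list is sorted, nothing later can be inside the window
            if second["src"] == first["dst"]:
                chains.append((first["src"], first["dst"], second["dst"]))
    return chains


def find_unapproved_dba_accounts(events):
    """Rule 3: database administrator accounts created outside the approved inventory."""
    return [
        e["account"] for e in events
        if e["kind"] == "db_account_created"
        and e["account"] not in APPROVED_DBA_ACCOUNTS
    ]


def run_hunt(events):
    """Apply all three rules and return a summary dict of findings."""
    return {
        "local_admin_rdp_to_legacy": find_local_admin_rdp_to_legacy(events),
        "rdp_chains": find_rdp_chains(events),
        "unapproved_dba_accounts": find_unapproved_dba_accounts(events),
    }


if __name__ == "__main__":
    for rule, hits in run_hunt(EVENTS).items():
        print(f"{rule}: {hits}")
```

On real data the event fields map to 4624's `LogonType`, `IpAddress`, `TargetUserName` and `TargetDomainName`; the database side depends on the DBMS audit format. Rule 2 is deliberately generic: any chain of RDP hops through an intermediary within an hour is worth a look, and the hit here (`web-legacy-01` to `jump-07` to `db-billing-02`) is exactly the path the case study describes.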

The report also looks at red teaming and how the cybersecurity skills gap affects organisations.

FireEye says there are a number of takeaways from the report, including best practices such as data segregation, data protection, and network segmentation.

“We encourage organisations to hold incident response tabletop exercises to simulate typical intrusion scenarios. These exercises help expose participants – notably executives, legal personnel and other staff – to incident response processes and concepts. Additionally, organisations may want to consider partnering with professionals that specialise in defending against threats specific to the business.”

“Defenders have to get it right every single time, while threat actors only need to get it right once.”
