The 475-day siege: APAC firms' breach detection times are getting worse

05 Apr 2018

Despite increasing security investments, increasing awareness, and increasing security breaches, it is taking Asia Pacific organisations more than a year to detect cyber threats - the longest of any region in the world.

The shocking statistics from FireEye’s M-Trends 2018 report show APAC organisations have gotten worse at detecting breaches – in 2016 the average time to detection was 172 days, but that has now tripled to a median of 498 days.

The huge change in numbers suggests that attackers targeting APAC firms are able to maintain access to compromised organisations for far too long.

The maximum observed dwell time in an APAC firm reached 2085 days, or almost six years. 

“Unfortunately, if you’ve been breached, our statistics show that you are much more likely to be attacked and suffer another breach. If you have not taken steps to enhance your security posture, you are taking a significant risk,” the report says.

APAC organisations also typically found out about threats via their own internal sources (57%), rather than via external notifications (43%).

Organisations in the Americas, and to some extent those in EMEA, are more adept at detecting threats. In the Americas, the median dwell time dropped from 99 days to 75.5 days between 2016 and 2017.

In EMEA, however, the median dwell time increased from 106 days to 175 days between 2016 and 2017.

The report goes on to say that once an organisation becomes a target, it is likely to be attacked again. Globally, 49% of customers that experienced one significant attack were successfully attacked again within one year.

Asia Pacific organisations are twice as likely to experience multiple incidents from multiple attackers compared to those in EMEA and North America.

91% of APAC respondents that had experienced one significant attack expect more attack activity in the next year. Of those, 82% believe multiple attackers will be identified over the life of their service.

The report details a case study that involved a large company in Asia that was targeted through Remote Desktop Protocol.

“The breach was identified through the discovery of an unauthorized database administrator account on a billing database server.

“The company’s internal investigation uncovered unauthorised RDP logons by a local administrator account to a legacy web server. The attacker then connected to and tunnelled connections through an intermediary system in the client environment.

“From the intermediary system, the attacker was able to access a database server using a separate database administrator account. The client quickly identified and decommissioned the web server and other legacy systems and changed the password of accounts used by the attacker.”

The attacker apparently installed a number of backdoors, keyloggers and network traffic tunnellers, including Gh0st RAT and the China Chopper web shell.
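As an added illustration (not code from the report or from this article), the following Python sketch flags the two signals the case study turns on, RDP logons made with a machine-local administrator account and new accounts appearing on a database server, over constructed Windows Security events, and then works out the resulting dwell time. The hostnames, IPs, event fields, and the approved-account and server lists are all assumptions.

```python
from datetime import datetime

# Constructed sample events (not taken from the report). Field names mirror
# a few Windows Security log attributes: 4624 = logon (LogonType 10 is RDP),
# 4720 = user account created. Hostnames and IPs are placeholders.
EVENTS = [
    {"ts": "2017-03-01T02:14:00", "host": "legacy-web01", "event_id": 4624,
     "logon_type": 10, "user": "Administrator", "domain": "LEGACY-WEB01",
     "src_ip": "203.0.113.45"},
    {"ts": "2017-03-01T02:20:00", "host": "jump02", "event_id": 4624,
     "logon_type": 10, "user": "Administrator", "domain": "JUMP02",
     "src_ip": "10.0.5.23"},
    {"ts": "2017-03-01T02:41:00", "host": "billing-db01", "event_id": 4720,
     "subject_user": "svc_dba", "new_user": "dbadmin2"},
    {"ts": "2017-03-02T09:00:00", "host": "wks-115", "event_id": 4624,
     "logon_type": 10, "user": "jsmith", "domain": "CORP",
     "src_ip": "10.0.7.8"},
]
DB_SERVERS = {"billing-db01"}           # hosts where new accounts need review
APPROVED_DB_ADMINS = {"svc_dba"}        # accounts expected on DB servers
LOCAL_ADMIN_NAMES = {"administrator"}   # built-in local admin account names

def is_local_admin_rdp(ev):
    """RDP logon (type 10) using a machine-local admin account: the account's
    domain field equals the host name, so it is not a domain account."""
    return (ev["event_id"] == 4624 and ev.get("logon_type") == 10
            and ev["user"].lower() in LOCAL_ADMIN_NAMES
            and ev["domain"].lower() == ev["host"].lower())

def is_unapproved_db_account(ev):
    """Account created on a database server that is not on the approved list."""
    return (ev["event_id"] == 4720 and ev["host"] in DB_SERVERS
            and ev["new_user"] not in APPROVED_DB_ADMINS)

def find_alerts(events):
    """Return (rule, host, ts) for every event matching either rule."""
    alerts = []
    for ev in events:
        if is_local_admin_rdp(ev):
            alerts.append(("local-admin-rdp", ev["host"], ev["ts"]))
        if is_unapproved_db_account(ev):
            alerts.append(("unapproved-db-account", ev["host"], ev["ts"]))
    return alerts

def dwell_days(alerts, detected_at):
    """Whole days from the earliest alerting event to the detection date."""
    first = min(datetime.fromisoformat(a[2]) for a in alerts)
    return (datetime.fromisoformat(detected_at) - first).days
```

Running `find_alerts(EVENTS)` yields three hits (two local-admin RDP logons and one unapproved account on the billing server); with a constructed detection date of 2018-07-12 the dwell time works out to 498 days, the APAC median quoted above.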

The report also looks at red teaming and how the cybersecurity skills gap affects organisations.

FireEye says there are a number of takeaways from the report, including best practices such as data segregation, data protection, and network segmentation.

“We encourage organisations to hold incident response tabletop exercises to simulate typical intrusion scenarios. These exercises help expose participants – notably executives, legal personnel and other staff – to incident response processes and concepts. Additionally, organisations may want to consider partnering with professionals that specialise in defending against threats specific to the business.”

“Defenders have to get it right every single time, while threat actors only need to get it right once.”
