‘They’re here,’ said the little girl from Poltergeist.
She was right of course; and if she could see inside today’s company networks, she’d be right again.
Cyber criminals are getting better at sneaking past security defences un-noticed, then staying for days, weeks and even months while they prepare to exfiltrate valuable data and IP.
This week Citrix – a global provider of technology networking equipment and software to Fortune 500 companies – revealed that ‘international cyber criminals’ had been roaming around its own corporate network for half a year.
The hack was initially attributed to an Iranian-backed group, but that’s been questioned since. Instead of espionage the motivation now seems to have been theft of intellectual property or information relevant to stock valuations.
Initially the company said hackers stole business documents. This week it’s said that the stolen information may also have included personal data, including social security numbers and financial information.
You might think that a rock-solid, multi-billion-pound networking tech company that’s been trading since 1989 would know if someone was camping on its own network. But you’d be wrong. They were first informed of the hack by the FBI.
Ghouls spooking around IT infrastructure have become today’s ghost in the telly, capable of finding their way into seemingly secure environments, then staying there ‘til someone sees static on their screen.
Once a cybercriminal has breached defences and feels confident that they haven’t been detected, they start a series of lateral movements on the network to gain access to sensitive data.
Moving laterally means between going between servers, endpoints and applications on the network in order to map the system, identify targets, and eventually get to the organisation’s ‘crown jewels’.
If the attacker is able to secure administrative privileges, those lateral movements can be very hard to detect, looking at first glance like normal network traffic.
Even when cyber defences do detect that something might be amiss, IT teams are often inundated with system alerts – many of them false positives – and may not have the time or resources to investigate properly.
An expensive game of hide & seek
Studies show that the average breach today can take 5-6 months before being properly identified
Security vendor FireEye’s Mandiant 2019 M-Trends report found that for breaches detected infernally, attackers had already been inside the network for an average of 50.5 days. When an organisation was tipped off by an external source (as Citrix was), attackers had already been inside for 184 days on average – just over six months.
The time it takes to detect a breach has an immediate impact on cost. An IBM/Ponemon Institute study of the cost of data breaches calculates that organisations able to contain a breach in less than 30 days saved over $1 million (USD) over those that took more than 30 days.
The people factor
As we noted in yesterday’s post, no matter how clever cyber thieves become, they often need a little help from human nature.
In Citrix’s case, weak password security was partly responsible for letting the hackers in. They used a technique called ‘password spraying’ to hit multiple user accounts with common userid and password combinations. Once a few accounts has been cracked, the hackers used the foothold to launch other techniques that give them admin-level permissions.
When the Triton malware first started affecting systems at a Saudi oil refinery in 2017, managers assumed it was a standard mechanical glitch. It triggered a safety system alarm that brought the plant to a standstill. Then two months later, other systems were tripped, causing another shutdown. It took three-months of inexplicable system behaviour before plant managers decided to bring in IT consultants and investigate.
Seeing ghosts in the machines
As good as they are at covering their tracks, hackers do leave a few virtual breadcrumbs and sweet wrappers behind when they alter settings and change permissions.
IT teams are using more AI and SIEM tools to better triage and analyse system alerts. Employees can also play a stronger role in spotting a hacker’s trail by flagging weird or unexpected behaviour when they see it on company systems.
The Citrix hack tells us that organisations in every sector of the economy need more than the latest kit to detect breaches. Employees in and out of the IT department need to be more empowered with cybersecurity awareness.
The signs of an attack on an organisation’s network are often directly observable, or detectable when people know how to recognise them.
The best security systems in the world are both susceptible to human error and improvable with human agency. With better training and education, staff can act as a company’s early warning system for breaches, and avoid becoming the source of a breach themselves.
Want to learn more about empowering employees with security awareness training? Sign up for a free demo and find out how we’re already helping organisations just like yours.