Cyberattacks have shifted from the usual smash-and-grab type of heists to stealthier campaigns where hackers silently camp out on networks for long periods, stealing anything they can get their hands on. Called attacker dwell time, this is part of an adversarial approach that has become even more popular with hackers when it comes to 2021 ransomware attacks and data breaches.
Consider recent ransomware attacks by cybergangs Ryuk and Maze, where adversaries lurked in the datacenter shadows and within endpoint crevices – collecting counterintelligence, stealing credentials and pushing malware laterally. Only after pilfering all of a company’s digital goods did criminals finally encrypt files and demand a ransom, in what’s become an increasingly common “double extortion” attack.
According to a recent SANS Institute survey, 14 percent of firms indicate that the time between compromise and detection is between one to six months. Of those that detected an intrusion, nearly 10 percent said it took up to three months to contain it and toss the cybercriminals out.
Combating Dwell Time with EDR
Even one day is too many when it comes to adversaries camping out on your network, but rooting them out can be tough for resource-strapped firms on a tight budget. That’s why there’s been an increased focus on automating threat detection and hunting down malware hiding out on organization networks (including never-before-seen threats), using solutions such as advanced endpoint detection and response (EDR) platforms.
A study by Kaspersky found that 28 percent of companies that implemented EDR solutions were able to cut dwell time to hours or less.
While EDR has been a staple for security teams for more than a decade, it’s relatively new for small to mid-sized organizations to find themselves needing to bolster their security operations center with 24/7 monitoring.
Michael Suby, vice president of research at IDC, notes in a recent report that businesses are increasingly facing more sophisticated and aggressive attacks. That has pushed security teams to implement more proactive protection and adopt solutions like EDR that can respond to new and unknown threats quickly, he said.
Onslaught of Attacks Spur EDR Adoption
This shift from loud attacks to stealth intruders is pushing defenders to also change tactics – slightly – from focusing on perimeter defenses to bolstering EDR and internal threat hunting.
Stealth hackers lurking inside network endpoints have been fixtures in recent firmware exploits, Active Directory attacks and the ongoing SolarWinds-related breaches.
Compounding the defenders’ urgency is a sharp uptick in not only cyberattacks, but also novel malware variants, say researchers.
“Sophisticated malware is the new weapon of choice for criminals and nation-states,” according to a separate SANS Institute report. “The evolution of threats such as file-less malware, ransomware, zero days and advanced malware, combined with security tools getting bypassed, poses an extensional risk to enterprises,” according to the report.
Even though malware attacks are trending down overall in volume, variants are growing more sophisticated and targets more diverse. The FBI noted in a February report that the 7-year-old Emotet malware has remained a potent adversary over the years.
“The Emotet malware has evolved substantially since it was first observed by industry,” wrote special agent Jessica Nye, the cyber squad supervisor with the FBI. “It became increasingly stealthy in its ability to gain access to your computer, which then opened the door to additional malware.”
EDR can help identify even unknown threats in real-time by using behavioral analysis coupled with user and network fingerprinting. With this data, EDR can detect and report on potentially malicious activity. And, by correlating timelines and using advanced algorithms, EDR helps security teams work backwards to determine likely breach points.
Right-Sizing Security Teams
Challenges persist for many resource-strapped organizations, which may have security staff but little-to-no security operations centers (SoCs). But detecting long-dwelling attackers demands 24/7 monitoring of networks, especially in the age of remote working.
“In the past year, the typical enterprise has been turned inside out,” said Peter Firstbrook, vice president and analyst at Gartner. “As the new normal takes shape, all organizations will need an always-connected defensive posture, and clarity on what business risks [are elevated by] remote users.”
EDR allows businesses to bolster defenses with real-time visibility across all your endpoints. It allows security teams to view adversary activities, even as they attempt to breach your environment.
Kaspersky Optimum Security: Optimizing Your Defenses
Advanced EDR is at the heart of Kaspersky’s cyber-defense solution, which is named Kaspersky Optimum Security. The solution takes a fresh and innovative approach to addressing dwell-time security challenges and automated network threat hunting without busting budgets.
Kaspersky Optimum Security features automated threat hunting, root cause analysis and threat visibility via a single cloud console, which can give smaller teams SoC-like monitoring capability.
Aimed at resource-challenged IT security teams that manage small-to-midsize infrastructures, there are three pillars of unified protection offered with Kaspersky Optimum Security:
- Endpoint Protection is about protecting endpoints, servers and gateways – the most common of entry points and hiding spots for adversaries.
- Threat Hunting includes the proactive pursuit of network and device threats that may be lying undiscovered and still active within corporate infrastructures.
- Advanced EDR includes automated services and a single cloud-enabled dashboard – giving SMB security teams a solid ROI.
Learn more about Kaspersky’s Optimum Security bundle and how it can minimize risk with fast, scalable and turnkey EDR. With this unified product suite, teams are able to automate routine tasks while avoiding additional overhead on IT security resources.
