The 475-day siege: APAC firms' breach detection times are getting worse

05 Apr 2018

Despite increasing security investments, increasing awareness, and increasing security breaches, it is taking Asia Pacific organisations more than a year to detect cyber threats - the longest of any region in the world.

The shocking statistics from FireEye’s M-Trends 2018 report show APAC organisations have gotten worse at detecting breaches – in 2016 the average time to detection was 172 days, but that has now tripled to a median of 498 days.

The huge change in numbers suggests that attackers targeting APAC firms are able to maintain access to compromised organisations for far too long.

The maximum observed dwell time in an APAC firm reached 2085 days, or almost six years.

“Unfortunately, if you’ve been breached, our statistics show that you are much more likely to be attacked and suffer another breach. If you have not taken steps to enhance your security posture, you are taking a significant risk,” the report says.

APAC organisations also typically found out about threats via their own internal sources (57%), rather than via external notifications (43%).

Organisations in the Americas, and to some extent those in EMEA, are more adept at detecting threats. In the Americas, the median dwell time dropped from 99 days to 75.5 days between 2016 and 2017.

In EMEA, however, the median dwell time increased from 106 days to 175 days between 2016 and 2017.

The report goes on to say that once an organisation becomes a target, it is likely to be attacked again. Globally, 49% of customers that experienced one significant attack were successfully attacked again within one year.

Asia Pacific organisations are twice as likely to experience multiple incidents from multiple attackers compared to those in EMEA and North America.

91% of APAC respondents that had experienced one significant attack expect more attack activity in the next year. Of those, 82% believe multiple attackers will be identified over the life of their service.

The report details a case study that involved a large company in Asia that was targeted through Remote Desktop Protocol.

“The breach was identified through the discovery of an unauthorized database administrator account on a billing database server.

“The company’s internal investigation uncovered unauthorised RDP logons by a local administrator account to a legacy web server. The attacker then connected to and tunnelled connections through an intermediary system in the client environment.

“From the intermediary system, the attacker was able to access a database server using a separate database administrator account. The client quickly identified and decommissioned the web server and other legacy systems and changed the password of accounts used by the attacker.”

The attacker apparently installed a number of backdoors, keyloggers, and network traffic tunnellers, including Gh0st RAT and the China Chopper web shell.
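The case study above comes down to two signals a defender could have alerted on long before a 498-day dwell: an RDP logon by a local administrator account, especially onto a host already inventoried as legacy, and a database administrator role granted to an account that is not on the approved list. The Python sketch below is an added illustration, not code from the report or from FireEye; it runs those two rules over constructed audit records (Windows event 4624 with logon type 10 for RDP, plus a made-up `db_role_granted` record standing in for the database's own role audit), and then groups the RDP hits by source address, because one source reaching several hosts with local admin accounts is the "intermediary system" pattern the investigation found. Host names, account names, domains and IPs are all assumptions for the example.

```python
"""Two detection rules for the intrusion pattern in the M-Trends case study.

Added example; every host, account, domain and IP below is constructed.
"""
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed reference data standing in for an asset inventory and an
# identity allow-list (assumptions for this example).
AD_DOMAINS = {"CORP"}                # logons with any other domain used a local account
LEGACY_HOSTS = {"web-legacy-01"}     # hosts inventoried as legacy / pending decommission
DB_SERVERS = {"billing-db-01"}
APPROVED_DBA = {"svc_billing_dba"}   # only these accounts may hold the db_admin role

# Constructed audit records, one JSON object per line.
SAMPLE_LOG = """\
{"ts":"2017-09-01T02:14:07Z","event_id":4624,"host":"web-legacy-01","account":"Administrator","domain":"WEB-LEGACY-01","logon_type":10,"src_ip":"10.20.5.77"}
{"ts":"2017-09-01T02:15:30Z","event_id":4624,"host":"app-02","account":"jsmith","domain":"CORP","logon_type":10,"src_ip":"10.20.9.12"}
{"ts":"2017-09-01T02:40:12Z","event_id":4624,"host":"app-02","account":"Administrator","domain":"APP-02","logon_type":10,"src_ip":"10.20.5.77"}
{"ts":"2017-09-01T03:02:44Z","event_id":"db_role_granted","host":"billing-db-01","account":"svc_billing_dba","role":"db_admin"}
{"ts":"2017-09-01T03:05:09Z","event_id":"db_role_granted","host":"billing-db-01","account":"mssqladm2","role":"db_admin"}
{"ts":"2017-09-01T03:06:00Z","event_id":4624,"host":"billing-db-01","account":"mssqladm2","domain":"BILLING-DB-01","logon_type":3,"src_ip":"10.20.9.12"}
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    ts: str
    host: str
    account: str
    detail: str
    src_ip: str = ""


def is_local_account(domain: str) -> bool:
    """A logon whose domain is not one of our AD domains used a local (machine) account."""
    return domain.upper() not in AD_DOMAINS


def rule_local_admin_rdp(ev: dict) -> Optional[Finding]:
    """Interactive RDP logon (4624 / logon type 10) with a host-local administrator account."""
    if ev.get("event_id") != 4624 or ev.get("logon_type") != 10:
        return None
    if not is_local_account(ev.get("domain", "")) or ev["account"].lower() != "administrator":
        return None
    detail = "RDP logon with local administrator account"
    if ev["host"] in LEGACY_HOSTS:
        detail += " to a legacy host"
    return Finding("local_admin_rdp", ev["ts"], ev["host"], ev["account"], detail, ev.get("src_ip", ""))


def rule_unapproved_dba(ev: dict) -> Optional[Finding]:
    """db_admin role granted on a database server to an account outside the allow-list."""
    if ev.get("event_id") != "db_role_granted" or ev.get("role") != "db_admin":
        return None
    if ev["host"] not in DB_SERVERS or ev["account"] in APPROVED_DBA:
        return None
    return Finding("unapproved_dba_account", ev["ts"], ev["host"], ev["account"],
                   "db_admin role granted to an account not on the approved DBA list")


RULES = (rule_local_admin_rdp, rule_unapproved_dba)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run every rule over each record; malformed lines are skipped rather than fatal."""
    findings: List[Finding] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a production pipeline would count and surface these
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                findings.append(hit)
    return findings


def pivot_sources(findings: List[Finding]) -> Dict[str, List[str]]:
    """Source addresses whose local-admin RDP logons reached more than one host."""
    hosts_by_src: Dict[str, set] = {}
    for f in findings:
        if f.rule == "local_admin_rdp" and f.src_ip:
            hosts_by_src.setdefault(f.src_ip, set()).add(f.host)
    return {src: sorted(hosts) for src, hosts in hosts_by_src.items() if len(hosts) > 1}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f"{f.ts} {f.rule:<24} {f.host:<14} {f.account:<16} {f.detail}")
    for src, hosts in pivot_sources(hits).items():
        print(f"pivot candidate {src} -> {', '.join(hosts)}")
```

Of the six constructed records, the domain-account RDP logon, the approved DBA grant and the non-interactive (type 3) logon produce nothing; the two local-administrator RDP logons and the unlisted `mssqladm2` grant do, and the pivot step ties both RDP hits back to `10.20.5.77`. The allow-list and legacy-host inventory are the parts that matter in practice: the rules are only as good as the asset and identity data behind them, which is the kind of data segregation and inventory hygiene the report's takeaways point at.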

The report also looks at red teaming and how the cybersecurity skills gap affects organisations.

FireEye says there are a number of takeaways from the report, including best practices such as data segregation, data protection, and network segmentation.

“We encourage organisations to hold incident response tabletop exercises to simulate typical intrusion scenarios. These exercises help expose participants – notably executives, legal personnel and other staff – to incident response processes and concepts. Additionally, organisations may want to consider partnering with professionals that specialise in defending against threats specific to the business.”

“Defenders have to get it right every single time, while threat actors only need to get it right once.”
