SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
The 475-day siege: APAC firms' breach detection times are getting worse
Thu, 5th Apr 2018
FYI, this story is more than a year old

Despite increasing security investments, increasing awareness, and increasing security breaches, it is taking Asia Pacific organisations more than a year to detect cyber threats - the longest of any region in the world.

The shocking statistics from FireEye's M-Trends 2018 report show APAC organisations have gotten worse at detecting breaches – in 2016 the average time to detection was 172 days, but that has now tripled to a median of 498 days.

The huge change in numbers suggest that attackers targeting APAC firms are able to maintain access to compromised organisations for far too long.

The maximum observed dwell time in an APAC firm reached 2085 days, or almost six years.

“Unfortunately, if you've been breached, our statistics show that you are much more likely to be attacked and suffer another breach. If you have not taken steps to enhance your security posture, you are taking a significant risk,” the report says.

APAC organisations also typically found out about threats via their own internal sources (57%), rather than via external notifications (43%).

Organisations in the Americas, and to some extent those in EMEA are more adept at detecting threats. In the Americas, the median dwell time dropped from 99 days to 75.5 days between 2016 and 2017.

In EMEA, however, the median dwell time increased from 106 days to 175 days between 2016 and 2017.

The report goes on to say once an organisation becomes a target, it is likely they will be attacked again. Globally, 49% of customers that experienced one significant attacked were successfully attacked again within one year.

 Asia Pacific organisations are twice as likely to experience multiple incidents from multiple attackers compared to those in EMEA and North America.

91% of APAC respondents that had experienced one significant attack expect more attack activity in the next year. Of those, 82% believe multiple attackers will be identified over the life of their service.

The report details a case study that involved a large company in Asia that was targeted through Remote Desktop Protocol.

“The breach was identified through the discovery of an unauthorized database administrator account on a billing database server.

“The company's internal investigation uncovered unauthorised RDP logons by a local administrator account to a legacy web server. The attacker then connected to and tunnelled connections through an intermediary system in the client environment.

“From the intermediary system, the attacker was able to access a database server using a separate database administrator account. The client quickly identified and decommissioned the web server and other legacy systems and changed the password of accounts used by the attacker.

The attacker apparently installed a number of backdoors, keyloggers, and network traffic tunnellers, including Gh0stTAT, and the China Chopper web shell.

“From the intermediary system, the attacker was able to access a database server using a separate database administrator account. The client quickly identified and decommissioned the web server and other legacy systems and changed the password of accounts used by the attacker.

The report also looks at red teaming and how the cybersecurity skills gap affects organisations.

FireEye says there are a number of takeaways from the report, including best practices such as data segregation, data protection, and network segmentation.

“We encourage organisations to hold incident response tabletop exercises to simulate typical intrusion scenarios. These exercises help expose participants – notably executives, legal personnel and other staff – to incident response processes and concepts. Additionally, organisations may want to consider partnering with professionals that specialise in defending against threats specific to the business.

“Defenders have to get it right every single time, while threat actors only need to get it right once.