
The 475-day siege: APAC firms' breach detection times are getting worse

05 Apr 2018

Despite increasing security investments, increasing awareness, and increasing security breaches, it is taking Asia Pacific organisations more than a year to detect cyber threats - the longest of any region in the world.

The shocking statistics from FireEye’s M-Trends 2018 report show APAC organisations have gotten worse at detecting breaches – in 2016 the average time to detection was 172 days, but that has now tripled to a median of 498 days.

The huge change in numbers suggests that attackers targeting APAC firms are able to maintain access to compromised organisations for far too long.

The maximum observed dwell time in an APAC firm reached 2085 days, or almost six years. 

“Unfortunately, if you’ve been breached, our statistics show that you are much more likely to be attacked and suffer another breach. If you have not taken steps to enhance your security posture, you are taking a significant risk,” the report says.

APAC organisations also typically found out about threats via their own internal sources (57%), rather than via external notifications (43%).

Organisations in the Americas, and to some extent those in EMEA are more adept at detecting threats. In the Americas, the median dwell time dropped from 99 days to 75.5 days between 2016 and 2017.

In EMEA, however, the median dwell time increased from 106 days to 175 days between 2016 and 2017.

The report goes on to say that once an organisation becomes a target, it is likely to be attacked again. Globally, 49% of customers that experienced one significant attack were successfully attacked again within one year.

Asia Pacific organisations are twice as likely to experience multiple incidents from multiple attackers compared to those in EMEA and North America.

91% of APAC respondents that had experienced one significant attack expect more attack activity in the next year. Of those, 82% believe multiple attackers will be identified over the life of their service.

The report details a case study that involved a large company in Asia that was targeted through Remote Desktop Protocol.

“The breach was identified through the discovery of an unauthorized database administrator account on a billing database server.

“The company’s internal investigation uncovered unauthorised RDP logons by a local administrator account to a legacy web server. The attacker then connected to and tunnelled connections through an intermediary system in the client environment.

“From the intermediary system, the attacker was able to access a database server using a separate database administrator account. The client quickly identified and decommissioned the web server and other legacy systems and changed the password of accounts used by the attacker.”

The attacker apparently installed a number of backdoors, keyloggers, and network traffic tunnellers, including Gh0st RAT and the China Chopper web shell.
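As an added illustration of the detection angle in this case study (example code written for this article, not from FireEye's report): a small Python check over constructed Windows Security 4624 events that flags successful RDP logons (LogonType 10) by machine-local Administrator accounts, and links hops where the source of one flagged logon is a host that was itself flagged. The event field names, host names and IP addresses are assumptions.

```python
# Added example, not from the report: flag RDP logons by local admin accounts
# and link them into pivot chains (legacy server -> intermediary).
RDP_LOGON_TYPE = 10  # Windows 4624 LogonType 10 = RemoteInteractive (RDP)

# Constructed sample events; field names follow Windows Event ID 4624.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "LEGACY-WEB01", "TargetUserName": "Administrator",
     "TargetDomainName": "LEGACY-WEB01", "LogonType": 10, "IpAddress": "203.0.113.7"},
    {"EventID": 4624, "Computer": "LEGACY-WEB01", "TargetUserName": "jsmith",
     "TargetDomainName": "CORP", "LogonType": 10, "IpAddress": "10.0.5.21"},
    {"EventID": 4624, "Computer": "BILLING-DB01", "TargetUserName": "svc_backup",
     "TargetDomainName": "CORP", "LogonType": 3, "IpAddress": "10.0.5.30"},
    {"EventID": 4624, "Computer": "JUMP01", "TargetUserName": "Administrator",
     "TargetDomainName": "JUMP01", "LogonType": 10, "IpAddress": "10.0.5.10"},
    {"EventID": 4625, "Computer": "JUMP01", "TargetUserName": "Administrator",
     "TargetDomainName": "JUMP01", "LogonType": 10, "IpAddress": "10.0.9.4"},
]
# Constructed host-to-IP inventory used to resolve a logon's source to a host.
HOST_IPS = {"LEGACY-WEB01": "10.0.5.10", "JUMP01": "10.0.9.4", "BILLING-DB01": "10.0.7.2"}

def is_local_account(event):
    """Machine-local SAM account: the domain field equals the host name."""
    return event["TargetDomainName"].upper() == event["Computer"].upper()

def rdp_local_admin_logons(events, admin_names=("administrator",)):
    """Successful RDP logons (4624, LogonType 10) using a local admin account."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != RDP_LOGON_TYPE:
            continue  # failed logons and non-RDP logon types are out of scope
        if is_local_account(ev) and ev["TargetUserName"].lower() in admin_names:
            hits.append(ev)
    return hits

def pivot_chains(hits, host_ips):
    """Pair (source_host, target_host) where the source IP of a flagged logon
    belongs to a host that itself had a flagged logon, i.e. a pivot hop."""
    ip_to_host = {ip: host for host, ip in host_ips.items()}
    flagged_hosts = {ev["Computer"] for ev in hits}
    chains = []
    for ev in hits:
        src_host = ip_to_host.get(ev["IpAddress"])
        if src_host in flagged_hosts and src_host != ev["Computer"]:
            chains.append((src_host, ev["Computer"]))
    return chains

if __name__ == "__main__":
    found = rdp_local_admin_logons(SAMPLE_EVENTS)
    for ev in found:
        print(f"ALERT: local admin RDP logon on {ev['Computer']} from {ev['IpAddress']}")
    print("pivot chains:", pivot_chains(found, HOST_IPS))
```

On real data, feed exported 4624 events in the same field layout and keep the inventory current so source IPs resolve to hosts.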


The report also looks at red teaming and how the cybersecurity skills gap affects organisations.

FireEye says there are a number of takeaways from the report, including best practices such as data segregation, data protection, and network segmentation.

“We encourage organisations to hold incident response tabletop exercises to simulate typical intrusion scenarios. These exercises help expose participants – notably executives, legal personnel and other staff – to incident response processes and concepts. Additionally, organisations may want to consider partnering with professionals that specialise in defending against threats specific to the business.”

“Defenders have to get it right every single time, while threat actors only need to get it right once.”
