After gaining initial access to a network, the visible stages of an attack may be seen anywhere from hours to weeks later.
From the investigations performed by CyberCX, we see a wide range of timeframes between network penetration and obvious malicious activities such as detonating ransomware. The variance depends upon a range of factors, including:
The time a cyber attack takes can be linked to profitability – that is, how much the criminals believe the ransom is worth. For a high-value target, criminals may spend a month inside the victim’s network to ensure their attack is successful. For smaller organisations, where access can be bought cheaply, attackers often operate more quickly, waiting only days or sometimes hours between initial compromise and obvious actions.
Scope of access
We often see a gap between initial access and later attack stages. This typically reflects the time it takes the initial attacker, commonly referred to as the ‘initial access broker’, to escalate their access to a privileged level, or to sell or pass on that access to another criminal, who in turn uses it for subsequent attack stages.
Completing exfiltration of information
The length of this stage can depend on the complexity of the victim’s network and the steps needed for the attacker to avoid tripping security controls.
The attacker’s workflow
Sometimes attackers just get busy, or are distracted with other targets, especially in a large campaign.
If an attack is caught in its early stages, there is still an opportunity to stop subsequent attack stages.
Through CyberCX’s active Cyber Intelligence capability, we aim to identify early signals that an organisation is an attack victim. In some cases, we’re able to catch the attack after initial penetration, but before more damaging later stages. Where possible, we advise clients proactively and help them shut down the attack before it escalates.
A cyber incident is like an iceberg – what you initially see is only a small part of an immense problem spreading throughout your organisation’s systems.
Attackers often compromise multiple systems, but not all these systems will show signs of compromise at the same time. This is why it’s important for the investigation to also consider systems which show no initial signs of compromise, including on-premises and cloud platforms.
For example, many organisations that have suffered a breach of their on-premises networks assume cloud platforms, such as Office365, have not been compromised because they are operating normally. However, attackers can easily access Office365 mailboxes using stolen credentials to locate and steal confidential data, especially from senior employees.
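The point above is that a cloud mailbox can look perfectly healthy while it is being read with stolen credentials, so the investigation has to pull and review the cloud audit trail rather than trust that "it is operating normally". The script below is an added example, not CyberCX's tooling or Microsoft's API: it triages a handful of constructed records laid out like a simplified Microsoft 365 Unified Audit Log export (CreationTime, Operation, UserId, ClientIP) and flags the patterns an investigator would want surfaced first. The watchlist of senior staff, the known corporate egress addresses and the record layout are all assumptions made for the example.

```python
"""Triage Microsoft 365 audit records for mailbox access that an on-premises
investigation would otherwise overlook.

Assumptions (example code, not the page's or vendor's own):
- records are dicts shaped like a simplified Unified Audit Log export
  (CreationTime, Operation, UserId, ClientIP); real exports carry many more
  fields, which are ignored here;
- the organisation can supply its known egress IPs and a watchlist of
  senior mailboxes.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. The CFO is read from an address outside the
# known egress ranges minutes after a legitimate-looking session, and that
# same address later touches a second mailbox.
SAMPLE_RECORDS = [
    {"CreationTime": "2023-05-02T08:01:10", "Operation": "UserLoggedIn",
     "UserId": "cfo@example.org", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2023-05-02T08:05:42", "Operation": "MailItemsAccessed",
     "UserId": "cfo@example.org", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2023-05-02T08:20:00", "Operation": "MailItemsAccessed",
     "UserId": "cfo@example.org", "ClientIP": "198.51.100.77"},
    {"CreationTime": "2023-05-02T09:00:00", "Operation": "MailItemsAccessed",
     "UserId": "analyst@example.org", "ClientIP": "198.51.100.77"},
    {"CreationTime": "2023-05-02T09:30:00", "Operation": "UserLoggedIn",
     "UserId": "ceo@example.org", "ClientIP": "203.0.113.11"},
]

KNOWN_EGRESS = {"203.0.113.10", "203.0.113.11"}    # constructed corporate egress IPs
WATCHLIST = {"cfo@example.org", "ceo@example.org"}  # constructed senior-staff watchlist
MAILBOX_OPS = {"MailItemsAccessed", "UserLoggedIn"}  # operations worth triaging here
WINDOW = timedelta(minutes=60)


def parse_time(value):
    """Audit timestamps in the sample are ISO 8601 without timezone."""
    return datetime.fromisoformat(value)


def triage(records, watchlist=WATCHLIST, known_ips=KNOWN_EGRESS, window=WINDOW):
    """Return (user, ip, reason) findings, in chronological order.

    Check 1: a watchlisted mailbox touched from an IP outside known egress.
    Check 2: any account seen from two different IPs within `window`, which
             is the cheap precursor to a proper impossible-travel check.
    """
    findings = []
    last_seen = {}  # user -> (timestamp, ip) of the previous mailbox event
    for rec in sorted(records, key=lambda r: r["CreationTime"]):
        if rec["Operation"] not in MAILBOX_OPS:
            continue
        user, ip = rec["UserId"], rec["ClientIP"]
        ts = parse_time(rec["CreationTime"])
        if user in watchlist and ip not in known_ips:
            findings.append((user, ip, "watchlisted mailbox accessed from unknown IP"))
        prev = last_seen.get(user)
        if prev and prev[1] != ip and ts - prev[0] <= window:
            minutes = int(window.total_seconds() // 60)
            findings.append((user, ip, f"second IP within {minutes} min of {prev[1]}"))
        last_seen[user] = (ts, ip)
    return findings


def shared_unknown_ips(records, known_ips=KNOWN_EGRESS):
    """Map each unknown IP that touched more than one mailbox to those users.

    One external address reading several mailboxes is the signature of a
    single operator working through a list of stolen credentials.
    """
    users_by_ip = defaultdict(set)
    for rec in records:
        if rec["Operation"] in MAILBOX_OPS and rec["ClientIP"] not in known_ips:
            users_by_ip[rec["ClientIP"]].add(rec["UserId"])
    return {ip: users for ip, users in users_by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    for user, ip, reason in triage(SAMPLE_RECORDS):
        print(f"{user:22} {ip:16} {reason}")
    for ip, users in shared_unknown_ips(SAMPLE_RECORDS).items():
        print(f"{ip} touched {len(users)} mailboxes: {', '.join(sorted(users))}")
```

On the sample data the CFO's 08:20 read is reported twice, once as a watchlisted mailbox reached from an unknown address and once as a second IP within the hour of the earlier session, and the same unknown address is then shown pivoting to the analyst's mailbox. Run against a real export, the watchlist and egress set are the two inputs that need to be accurate, and the sixty-minute window is a starting point to tune rather than a threshold with any special meaning.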