Threat Actors Need Increasingly Less Time for Network Takeovers

Security firm CrowdStrike recently published an interesting new "threat hunting" report that sheds light on a worrying trend among threat actors. The report shows that hackers need increasingly less time to go from an initial breach of a single system on a network to gaining full access and moving laterally across the entire network.

CrowdStrike based its report on data collected from nearly 250 thousand endpoints used by the company's customers. The data shows that, on average, threat actors needed about an hour and a half to go from initial infiltration to lateral movement on a victim's network.

Lateral movement, by definition, is the point at which the threat actor has managed to deploy countermeasures to stall detection and is able to move between different host machines on a network: accessing their file systems, deploying additional malware on them, and exfiltrating data from them.

Even this oversimplified definition makes it abundantly clear that a victim's IT security team will have far more trouble dealing with a threat actor who has already secured lateral movement across the network.

Hackers who have gone from initial breach to lateral movement are able to deploy ransomware on the victim's network, as well as use additional malicious tools to thwart detection. All of this shows how vital it is to contain the initial breach and act as quickly as possible to prevent the hackers from taking over a larger portion of the network.

CrowdStrike's report also shows that more than a third of the attacks it tracked saw hackers going from initial breach to lateral movement in less than half an hour. This means immense pressure on security teams to contain breaches and prevent the attackers from gaining further access.
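The metric the report is built around is "breakout time": the gap between the first sign of initial access and the first sign of lateral movement in the same incident. The following script is an added example, not code from the article or from CrowdStrike, showing how a security team can compute that metric from its own alert records and flag the incidents that fell inside a 30-minute window. The event records, incident ids and alert types below are constructed for illustration; in practice they would come from the team's EDR or SIEM.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample alerts (not data from the CrowdStrike report).
# Each tuple is (incident_id, alert_type, ISO 8601 UTC timestamp).
# INC-4 has no lateral-movement alert yet, so it is still open and gets no breakout time.
SAMPLE_EVENTS = [
    ("INC-1", "initial_access",   "2021-09-01T08:00:00"),
    ("INC-1", "lateral_movement", "2021-09-01T08:20:00"),
    ("INC-2", "initial_access",   "2021-09-02T13:05:00"),
    ("INC-2", "lateral_movement", "2021-09-02T15:35:00"),
    ("INC-3", "initial_access",   "2021-09-03T22:10:00"),
    ("INC-3", "lateral_movement", "2021-09-03T22:35:00"),
    ("INC-3", "lateral_movement", "2021-09-03T23:40:00"),  # later hop, ignored
    ("INC-4", "initial_access",   "2021-09-04T01:00:00"),
]


def breakout_times(events):
    """Map incident_id -> timedelta from the FIRST initial-access alert to the
    FIRST lateral-movement alert. Incidents without both alerts are skipped."""
    first_seen = {}
    for incident, kind, ts in events:
        t = datetime.fromisoformat(ts)
        key = (incident, kind)
        # Keep only the earliest alert of each type per incident.
        if key not in first_seen or t < first_seen[key]:
            first_seen[key] = t

    result = {}
    for (incident, kind), access_time in first_seen.items():
        if kind != "initial_access":
            continue
        lateral = first_seen.get((incident, "lateral_movement"))
        # Guard against mis-ordered alerts (lateral movement logged before access).
        if lateral is not None and lateral >= access_time:
            result[incident] = lateral - access_time
    return result


def summarize(times, fast_threshold=timedelta(minutes=30)):
    """Mean breakout time in minutes, the share of incidents under the threshold,
    and the ids of those fast incidents (the ones containment had to beat)."""
    minutes = [td.total_seconds() / 60 for td in times.values()]
    if not minutes:
        return {"mean_minutes": None, "share_under_threshold": None, "fast_incidents": []}
    fast = sorted(i for i, td in times.items() if td < fast_threshold)
    return {
        "mean_minutes": mean(minutes),
        "share_under_threshold": len(fast) / len(minutes),
        "fast_incidents": fast,
    }


if __name__ == "__main__":
    times = breakout_times(SAMPLE_EVENTS)
    for incident, td in sorted(times.items()):
        print(f"{incident}: breakout in {td.total_seconds() / 60:.0f} min")
    print(summarize(times))
```

Tracking this number over time gives a team a concrete target: if a meaningful share of incidents break out in under 30 minutes, the time from first alert to isolating the affected host has to be shorter than that, or the response is already chasing an attacker who is on other machines.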

While it is true that threat actors will usually need to perform some early reconnaissance on a network and sniff around for additional weak spots, the simple fact that a group of hackers can go from initial network access to full access, deploying virtually any extra malware they want, in so little time is more than a little concerning.

September 9, 2021