Prediction Series #9: Hackers continue spending weeks & months of dwell time in networks

As NVD vulnerabilities and cyber breaches rise, so does hacker dwell time.

The number of known vulnerabilities year over year is exploding. The National Vulnerability Database (NVD) approached 20,000 vulnerabilities for 2018, an increase of over a 40% over 2017. This explosion reflects the increased complexity of the software stack that most companies use, and the increased dependency on third-party tools

One of today’s attack characteristics of most concern is attacker dwell time. After a data breach has been discovered, investigators often find out that the hackers have been occupying their network for days, months, or sometimes even years.

What the actual median dwell time is for organizations remains debatable – different companies put out different numbers.

Are hackers living in your network rent free?

According to a 2017 SANS Institute survey, for about 50 percent of cybersecurity respondents, the average time between an initial compromise and its detection—aka dwell time—is well over 24 hours. Twenty percent reported dwell times of a month or longer. In recent data breaches, the dwell time was much longer.

Another report found that average dwell time was 191 days in 2017, and 201 days in 2016.

The annual security vendor M-Trends report puts the global median dwell time at 101 days, with EMEA at 75 days, and the Americas at 75.5 days. Very similar, Chase Snyder of IT analytics company, ExtraHop, places the global median dwell time at 99 days for 2017.

If a significant hack occurred, dwell times are likely were much longer than the median time. These cyber hacks had these dwell times:

  • Home Depot: Five months
  • Michaels: Eight months
  • P.F. Chang’s: 11 months
  • Sony: 12 months
  • U.S. Office of Personnel Management: 12 months

In addition, last August and September, British Airways learned hackers had been in their network for 2 weeks. Saks hackers occupied their network for the better part of a year, Orbitz hackers for 2 years, FedEx hackers accessed an AWS servers for 3 years and Marriott and 1-800-Flowers for 4 years.

Not just couch potatoes, these hackers are doing damage in their dwell time

After breaking and entering, cyber hackers aren’t just putting their feet up and quietly relishing their victory. They’re taking advantage of their unlawful break-in to wreak havoc. Some of the ways attackers can cause considerable damage while dwelling inside corporate networks are:

  • Depositing viruses, worms, or Trojan horses
  • Copying/stealing credit card numbers, Social Security numbers
  • Deleting or changing files
  • Stealing funds
  • Gaining login credentials
  • Spying on sensitive activities and saving the information for future actions
  • Accessing email accounts containing sensitive or proprietary information
  • Copying and/or downloading information assets
  • Launching denial of service (DOS) attacks

Whether the attackers remain in your network for days, weeks or months, they are active inside your network spying, accessing assets and if they choose, systematically taking whatever they want. The harm done can be astronomical and no one is immune. The US government announced several times in 2018 that Russia invaded and continues to dwell and spy inside US power grid networks, possibly for years.

See our blogs on Russia attacks on US utilities:

1) Russian Hackers Breach US Utility Networks via Trusted Vendors

2) US-CERT Finds Russian Hackers Spent Months Inside Targeted Systems

3) Despite US defenses, Russian hackers are still trying to break in to America’s power grid

4) Could Russia Shut Down US Electric Grids?

Clearly, attacker dwell times will continue in frequency and invasiveness, with damage increasing across all industries.