Connected Magazine

Tick tock: reacting fast to cyber-attacks

The time organisations have to respond to cyber-attacks is getting narrower, reports Jonathan Keane

The time to react to a cyber-attack is getting narrower

Picture the scene. Your company’s computers suddenly freeze up, staff are locked out of their email accounts and operations grind to a halt. A stark message flashes on screens around the company. Your sensitive data has been encrypted by cyber-attackers and they’re demanding a ransom to be paid in bitcoin.

For any chief executive this is a nightmare scenario in which every move will be scrutinised by the board, the police and regulators. They must act fast but also sensibly, which is not easy to do well.

The window for reacting to a cyber-attack is getting narrower and narrower, and there are a number of reasons behind this.

Crucially, cybercriminals have become wilier, adopting deadlier tactics to breach systems and steal information more quickly than ever.

Similarly, regulators demand more transparency and better communications from companies when they suffer a data breach.

According to data from Palo Alto Networks, a US cybersecurity company, ransomware and business email compromises (BEC) remain the most common cyber threats to companies and the time to react and mitigate is getting tighter.

“In 2021, it took about 40 days to get into somewhere, to compromise a digital asset until you do exfiltration of data. This is coming down now, it's five days and what we see now also with AI accelerating [it], it's sometimes a matter of a few hours,” Helmut Reisinger, Palo Alto Networks’ chief executive for EMEA, said.

By 2022 that average time from compromise to exfiltration was 30 days, and in 2023 it is an average of five days, according to research from the company’s Unit 42 threat intelligence division.

It is not uncommon for cyber-attackers to worm their way into a network and stay silent for weeks or months, gathering intel, making sense of the target’s operations and homing in on the most valuable data before striking and making their getaway.

In the case of the crippling ransomware attack on the Health Service Executive in 2021, the perpetrators first gained access to the HSE’s systems in March and lingered for eight weeks before making their move.

That ransomware attack, the largest cyber-attack in the history of the state, was devastating: services were delayed and cancelled, staff reverted to paper-based processes and Covid-19 track and trace services were disrupted. All in all, the attack cost the HSE over €100 million.

More than two years on, the incident serves as a good reminder of how devastating an expertly carried out cyber-attack can be.

Often when reading headlines about a cyber-attack on a company, the impact and repercussions can seem nebulous to the reader. An attack on the health service hits much harder and is much more real for everyone involved.

Hospitals, Reisinger explained, can be a soft target for hackers given the variety of networked equipment, medical devices and IT services on their networks.

“The threat vector might come from an administrative laptop that is connected in a hospital but it might come as well from an x-ray machine that is not patched,” Reisinger said.

The HSE attack happened in a period when attackers on average spent longer in the network before striking. Lingering that long is a gamble on the attackers’ part, since every extra day increases the chance of being detected before they carry out their objective.

Now it’s possible for hackers to breach networks and do the damage in a quicker timeframe without detection.

AI ramp up

Haider Pasha, chief security officer for Palo Alto Networks in the EMEA region, said the tools used by hackers are becoming ever more sophisticated, which is what allows attacks to move faster.

Artificial intelligence tools in particular are helping to automate procedures that may have taken days previously. These can now be done in minutes in some cases.

Businesses’ incident response frameworks need to consider AI now more than ever, Pasha said.

“AI just in the last nine months has completely changed the game of how businesses should be operating for the next three to five years. The framework needs to reflect that and doesn't in many cases I've seen so far,” Pasha said.

“They (the attackers) can stay silent in the network for days, sometimes even months before they actually make their move. But today what we're finding in some of the latest attacks is that the attackers have exfiltrated data within hours,” he added.

“We believe that AI will only speed up these attackers so we're going to get to a point in time where we go from hours down to minutes and potentially seconds depending on how well they're using artificial intelligence.”

In some cases, he added, the use of AI to make attacks easier is not even that complicated.

Chatbots like ChatGPT can be used to write compelling scam emails that are detailed, credible and in flawless English. That copy can be dropped into a convincing email carrying a malware link that lures the target into clicking without a second thought.

Chatbots can also be used to write or check the code that makes up a piece of malware. Their makers have sought to limit this kind of abuse by blocking certain types of code from being fed through their systems.

Pasha envisions the technology advancing more and more with the likes of deepfakes that can be used to replicate a particular voice. Imagine a scenario where a manager’s voice is mimicked using AI to make a call to the accounts department instructing them to make a transfer.

“What we’re seeing is an increase in new vectors, vectors such as the ability of mimicking voices and even videos to a certain extent. Deepfakes as we know them are essentially on the rise. We're seeing that being used as a very common tactic now,” he said. “You can use deepfakes to mimic the voice of a CEO or a CFO.”

Pasha said we’re seeing a new generation of “script kiddies”, a pejorative term in cybersecurity circles for attackers with limited technical skills who use basic, widely available tools to carry out crude attacks.

Script kiddie attackers have historically not been very sophisticated, but with rapidly accelerating AI, highly technical tooling is becoming far more available and accessible, and with that far more threatening for companies.

Time to disclose

But it’s not just accelerating tech that’s forcing companies to respond quicker.

Regulations place a much greater expectation on companies to report when a data breach has occurred, but what many companies are learning is that discovering a breach is one thing and making sense of it is something else entirely.

GDPR, the flagship European data protection regulation, requires companies to notify the relevant data protection authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to pose a risk to the people affected. The clock starts on awareness, not on full understanding of what happened, although the regulation does allow the details to be supplied in phases as the investigation progresses.

Pasha said it takes an average of six days to remediate a breach.

“The average time it takes in our industry to remediate an attack is six days. Once you know that an attack has happened, for you to remove that attack and know with 100 per cent certainty that the attacker is gone and prevented that particular incident is roughly six days. The average time that we need to respond to a GDPR rule on a data breach notification is three days,” Pasha said.

“What this basically means is once you know that you're under attack, you have three days to inform the authorities but it will actually take you another three days for you just to remediate,” he said.

Similarly in the US, a rule adopted in 2023 by the financial regulator, the Securities and Exchange Commission, requires publicly traded companies to disclose a material cybersecurity incident within four business days of determining that it is material.
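The squeeze Pasha describes, a 72-hour notification clock running against a six-day clean-up, is easy to lose track of once time zones and business-day rules are involved. The script below is an added example, not code from the article or from Palo Alto Networks: it takes the key timestamps an incident response team reconstructs during an investigation (initial access, detection, exfiltration, the materiality decision, eviction), computes dwell and remediation times, and derives both the GDPR and SEC deadlines. The incident record is constructed, public holidays are not modelled, and the field and function names are this example’s own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc
GDPR_NOTIFY_WINDOW = timedelta(hours=72)   # GDPR Art. 33(1): 72 hours from becoming aware
SEC_NOTIFY_BUSINESS_DAYS = 4               # SEC Form 8-K Item 1.05: four business days
                                           # from the materiality determination


@dataclass
class Incident:
    """Key timestamps an IR team reconstructs during an investigation (all UTC)."""
    initial_access: datetime                        # earliest attacker activity in the forensic record
    detected: datetime                              # when the organisation became aware of the breach
    exfiltration: Optional[datetime] = None         # when data left the network, if established
    materiality_decided: Optional[datetime] = None  # when the company judged the incident material
    remediated: Optional[datetime] = None           # when the attacker was confirmed evicted


def hours(delta: timedelta) -> float:
    """Express a timedelta in hours, rounded to one decimal place."""
    return round(delta.total_seconds() / 3600, 1)


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance `start` by `days` weekdays. Assumption: public holidays are not modelled."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:              # Monday=0 ... Friday=4
            remaining -= 1
    return current


def timeline_report(inc: Incident) -> dict:
    """Summarise dwell, exfiltration and remediation times against both notification deadlines."""
    gdpr_deadline = inc.detected + GDPR_NOTIFY_WINDOW
    sec_deadline = (add_business_days(inc.materiality_decided, SEC_NOTIFY_BUSINESS_DAYS)
                    if inc.materiality_decided else None)
    return {
        "dwell_hours": hours(inc.detected - inc.initial_access),
        "compromise_to_exfil_hours": (hours(inc.exfiltration - inc.initial_access)
                                      if inc.exfiltration else None),
        "exfil_before_detection": bool(inc.exfiltration and inc.exfiltration < inc.detected),
        "time_to_remediate_hours": hours(inc.remediated - inc.detected) if inc.remediated else None,
        "gdpr_deadline": gdpr_deadline,
        "sec_deadline": sec_deadline,
        # The article's point: the regulator usually has to be told before the clean-up is finished.
        "gdpr_notice_due_before_remediation": bool(inc.remediated and gdpr_deadline < inc.remediated),
    }


def hours_remaining(deadline: datetime, now: datetime) -> float:
    """Hours left on a notification clock; negative means the deadline has already passed."""
    return hours(deadline - now)


# Constructed incident, loosely shaped like the timelines the article describes:
# a few days of dwell, exfiltration just before detection, six days to remediate.
SAMPLE = Incident(
    initial_access=datetime(2023, 9, 1, 3, 0, tzinfo=UTC),        # Friday
    detected=datetime(2023, 9, 6, 9, 0, tzinfo=UTC),              # Wednesday
    exfiltration=datetime(2023, 9, 5, 22, 0, tzinfo=UTC),
    materiality_decided=datetime(2023, 9, 7, 15, 0, tzinfo=UTC),  # Thursday
    remediated=datetime(2023, 9, 12, 9, 0, tzinfo=UTC),
)

if __name__ == "__main__":
    for key, value in timeline_report(SAMPLE).items():
        print(f"{key:38} {value}")
```

On the sample record the GDPR notice is due on the Saturday morning, three days before eviction is confirmed, and the SEC deadline lands the following Wednesday because the weekend does not count. Keeping every timestamp in UTC avoids the off-by-hours errors that creep in when a detection in one time zone is compared against a deadline computed in another.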

There are many things that a company can do but the regular testing of its systems and their resilience remains top of the agenda.

Pasha said there’s a “false sense of security” pervading many organisations, pointing to research from Unit 42 that shows a lack of understanding of the importance of testing.

Thirty-eight per cent of respondents to a survey said they believed their cybersecurity practices were the “most mature”, yet only 28 per cent said they test regularly.

“How do you know you are the most mature when you barely do your testing? We believe there's this false sense of security that's forming amongst many organisations in EMEA and LATAM,” he said.

While much has been made of AI being a boon to hackers, it too can be a tool for defence, according to Reisinger.

Palo Alto Networks is investing heavily in its own AI capabilities to detect and remove threats more quickly than traditional methods allow.

“In our own SOC [security operations centre] we do about 10 seconds mean time to detect and one minute mean time to remediate [using AI], which means that our scarce people can focus on the right things and do better threat intelligence, threat hunting and so on, which is the proactive side of the house,” Reisinger said.

“The time is shrinking in terms of attackers exfiltrating. On the other hand, you need to automate as much as possible.”