The findings of the annual Internet Security Threat Report indicate that the number of organizations targeted by advanced hacking groups increased by almost one third between 2015 and 2018. These groups have not only substantially increased their cyber-espionage operations; they are also deploying increasingly sophisticated tactics against a growing number of sectors. National hacking groups such as Chafer and cross-national groups such as Dragonfly are conducting highly targeted campaigns to gather intelligence and exfiltrate data from organizations.
Chafer is linked to the use of leaked NSA exploits and is credited with several attacks against telecoms and transportation companies and their supply chains. Dragonfly has primarily targeted energy and utility companies, including infiltrating the control systems of power suppliers. Other groups, such as Gallmaker, have been responsible for attacks against government institutions and military organizations.
Hacking groups no longer rely solely on malware delivered through spear-phishing or other exploits to carry out attacks. Increasingly, they use publicly available tools to execute targeted cyber-espionage campaigns. This includes tools such as Metasploit, a framework that provides utilities for exploit development and deployment and ships with numerous modules for SAP exploits. Approximately 39 percent of intrusions in 2017 did not deploy any malware. Because such publicly available tools have legitimate uses, their activity can disguise an attack and evade detection.
Despite the growing sophistication of attacks, the average breakout time across all intrusions and threat actors more than doubled between 2017 and 2018, from 1 hour and 58 minutes to 4 hours and 37 minutes, according to the 2019 Global Threat Report. Breakout time measures the average time taken by attackers to escalate or propagate from an initial compromise to other targets in a network. The increase suggests that organizations are more effectively hardening potential targets against exploits and detecting and isolating attacks. However, the overall average masks substantial differences between threat actors. Russian threat actors have an average breakout time of just 18 minutes and 49 seconds, which means organizations typically have under 20 minutes to discover and contain an intrusion by a Russian hacking group before it spreads. Average breakout times are lowest for Russian, North Korean and Chinese hacking groups and highest for cyber criminals.
Successfully detecting and containing cyber intrusions depends not only on the speed of detection but also on the speed of response. Real-time or near-real-time threat detection should therefore be backed by effective incident response procedures for investigating security breaches. SAP Solution Manager (SolMan) provides an integrated platform for both threat detection and incident response. SolMan connects directly to event logs in SAP systems as often as every 5 minutes to detect and alert on security breaches. It also provides automated procedures for investigating and tracking incident response. To learn more, contact Layer Seven Security.
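The breakout-time metric described above, and the polling-interval point made about SolMan, can be put to work on your own telemetry. The following is an added example, not code from the Global Threat Report, Layer Seven Security or SAP Solution Manager: it measures breakout time per intrusion (first initial-access event to first lateral-movement event on a different host) from constructed event records, averages the observed values, and subtracts a detector's worst-case polling lag to show how much of the window is actually left for response. The record format, the `intrusion` correlation id and the stage names are assumptions chosen for the illustration.

```python
"""Measure attacker breakout time from constructed event records and derive
the response window left once detection polling lag is subtracted.
Added illustration; not code from Layer Seven Security, SAP or CrowdStrike."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional


class Event(NamedTuple):
    ts: datetime
    intrusion: str   # hypothetical correlation id assigned during triage
    host: str
    stage: str       # assumed stage labels: initial_access, lateral_movement, other


# Constructed sample records (not real telemetry): timestamp|intrusion|host|stage.
# inc-1 mirrors the 18m49s figure, inc-2 the 4h37m figure, inc-3 has not spread yet.
SAMPLE_EVENTS = """\
2019-03-01T08:00:00|inc-1|hostA|initial_access
2019-03-01T08:05:00|inc-1|hostA|other
2019-03-01T08:18:49|inc-1|hostB|lateral_movement
2019-03-01T09:00:00|inc-2|hostC|initial_access
2019-03-01T13:37:00|inc-2|hostD|lateral_movement
2019-03-01T10:00:00|inc-3|hostE|initial_access
"""


def parse_events(text: str) -> List[Event]:
    """Parse pipe-delimited records, skipping blank lines, and sort by time so
    out-of-order log delivery does not distort the measurement."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, intrusion, host, stage = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), intrusion, host, stage))
    return sorted(events, key=lambda e: e.ts)


def breakout_times(events: List[Event]) -> Dict[str, Optional[float]]:
    """Seconds from an intrusion's first initial_access event to its first
    lateral_movement event on a *different* host. None means no propagation
    has been observed (yet); intrusions without a known entry point are skipped."""
    by_intrusion: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_intrusion[e.intrusion].append(e)
    result: Dict[str, Optional[float]] = {}
    for intrusion, evs in by_intrusion.items():
        first = next((e for e in evs if e.stage == "initial_access"), None)
        if first is None:
            continue
        result[intrusion] = None
        for e in evs:
            if (e.stage == "lateral_movement" and e.host != first.host
                    and e.ts >= first.ts):
                result[intrusion] = (e.ts - first.ts).total_seconds()
                break
    return result


def average_breakout(breakouts: Dict[str, Optional[float]]) -> Optional[float]:
    """Mean over intrusions where propagation was actually observed."""
    observed = [s for s in breakouts.values() if s is not None]
    return sum(observed) / len(observed) if observed else None


def response_window(breakout_s: float, polling_interval_s: float,
                    triage_s: float = 0.0) -> float:
    """Seconds left to contain an intrusion after worst-case detection lag:
    a detector polling every N seconds may see the compromise up to N seconds
    late, and triage consumes more of the window before containment starts."""
    return breakout_s - polling_interval_s - triage_s


if __name__ == "__main__":
    bt = breakout_times(parse_events(SAMPLE_EVENTS))
    for name, secs in bt.items():
        print(name, "no propagation observed" if secs is None else f"{secs / 60:.1f} min")
    print(f"average over observed: {average_breakout(bt) / 60:.1f} min")
    # 18m49s breakout, 5-minute polling, 3 minutes of triage
    print(f"window left: {response_window(1129, 300, 180) / 60:.1f} min")
```

The `None` result for an intrusion that has not yet propagated is deliberate: averaging it in as zero would make the fleet look faster to contain than it is, which is the same distortion the all-actor average in the report produces when it hides an 18-minute adversary behind a 4-hour mean.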