Organisations across the Asia Pacific are terrible at information security, a Mandiant report contests.
While businesses in the United States will detect a hacker in their networks within four months, in line with the global average, it takes 17 months for those in the Asia Pacific region to notice their intruder.
The region is diverse, with some countries faring better than others, Rob Van Der Ende, Asia Pacific vice president of Mandiant parent firm FireEye tells Vulture South.
Van Der Ende points to a focus of regional businesses in perimeter defence rather than the modern best practice approach of hardening network internals in a bid to minimise the damage from breaches.
“It is not that organisations do not care about security … they feel the investments are not necessary in the relevant areas,” Van Der Ende says.
“There is a disproporitional amount of money spent on building the walls, firewalls and such [and] attackers have advanced [beyond that].
“Minimising the dwell time of attacker who is in the network after a compromise is going to reduce the impact a cyber criminal could have.”
The FireEye report is the security giant’s first for the region. It reveals forehead-slapping findings such as that organisations on average do not know the most common techniques of lateral network movement through which attackers will use stolen credentials, and legitimate Windows tools and remote desktop functions to pivot to more valuable systems.
That lack of knowledge means there are few internal network obstacles to frustrate attackers.
“Most targeted organisations we responded to were not familiar with these attacker techniques …. Organisations often did not impose security controls around these activities and most of them did not monitor or alert on lateral movement.
In addition, organisations typically did not vary the local administrator account password across systems in the environment. When credentials were compromised, attackers could easily and remotely log in to most hosts across the estate. There were few obstacles in the way of the attacker intent on installing malicious software across the network.”
There are dozens of persistent attack groups in the Asia Pacific willing plunder organisations on their own turf. The capabilities of these bold groups coupled with a lack of awareness of internal network hardening makes for a potential storm of breaches of which many the public may be unaware of, Van Der Ende agrees.
Awareness of the shortcoming of perimeter defence coupled with acceptance of the inevitability of breaches are what Van Der Ende would immediately change among organisations in the region, should he be handed the reigns to business decision-makers' brains.
Mandatory breach disclosure laws would also help cut the 17 months to breach discovery, Van Der Ende reckons. As it stands, Asia Pacific organisations have little incentive to disclose a breach that is not already public, and disclosure laws would go far to drive positive change.
This reporter, while on site at a recent hacker conference in Singapore, was told by analysts that some businesses in countries including those in Malaysia and Thailand do not consider data stolen if a copy of the information remains uncorrupted. It was, the seasoned analyst says, as if breaches do not count provided attackers copy but don't then cut and paste data.
Van Der Ende had not heard of this level of primordial thinking but says it is not unexpected. ®