How the 1-10-60 Rule Improves Cybersecurity
Rawad Sarieddine, Vice President, Middle East, Turkey & Africa, CrowdStrike, elaborates how organisations can bolster their cybersecurity postures and understand cyber risk better.
Cyber-attacks are constantly in the headlines; hardly a week goes by without news of another company, government or brand being compromised in some way. Operators of critical infrastructure and public authorities are increasingly being targeted, and the attacks themselves are becoming more sophisticated, not least because eCrime groups now cooperate closely to develop malware that is harder to stop. TrickBot, for example, has recently shown characteristics that suggest cooperation between two eCrime groups, Lunar Spider (operator of the BokBot banking Trojan) and Wizard Spider (operator of TrickBot): TrickBot demonstrably uses a proxy module that until now had only been seen in BokBot, and it has gained additional tooling to steal information and make fraudulent transfers. This evident cooperation shows that criminal groups share capabilities, and that every company must see itself as a potential target. So how can you protect your company?
Breakout Time: A Critical Cyber Metric
In the event of a cyber-attack, speed is one of the most important factors in limiting damage: the only way to beat an opponent in cyberspace is to be faster than them. CrowdStrike introduced a metric for this in its Global Threat Report called “breakout time”, the interval between an intruder's initial compromise of a system and the moment they begin to move laterally from that entry point to other systems in the network. On average this was found to be one hour and 58 minutes, which is how long a company has to detect and remove an intruder before they can spread beyond the original foothold. Three key metrics can help assess one's own defenses against a cyber-attack:
- The time it takes to detect an intrusion.
- The time it takes to investigate an incident, understand the severity or extent of the attack, and define the necessary countermeasures.
- The time to respond to the intrusion, remove the opponent and take appropriate action to prevent damage.
The 1-10-60 Rule: A Numbers Game
So, what is the ideal timeline to detect, contain and ward off an attack? Institutions and companies using current technologies are now very fast: they can detect an intrusion in less than a minute, complete an investigation in less than ten minutes, and remove the adversary from the environment in less than an hour. The resulting 1-10-60 formula should become the standard for fighting cyber threats efficiently.
Companies and organisations that target the 1-10-60 rule will be able to remove the adversary before they leave the original entry point and begin to move toward their actual target in the corporate network. This significantly limits damage and prevents further escalation. It is crucial to have visibility across the network, because visibility is what allows known and unknown threats to be identified quickly. Many attackers blend in, using legitimate credentials and tools so that their activity looks like normal network traffic. However, a combination of machine learning, endpoint detection and response, and next-generation antivirus can quickly detect and effectively combat such covert attackers.
Think like an adversary
To better understand cyber risk, executives need to rethink their position. Ask yourself: What goals could an attacker pursue? What vulnerabilities could an attacker exploit? Which digital assets are of interest to them, and how could they proceed? Many cybercriminals target data, but they also seek control over critical systems, and they will take detours through less obvious people, applications and records that, chained together, give them access to those systems. It must be assumed that persistent attackers will regularly compromise individual computers by exploiting known or unknown vulnerabilities, or simply through social engineering.
This is another reason why in-depth training and awareness for specialists and managers is an important part of a cybersecurity strategy. The greatest uncertainty factor is, and remains, the human being, and you have to accept that this will not change. In our experience, there will always be some employees who open suspicious e-mails, click on random links and enter sensitive information into unknown websites. Training can reduce this, but it can never eliminate it.
Assume you’re going to be attacked
So, the important question is not: Can you prevent a cyber-attack? In some cases, this is simply impossible; assume that some attackers will get in. Rather, the question should be: How long does it take for attackers to gain access to a sensitive resource? As soon as they are able to do so, what would have been a minor security event turns into a serious cyber-attack that requires a lengthy and complex incident response. So, we need to stop the attackers before they reach their ultimate goal.
This is why speed is so crucial in the technical protection of all endpoints and the continuous monitoring of the environment. The 1-10-60 formula makes it possible to measure the preparedness, or the general maturity, of security operations. It enables managers who are not IT experts to understand and evaluate the performance of their IT security department.
And even if a company, agency or other institution cannot initially achieve these response times, the 1-10-60 rule serves as a benchmark for determining, for example on a monthly or quarterly basis, whether the trend is moving in the right direction. The 1-10-60 rule and breakout time provide clear benchmarks that measure a company's cyber resilience against today's complex threats.
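The following is an added example, not code from the article or from CrowdStrike, that turns the three metrics listed above (time to detect, investigate and respond), the 1-10-60 thresholds and the quarter-over-quarter benchmarking into a small measurement script. It assumes each incident record carries four timestamps (first adversary activity on the entry host, first alert, end of investigation, containment); the incident names, dates and durations are constructed for illustration, and the `evaluate` and `trend` functions are hypothetical helpers rather than any vendor's API.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

# Targets from the 1-10-60 rule: detect in 1 minute, investigate in 10, remediate in 60.
TARGETS = {
    "detect": timedelta(minutes=1),
    "investigate": timedelta(minutes=10),
    "respond": timedelta(minutes=60),
}
# Average breakout time cited in the article (initial foothold to lateral movement).
BREAKOUT_TIME = timedelta(hours=1, minutes=58)


@dataclass
class Incident:
    name: str
    first_activity: datetime  # earliest adversary activity on the entry host
    detected: datetime        # first alert raised
    scoped: datetime          # investigation done, countermeasures defined
    contained: datetime       # adversary removed, host isolated or rebuilt

    def stage_durations(self):
        return {
            "detect": self.detected - self.first_activity,
            "investigate": self.scoped - self.detected,
            "respond": self.contained - self.scoped,
        }

    def total(self):
        return self.contained - self.first_activity


def evaluate(incidents):
    """Median and worst-case minutes per stage, whether every incident in the
    period met the 1-10-60 target for that stage, and how many incidents were
    still uncontained after the average breakout time had elapsed."""
    report = {}
    for stage, target in TARGETS.items():
        secs = sorted(i.stage_durations()[stage].total_seconds() for i in incidents)
        report[stage] = {
            "median_min": round(median(secs) / 60, 1),
            "worst_min": round(secs[-1] / 60, 1),
            "meets_target": secs[-1] <= target.total_seconds(),
        }
    report["slower_than_breakout"] = sum(1 for i in incidents if i.total() > BREAKOUT_TIME)
    return report


def trend(previous, current):
    """Direction of each stage's median between two reporting periods."""
    out = {}
    for stage in TARGETS:
        before, after = previous[stage]["median_min"], current[stage]["median_min"]
        out[stage] = "improving" if after < before else "worse" if after > before else "flat"
    return out


def ts(month, day, hh, mm, ss=0):
    return datetime(2024, month, day, hh, mm, ss)


# Constructed sample incidents for two quarters (hypothetical names and timestamps).
Q1 = [
    Incident("phish-01", ts(1, 8, 9, 0), ts(1, 8, 9, 3, 30), ts(1, 8, 9, 25), ts(1, 8, 11, 0)),
    Incident("webshell-02", ts(2, 14, 14, 0), ts(2, 14, 14, 0, 40), ts(2, 14, 14, 8), ts(2, 14, 14, 50)),
    Incident("rdp-03", ts(3, 2, 2, 0), ts(3, 2, 2, 12), ts(3, 2, 2, 40), ts(3, 2, 5, 0)),
]
Q2 = [
    Incident("phish-04", ts(4, 3, 10, 0), ts(4, 3, 10, 0, 50), ts(4, 3, 10, 25), ts(4, 3, 10, 45)),
    Incident("macro-05", ts(5, 21, 16, 0), ts(5, 21, 16, 2), ts(5, 21, 16, 25), ts(5, 21, 17, 10)),
    Incident("vpn-06", ts(6, 11, 3, 0), ts(6, 11, 3, 0, 30), ts(6, 11, 3, 6), ts(6, 11, 3, 58)),
]

if __name__ == "__main__":
    q1, q2 = evaluate(Q1), evaluate(Q2)
    for label, rep in (("Q1", q1), ("Q2", q2)):
        print(label, rep)
    print("trend", trend(q1, q2))
```

The pass/fail flag uses the worst incident of the period rather than the median on purpose: a single slow containment is the one that lets an intruder past breakout time, so a team that reports only averages can look compliant while still losing the race on its worst day. In the constructed data, Q2 improves detection and response but investigation gets slower, which is exactly the kind of per-stage signal the quarterly comparison is meant to surface.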