Crowdstrike just dropped the first head-turning cybersecurity report of the year. The report tracks the “breakout time” from when an adversary compromises an initial system to when the adversary is able to move laterally within an enterprise.
In Congressional testimony last December, Crowdstrike Chief Technology Officer Dmitri Alperovitch set out his “1-10-60” goal in which companies should attempt to detect a breach in one minute, investigate it in ten minutes, and contain it within sixty minutes.
Given that a study by the Ponemon Institute last year found that on average it took companies 197 days to detect a breach and an additional 69 days to contain it, shrinking the OODA loop to one hour flat may seem like an impossible goal. Alas, an hour may be too long.
According to Crowdstrike's new report, the breakout time for Russian adversaries was under nineteen minutes. Stopping the Russians may require taking the human out of the loop, automatically going from detection to quarantining compromised systems. Of course, some companies are doing that already and a thriving ecosystem exists to provide technologies that will enable this kind of operational nimbleness.
What’s interesting to me about the report isn’t that Russia is really fast but that China is relatively, even embarrassingly slow. Across all threat actors, including criminal groups, hacktivists, and countries that don’t normally rate as cyber superpowers like Pakistan, average breakout time was recorded at four hours and thirty-seven minutes. (If there is good news in the report, it’s that average breakout time went up by two hours from 2017).
China, for its part, clocked in at an average of four hours and 26 seconds, a very distant third place behind second-place North Korea, which came in at two hours and twenty minutes. The fact that the Hermit Kingdom is outdoing the Chinese should be a source of embarrassment.
With the breakdown of the Obama-Xi agreement, I expected Crowdstrike to show an uptick in Chinese economic espionage but I did not expect to find that China had returned to its loud and clumsy ways. When FireEye, Crowdstrike, and other groups showed a drop in Chinese activity following that 2015 agreement, many in the field concluded that Chinese groups had not reduced their activity but upped their tradecraft—that they were being selective in their targets and stealthier in their operations. Now, I’m not so sure.
Crowdstrike's data suggests that Chinese groups are struggling with next-generation malware prevention and other technologies that guard many of their targets. It suggests that to stop most Chinese intrusions, security operations center (SOC) teams could pick up a detection event, investigate it, form a remediation plan over a leisurely lunch, and then put it in place once they have had time to digest. Calling Chinese groups “elite” may be to give them too much credit.
Chinese resources appear to be spread quite thin. At last count, Crowdstrike tracked upwards of 25 distinct Chinese APT groups. Florian Roth’s handy APT tracker lists another forty-plus potential groups identified by other companies. That would appear to be too many groups carrying out too many operations to maintain a high degree of professionalism.
Given that the Trump Administration has let go of the levers it could use to change Chinese cyber behavior as relations deteriorate, our best hope for limiting Chinese activity may be to embarrass Chinese leadership by promoting a narrative that China really isn’t that good. In an imperfect world, I’d choose fewer Chinese groups, carrying out more targeted attacks, that are harder to detect and thus in the news cycle less often.
Xi should look into why his teams are not competing with the best of the best. His goal should be to make the headline from Crowdstrike’s 2020 threat report: “Where did the Chinese go?”