Time, It's on Our Side

Attacks against critical infrastructure have been a hot topic this year. While details are difficult to confirm, plenty of policymakers and infrastructure owners are worried about digital intruders targeting energy, water, and related industries. Unlike the "chronic" problem of the theft trade secrets for economic gain, critical infrastructure attacks are more of an "acute" problem. Should such an attack against infrastructure succeed, the consequences could be immediate, costly, and observably harmful.

Thankfully, the same factor that can help mitigate the consequences of a chronic attack is also at work in acute attacks. That factor is time. In chronic attacks, intruders are likely to take days or weeks to complete the digital kill chain. They need time to perform reconnaissance, deliver a payload, gain control, proliferate throughout the target network, identify information of interest, and exfiltrate that data. Mandiant routinely sees intruders take days or weeks to complete these tasks, although highly skilled and rehearsed intruders can shorten that timeframe considerably. Still, time is often on the defender's side, if he or she is only willing to invest in the visibility to detect, respond to, and contain intruders in a timely and accurate fashion.

In a similar manner, intruders conducting acute attacks against critical infrastructure are unlikely to wreak havoc in minutes or hours. Rather, they will likely follow a similar digital kill chain, albeit with different goals. They need time to perform reconnaissance, deliver a payload, gain control, reach the desired industrial systems, and manipulate them to achieve their intended malicious effect. This process will probably take days, perhaps weeks, depending on the level of preparation taken by the intruder and their familiarity with the target network. As which chronic intrusions, a vigilant defender can use this delay to detect, respond to, and contain an intruder seeking to harm critical infrastructure.

The bottom line for both sorts of intrusions is the requirement to have situational awareness. Mandiant recommends and provides services and products leveraging cloud services, network inspection, application logs, and endpoint agents to improve enterprise visibility. By acting faster than an intruder, even those who defeat enterprise security controls can be found and constrained prior to achieving their malicious mission. That is the new reality and the true definition of a defensive "win" in the modern digital age.