state actors. Russia-based threat actors
are almost eight times (18 minutes) as
fast as their speediest competitor –
North Korea-based adversaries, who
themselves are almost twice as fast
as intrusion groups from China. While
certainly not the only metric to judge
sophistication, the ranking by breakout
time is an interesting way to evaluate the
operational capabilities of major threat
actors. As a consequence, it shows
how fast defenders need to be to stop a
criminal’s initial entry point from turning
into a breach.
One of the most important implications
of this data, however, is that it is an
indication of how fast defenders have
to be in order to stop a breach from the
adversaries that may be likely to target
them. They may have more time if they
are dealing with a threat actor who
tends to be slower at lateral movement,
but security teams cannot waste even a
second when dealing with fast-moving
actors, such as those affiliated with the
Russian government, for example.

For today’s CISO, balancing business needs and the complex environment they are responsible for is a challenge to overcome every day.

The 1–10–60 rule
Adequately preparing for cyberthreats
should equate to a risk mitigation
strategy that works from the top down
and involves not only CISOs but also other
C-level executives, the board of directors
and security teams. If the
CISO can’t give the board something to
work with, like simple metrics for action
and success, they won’t be able to get
the right sponsorship and support.
Breakout time is a key and insightful
metric to guide security teams on the
importance of quick reactions and in
order for them to measure their ability
to respond to intrusions, CrowdStrike
Issue 22 | www.intelligentciso.com