Russian threat actors are almost eight times faster than other nation-state actors at capitalizing on a compromised system, a testament to their operational tradecraft, according to CrowdStrike's 2019 Global Threat Report.
CrowdStrike's analysis of what it calls “breakout time”, the interval between an adversary's initial compromise of a host and its first lateral movement to another system on the victim's network, shows the Russians are quicker by a factor of eight at breaking out and pursuing their primary objectives than their next closest competitor, the North Koreans.
The report noted this level of accomplishment is even more impressive considering the North Korean threat teams are themselves twice as fast as the third-place Chinese crews. Iran was the fourth quickest, while the various cybercrime actors placed fifth. The Russians typically break out in just under 19 minutes, compared to two and a half hours for the North Koreans and four hours and eight minutes for the Chinese.
One bit of good news in this category is that the average breakout time across all intrusions measured for the 2019 report was four hours and 37 minutes, more than twice as long as the one hour and 58 minutes CrowdStrike logged in 2017. The report credited two possible factors for this jump: an increase in the number of slower attackers in the sample, and more organizations deploying next-generation endpoint security.
To combat attackers as effective as the Russians, CrowdStrike recommends organizations adopt the 1-10-60 rule: detect an intrusion in under one minute, complete a full investigation within 10 minutes, and eradicate the adversary from the environment within 60 minutes. Note that even a team hitting all three targets is still slower than the sub-19-minute Russian breakout time the report measured, so the rule is a benchmark for response speed rather than a guarantee of containing the fastest actors before they move laterally.
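To make the breakout-time and 1-10-60 figures concrete, here is an added example (not code from the original article or from CrowdStrike) that scores a few constructed incident timelines against those targets. The timelines, the event names, and the interpretation that all three 1-10-60 clocks start at initial compromise are assumptions made for this illustration, not a CrowdStrike data format:

```python
from datetime import datetime, timedelta

# Constructed incident timelines for illustration only. Event names and
# timestamps (ISO-8601, UTC) are assumptions, not a CrowdStrike schema.
INCIDENTS = {
    # Response meets 1-10-60, but the actor broke out in ~19 minutes.
    "fast-actor": {
        "initial_compromise": "2019-03-01T10:00:00",
        "first_lateral_movement": "2019-03-01T10:18:40",
        "detected": "2019-03-01T10:00:45",
        "investigated": "2019-03-01T10:09:00",
        "contained": "2019-03-01T10:50:00",
    },
    # Response misses every target against a ~4.5-hour breakout.
    "slow-response": {
        "initial_compromise": "2019-03-02T08:00:00",
        "first_lateral_movement": "2019-03-02T12:37:00",
        "detected": "2019-03-02T08:03:00",
        "investigated": "2019-03-02T08:40:00",
        "contained": "2019-03-02T14:00:00",
    },
    # Response meets 1-10-60 and finishes before the actor moves laterally.
    "contained-in-time": {
        "initial_compromise": "2019-03-03T09:00:00",
        "first_lateral_movement": "2019-03-03T11:30:00",
        "detected": "2019-03-03T09:00:30",
        "investigated": "2019-03-03T09:08:00",
        "contained": "2019-03-03T09:45:00",
    },
}

# 1-10-60 targets. Assumption: each clock is measured from initial compromise.
TARGETS = {
    "detect": timedelta(minutes=1),
    "investigate": timedelta(minutes=10),
    "contain": timedelta(minutes=60),
}


def _t(stamp):
    return datetime.fromisoformat(stamp)


def breakout_time(inc):
    """Time from initial compromise to the adversary's first lateral movement."""
    return _t(inc["first_lateral_movement"]) - _t(inc["initial_compromise"])


def response_metrics(inc):
    """Elapsed time from initial compromise to each defender milestone."""
    t0 = _t(inc["initial_compromise"])
    return {
        "detect": _t(inc["detected"]) - t0,
        "investigate": _t(inc["investigated"]) - t0,
        "contain": _t(inc["contained"]) - t0,
    }


def evaluate(inc):
    """Score an incident against 1-10-60 and against the adversary's breakout."""
    metrics = response_metrics(inc)
    misses = [stage for stage, elapsed in metrics.items() if elapsed > TARGETS[stage]]
    # Meeting 1-10-60 is not the same as winning the race: containment only
    # prevents lateral movement if it lands before the adversary breaks out.
    contained_before_breakout = _t(inc["contained"]) < _t(inc["first_lateral_movement"])
    return {
        "breakout": breakout_time(inc),
        "metrics": metrics,
        "misses": misses,
        "contained_before_breakout": contained_before_breakout,
    }


if __name__ == "__main__":
    for name, inc in INCIDENTS.items():
        result = evaluate(inc)
        print(f"{name}: breakout={result['breakout']}, "
              f"missed={result['misses'] or 'none'}, "
              f"contained before breakout={result['contained_before_breakout']}")
```

The "fast-actor" case is the one the article warns about: every 1-10-60 target is met, yet containment at 50 minutes still lands after an 18-minute-40-second breakout, so the adversary was already on a second host when the first was cleaned up.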