Hotel Networks, Breakout Time, and Speed of Response, Oh My!

March 29, 2018 Lenny Simon

A little while ago, I came across a video while browsing my LinkedIn that I immediately wanted to share with everyone I could. In the video, CrowdStrike founder and CEO Dmitri Alperovitch talks about the growing importance of cybersecurity in a world filled with threats.

He talks about cyber attacks in general, as well as the increase in destructive attacks like WannaCry (for which, according to one CSO article, a patch addressing the Windows SMB protocol issue that the attack exploits was actually available before the majority of attacks began).

However, there are three things in Dmitri’s interview video that really stood out to me as being important:

  1. The fact that the hospitality sector is the most impacted (and why attackers are interested in hospitality sector targets);
  2. The breakout time of attacks (how long it takes for the attacker to break out of the initial system they compromised to spread to other systems); and
  3. The speed of response to an attack (how quickly businesses can detect, investigate, and clean up an intrusion attempt).

In this blog, I wanted to discuss these points and why they’re important.

Why is the Hospitality Sector Under Attack?

While your local motel might not sound like an especially lucrative target for cybercriminals, the truth is that there are some very good reasons for attackers to target hospitality businesses.

One of the key points that Dmitri brought up is that “every single nation state is trying to get into hotel networks in order to spy on the registration systems to figure out when VIPs might be coming to particular hotels so that they could target them.”

It’s a common practice for countries to carry out such espionage actions against one another. The issue for hotels is that they’re getting caught in the crossfire.

Other cybercriminals might target smaller hospitality companies to get at the personally identifiable information (PII) and payment card data of hotel guests. The small Wi-Fi networks of some hotels may be easier for attackers to breach than the fortified, layered defenses of a major financial institution. This, in turn, allows criminals easier access to sensitive information.

However, this is not to say that the hospitality sector is the only one under attack—government, defense industry, and financial sector businesses are also frequently targeted by both state agencies and less politically-motivated cybercriminals.

Why Breakout Time Matters

During the 2:38-long video, CrowdStrike’s founder mentions the term “breakout time,” which is an important factor to consider when creating a cybersecurity architecture for your business.

Even if an attacker gets into your network, that doesn’t necessarily mean that a data breach is inevitable. This is because the attacker’s point of entry may not necessarily be the attacker’s ultimate target. For example, they may get in on a workstation in your office, but really want to get at your customer information database.

The average breakout time for a cyber attack is approximately two hours. However, the actual time it takes for an attacker to move from one system to another can vary wildly depending on what kind of protections you have in place.

On unsecured networks, breakout times can be almost immediate (less than a few minutes), robbing you of your ability to effectively respond to and contain the breach. On networks with strong defense-in-depth setups that use heavy segmentation, it may take much longer for an attacker to breach the secondary defense layers and move to another system.

The longer it takes for an attacker to break out of the first system they’ve managed to compromise, the more time you’ll have to respond to the incident.

Speed of Response and Keeping Data Secure

The speed at which your business can respond to an intrusion attempt is vital for minimizing the potential damage a breach can cause.

Speed of response comprises three different metrics:

  1. Time to detect;
  2. Time to investigate; and
  3. Time to clean up the attacker from the network.

The faster you can detect an attack, investigate its source and methodology, and then remove the attacker from your network, the better. Top-tier organizations usually try to maintain an incident response timeline that looks like this:

  • 1 Minute to Detect
  • 10 Minutes to Investigate
  • 1 Hour or Less to Clean Up

This response speed on a well-fortified network gives attackers very little opportunity to get what they want.
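To make these metrics concrete, the sketch below (an added example, not part of the original post) splits incident timelines into the three phases, checks each against the 1/10/60-minute targets, and compares the total response time with the roughly two-hour average breakout time quoted earlier. The incident records and their field names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Targets quoted in the post: 1 minute to detect, 10 to investigate, 60 to clean up.
TARGETS = {
    "detect": timedelta(minutes=1),
    "investigate": timedelta(minutes=10),
    "clean_up": timedelta(minutes=60),
}
AVG_BREAKOUT = timedelta(hours=2)  # average breakout time quoted in the post

# Constructed sample incidents; the field names are hypothetical.
INCIDENTS = [
    {"id": "INC-A", "compromised": "2018-03-01T09:00:00", "detected": "2018-03-01T09:00:45",
     "investigated": "2018-03-01T09:09:00", "cleaned": "2018-03-01T09:55:00"},
    {"id": "INC-B", "compromised": "2018-03-02T14:00:00", "detected": "2018-03-02T14:20:00",
     "investigated": "2018-03-02T15:10:00", "cleaned": "2018-03-02T16:40:00"},
    {"id": "INC-C", "compromised": "2018-03-03T11:00:00", "detected": "2018-03-03T11:00:30",
     "investigated": "2018-03-03T11:25:30", "cleaned": "2018-03-03T12:05:30"},
]

def phase_durations(incident):
    """Split one incident timeline into the three response phases."""
    keys = ["compromised", "detected", "investigated", "cleaned"]
    stamps = [datetime.fromisoformat(incident[k]) for k in keys]
    if stamps != sorted(stamps):
        raise ValueError(f"{incident['id']}: timestamps out of order")
    return {phase: end - start for phase, start, end in zip(TARGETS, stamps, stamps[1:])}

def assess(incident, breakout=AVG_BREAKOUT):
    """Compare each phase with its target and the whole response with breakout time."""
    durations = phase_durations(incident)
    total = sum(durations.values(), timedelta())
    return {
        "id": incident["id"],
        "missed_targets": [p for p, d in durations.items() if d > TARGETS[p]],
        "total_response": total,
        "contained_before_breakout": total < breakout,
    }

if __name__ == "__main__":
    for inc in INCIDENTS:
        r = assess(inc)
        print(r["id"], "missed:", r["missed_targets"] or "none",
              "| total:", r["total_response"],
              "| beat breakout:", r["contained_before_breakout"])
```

INC-C shows why the phases are tracked separately: the investigation overran its target, yet the whole response still finished inside the average breakout window.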

Preparing for a Breach

Sooner or later, some attacker is going to be skilled, determined, or just plain lucky enough to breach all of the defenses that you have and get onto your network. To prepare for this eventuality, it’s vital to create an Incident Response Plan (IRP) ahead of time that you can launch once a breach occurs.

The primary goals of your IRP should be:

  1. Identify the threat;
  2. Contain the threat;
  3. Eradicate the threat;
  4. Recover from the attack;
  5. Investigate the attack; and
  6. Prepare for future attacks.

Having a Security Information and Event Management (SIEM) solution in place to log activity across your network is a core part of being able to identify and investigate threats. Because of this, SIEM tools are vital for any incident response strategy. Adding some automation/orchestration tools to help your network automatically resolve some threats can also help minimize risks.

Application whitelisting solutions, such as Bit9, can also help to protect businesses by only allowing predetermined software programs to run on individual endpoints. If a program isn’t on the whitelist, then Bit9 won’t allow it to run—keeping malware from operating. So, even if an attacker is “successful” at getting malware onto your network, that malware won’t be able to do anything. However, it should be noted that even “safe” software will be blocked if it isn’t on the whitelist.

Another way to prepare for a breach is to conduct a thorough audit of your company’s IT assets and cybersecurity policies. Such audits can help identify potential weaknesses in your cybersecurity architecture and give you a chance to ameliorate them.

Are you prepared to respond to an incident in less time than it would take an attacker to break out of their entry point to your network? Find out by contacting Compuquip for a security architecture and policy assessment today!
