Cyber Attacks: The First Minutes Are Crucial

Cyberattacks: The first minutes are crucial

In the defence against cyber attacks, time is both an enemy and an ally. A guest article by Moritz Mann from Open Systems.

Only the spectacular cases make it into the national media. But according to Bitkom, nine out of ten companies are now affected by cyber attacks. Time plays an essential role in defending against these attacks.

The time paradox in cyber security

When the first employees become aware of the unusual behaviour of a computer or other system, often only a few minutes pass before the malicious components spread across the network. Once the attackers have launched their attack, there is only a narrow window of time left to at least limit the potential damage. Depending on the type of attack and the chosen path, often only a few seconds pass, for example in the case of DDoS attacks that are carried out via hyperscalers. And the more time that passes, the greater the damage.

The paradox in cybersecurity is that there would actually have been enough time to detect and defend against the attack at an early stage. It simply takes companies too long to detect illegal activities in their networks in order to react to them. As IBM found out in its “Cost of a Data Breach” study, this was an average of 151 days. This is also the time attackers have to prepare an attack.

Making the most of the time: Obstruct the orientation phase

In many attack vectors, the criminals initially act very cautiously and try to enter the network through back doors and side entrances. They first observe, orient themselves, and then decide how to proceed. The goal of security must be to make this initial orientation phase more difficult. And the best way to do that is to integrate several security layers.

Among (experienced) employees, local firewalls, automated scans for malware or restrictions on the installation of software are unpopular. Yet they already effectively make it more difficult for an attacker to penetrate further into the network via this route. Adherence to “cyber hygiene” is still one of the most effective means of averting attacks: In other words, keep devices up to date, operate them with low rights, use “anti-virus programmes” and rely on firewall shielding.

Parts of this hygiene also include the work of admin and support departments. This includes the strict separation of keys and accounts. Domain administrators should not have local admin access to desktops; the support for desktops must use keys and accounts without access to the cloud infrastructure. Using the same accounts when setting up AD Connect and Office 365 is very much something that attackers look for.

Detecting anomalies earlier

Just as a slight, barely measurable, tremor of the ground can be the harbinger of a magnitude 5 earthquake, minor variations in data traffic can already indicate criminal activity. The aforementioned hygiene measures and strategies such as zero trust in data traffic form the basis for making it more difficult for attackers to gain entry and access. However, they cannot guarantee complete protection.

Therefore, vigilance and thus monitoring of the running systems remains a priority task to shorten the time for attackers. However, monitoring is proving to be more and more of a challenge considering the contemporary IT structures. The number of devices to be monitored, the combination of several cloud structures, the fragmentation into microservices make manual control impossible. Modern IT architecture also leads purely rule-based and threshold-based protective measures and filters to their limits. Today, system monitoring and security also require the use of AI components such as machine learning to detect the first anomalies in order to take countermeasures in time, or at least to get to the bottom of things.

Advantages for companies with an error and security culture

And what if, despite all efforts, attackers have still managed to penetrate the company network? When the famous “one click too many” has been made on the attachment of an e-mail? Companies that have succeeded in establishing a functioning error and security culture have an advantage at this point.

Whether in supermarkets or banks, none of the employees would hesitate to press an alarm button in the event of a robbery. However, when it comes to IT problems, the situation is unfortunately far too often different. Out of a sense of shame or fear of being held responsible, employees then shy away from reporting an observation or calling for help for too long in the event of an emergency. At this point, it is not a question of who is “to blame”, but of using valuable time. And every company can do something about this in advance.

This begins with training and instructions for employees on how to behave. But it also ends with support departments that give employees in need of help the feeling that they will be taken seriously no matter what. Shame and fear are rarely good advisors, and never when it comes to cybersecurity.


Moritz Mann Open Systems
Moritz Mann, Chief Strategy Officer at Open Systems

Moritz Mann

is Chief Strategy Officer at Open Systems. He studied at the Dualen Technical College Baden-Württemberg (DHBW) as well as in London and holds a degree in Information Systems  and Business Administration.