Saryu Nayyar | Forbes.com
In cybersecurity, dwell time is the time between an attacker’s initial penetration of an organization’s environment and the point at which the organization finds out the attacker is there. In an ideal world, that time would be measured in moments. If everything were perfect, the security operations center would get an alert that the intrusion detection system (IDS) had identified an attacker while the automated endpoint detection and response (EDR) tooling nullified the intruder before the cybercriminal did any damage. But we don’t live in an ideal world.
Industry surveys over the years have shown dwell time ranging from a (sadly rare) best case of a couple of minutes to a worst case of hundreds of days. The average dwell time — depending on region, industry and who is generating the report — has varied widely. And while a couple of months is better than over 100 days, it is still a relative eternity given the speed at which business moves and cybercrime can evolve.
The obvious question is: Why is dwell time still so high? But the answer is not always simple or clear.
Many security vendors will claim that their solution can detect an intruder in real time or, more realistically, within a few minutes of an intruder getting into the environment. And the fact is that many of them actually can.
But only in ideal conditions: The environment needs to be set up to favor early detections, the solution needs to be installed and configured correctly, and the security operations team needs to have the correct training and supporting processes to make the most of their tools. That “correct configuration” theme needs to play across the entire security stack since modern security solutions do not operate in a vacuum.
For organizations that have everything in place with the right tools, training, processes, and policies, it is possible they can honestly say, “We would know in minutes” when asked, “How long would it take you to catch an intruder?” on a survey. But the reality is that most organizations, even ones that believe they are well prepared for an intrusion, are not detecting an attacker anywhere near as quickly as they would like.
For other organizations with less mature cybersecurity infrastructure and SecOps teams, the answer is more likely to fall somewhere between “days” and “when we read about it on the news.” For those who work at a small company, the first indication they may have a breach is when they see ransomware messages pop up on their desktops and their network grinds to a halt. Small organizations often lack the resources to hire a dedicated information security resource, let alone a fully equipped team and the security stack they need to adequately protect the environment.
Managed security service providers (MSSPs) can help smaller organizations deal with a lack of in-house resources, but even MSSPs can struggle with identifying a subtle attack. Security professionals who do penetration testing have demonstrated that it is possible, with skill, to skirt around many of the extant security solutions on both the network and endpoints. That doesn’t even address attackers who leverage stolen credentials to masquerade as a legitimate user.
Social engineering and phishing schemes have shown time and again that users can be a weak link in the security chain. While most common drift-net-style phishing attacks are caught by spam filters and are easily recognized by users, more focused attacks have a much greater chance to succeed. Cast-net attacks, which target people in a specific organization, are much more effective. They are especially useful when an attacker doesn’t care who they get, as long as they can get a foothold. Spear-phishing attacks are, by nature, highly focused and can be closely tied to a well-researched social engineering effort. They take more work on the attacker’s part but frequently have a much greater chance of success.
When attackers can compromise a user account, they have an easy in. If they are careful and operate on the “low and slow” model, they can often stay under the radar of conventional systems. The same is true no matter how an attacker gains their credentials. Whether it’s through purchasing credentials on the dark web from a massive data breach, brute-forcing passwords or through exploiting a flaw in some login protocol, once they are in, the dwell time clock has started.
Finding and eliminating these intruders is where the real challenge lies. Even a skilled SecOps team using a mature security stack can miss a clever intruder — or has missed clever intruders, as the ongoing volume of high-profile breaches attests. It’s not that they are not capable; rather, it’s that the sheer volume of alerts means it is easy to lose subtle clues in the flood.
Some tools do a better job than others of revealing attackers. Deception technologies, for example, return high-confidence alerts when an attacker touches them, as no one should be touching the decoys deception relies on. Unfortunately, if an attacker never takes the bait, the system will never see them. Security analytics is a better option: by focusing on user behavior and using machine learning to recognize outliers, it can pinpoint an intruder’s activities in the noise.
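As an added illustration (not code from the article or its author), here is a minimal behavioral baseline of the kind security analytics builds: it learns each user’s normal login hours, source addresses and hosts from constructed sample events, flags logins that break more than one of those patterns (the compromised-credential, “low and slow” case described above), and measures the resulting dwell time. All users, addresses and hostnames are made up.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logins (user, "YYYY-MM-DD HH:MM", source IP, host), not from the article:
# ordinary weekday activity for alice, then a week in which a "low and slow" intruder
# reuses her credentials a couple of times from an unfamiliar address.
BASELINE = [
    ("alice", "2024-03-04 08:55", "10.0.1.20", "ws-alice"),
    ("alice", "2024-03-05 09:03", "10.0.1.20", "ws-alice"),
    ("alice", "2024-03-06 08:47", "10.0.1.21", "ws-alice"),
    ("alice", "2024-03-07 13:10", "10.0.1.20", "fileserver"),
]
RECENT = [
    ("alice", "2024-03-25 09:01", "10.0.1.20", "ws-alice"),      # normal
    ("alice", "2024-03-25 23:41", "203.0.113.9", "fileserver"),  # intruder
    ("alice", "2024-03-26 08:58", "10.0.1.21", "ws-alice"),      # normal
    ("alice", "2024-03-28 02:17", "203.0.113.9", "hr-db"),       # intruder
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def build_profile(events):
    """Per-user baseline of login hours, source IPs and hosts seen during normal use."""
    profile = defaultdict(lambda: {"hours": set(), "ips": set(), "hosts": set()})
    for user, ts, ip, host in events:
        profile[user]["hours"].add(parse(ts).hour)
        profile[user]["ips"].add(ip)
        profile[user]["hosts"].add(host)
    return profile

def score(profile, event):
    """Return (number of baseline attributes violated, reasons) for one login event."""
    user, ts, ip, host = event
    p = profile.get(user)
    if p is None:
        return 3, ["unknown user"]
    reasons = [r for ok, r in (
        (ip in p["ips"], "new source IP"),
        (parse(ts).hour in p["hours"], "hour never seen for this user"),
        (host in p["hosts"], "host never accessed before"),
    ) if not ok]
    return len(reasons), reasons

def find_outliers(profile, events, threshold=2):
    """Flag events violating at least `threshold` attributes; one new host alone is not enough."""
    return [(e, r) for e in events for s, r in [score(profile, e)] if s >= threshold]

def dwell_hours(first_intrusion_ts, detection_ts):
    """Dwell time as the article defines it: first foothold to the moment defenders know."""
    return (parse(detection_ts) - parse(first_intrusion_ts)).total_seconds() / 3600
```

The threshold matters: a single unfamiliar host is everyday noise, while an unfamiliar address at an unfamiliar hour is the kind of subtle combination that gets lost in a flood of one-attribute alerts.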
Reducing dwell time can be a complex challenge as attackers leverage a range of organic and machine vectors to get their foothold and use subtlety to remain undetected. But it is not an insurmountable challenge. With the right tools, training, user education and processes, it’s possible to reduce the chance of a breach and raise the possibility of catching an attacker early if the intruder does manage to get in.
External Link: Why The Dwell Time Of Cyberattacks Has Not Changed