
Security Think Tank: More time equals more opportunity for cyber attackers

Why is reducing cyber attacker dwell time important and how should this be tackled?

The time taken by firms to detect breaches increased 40% to 175 days on average in 2017 compared with 2016, according to FireEye.

In extreme cases, this dwell time can be even longer. For instance, the GhostNet organised crime group successfully targeted government organisations in 103 countries over a two-year period, remaining undetected within networks for up to 660 days. While no one would disagree that we want attackers removed from systems sooner rather than later, what are the implications of long dwell times?

First, the longer attackers have access to an environment, the more they can learn about it. In one day, are they likely to discover which servers on a corporate network host trading or payment applications? Or HR or customer databases? How about when they have six months?

That time can be spent discovering every device on the network, monitoring traffic to learn how to avoid intrusion detection systems, picking up password hashes and authentication tokens, and passively gaining tools and information to aid in the attack.

They may be able to identify which routes out of the network have the weakest protection, and conversely, which areas have very strong controls, implying they may be of additional interest to the attacker.

They will, given enough time, identify exactly which data exists on the network, which data they are interested in, how to exfiltrate that data, and crucially, how to cover their tracks and complete the intrusion. They may complete the intrusion by causing damage or by quietly exiting undetected, possibly leaving a back door to gain access at a later date if required.

Second, the attack itself has a greater chance of succeeding if actions can be taken slowly. Many firewalls and intrusion detection systems use forms of statistical analysis to alert – this is often around a sudden spike or change in traffic flow.

Given enough time, a criminal siphoning data can slow the attack down to a level where it may look like normal network traffic noise, rather than attempt to send out gigabytes of data from a database, for example.
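The contrast described above, as an added detection example that is not part of the original article: a per-day spike detector is run next to a one-sided CUSUM (a standard change-detection method, chosen here for illustration) over the same outbound-volume series. The host names, volumes and thresholds are constructed assumptions.

```python
from statistics import mean, pstdev

def baseline(history, floor=1.0):
    """Mean and std dev of a host's own history; the floor avoids
    dividing by zero when the baseline traffic is perfectly flat."""
    return mean(history), max(pstdev(history), floor)

def spike_days(history, observed, z=3.0):
    """Spike detector: days whose volume is more than z std devs above baseline."""
    mu, sigma = baseline(history)
    return [day for day, v in enumerate(observed) if (v - mu) / sigma > z]

def first_drift_day(history, observed, k=0.5, h=5.0):
    """One-sided CUSUM: sums each day's excess beyond k std devs and alerts
    when the running sum passes h, so a small sustained increase adds up."""
    mu, sigma = baseline(history)
    s = 0.0
    for day, v in enumerate(observed):
        s = max(0.0, s + (v - mu) / sigma - k)
        if s > h:
            return day
    return None

# Constructed sample data: daily outbound MB per host (hypothetical host names).
PATTERN = [-12, 5, 9, -4, 0, 11, -9, 3, -6, 3]   # day-to-day noise, sums to 0
HISTORY = [100 + p for p in PATTERN * 3]          # 30 clean baseline days
OBSERVED = {
    "ws-normal": [100 + p for p in PATTERN * 3],
    "db-burst": [100 + p + (300 if d == 10 else 0)
                 for d, p in enumerate(PATTERN * 3)],   # one large transfer
    "db-slow": [108 + p for p in PATTERN * 3],          # +8 MB every day
}

def triage(history=HISTORY, observed=OBSERVED):
    """Per host: (spike days, first CUSUM alert day or None)."""
    return {host: (spike_days(history, obs), first_drift_day(history, obs))
            for host, obs in observed.items()}

if __name__ == "__main__":
    for host, (spikes, drift) in triage().items():
        print(f"{host:10s} spike_days={spikes} cusum_alert_day={drift}")
```

The slow host never exceeds the spike threshold on any single day, yet the cumulative check alerts within the first week because it measures sustained drift from the host's own baseline.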

New data can also be gained over time, such as new oil well exploration or pharmaceutical research. If this arrives in an already compromised database, the attacker is positioned, ready and waiting, and only needs to exfiltrate it.

Third, a rushed attack can often be rolled back to a previous backup without too much trouble or data loss. If exploitation of a database occurs today and is discovered, restoring the database leaves only a short batch of transactions that may need to be updated, once the route in has been strengthened.

As a result, the business impact is low. Conversely, an attack that takes place over many months may mean long periods of compromised backups, requiring extensive manual work to rebuild from the last known successful backup. In extreme cases, reliance on these backups may not be possible as tapes deteriorate or are reused/recycled.

And finally, understanding how an attack took place is key to strengthening defensive controls. A “noisy” attack, which alerts intrusion detection systems, will leave a trail through logs on firewalls and servers, so the vulnerability exploited can be easily identified and rectified.

A stealthy attack that goes unnoticed can be impossible to analyse a year later: even if the initial intrusion could be traced to a specific point in time, the relevant logs may have been rotated out.

Reducing dwell time

All in all, allowing attackers free rein over your network for long periods of time can be exceedingly damaging. So what can you do to reduce the dwell time?

It is often understated, but one of the biggest improvements you can make in this area is to improve basic cyber hygiene. While an advanced attacker is not going to be put off by some simple improvements in patching, intrusion detection etc., these will stop a significant percentage of the network noise from unskilled “script kiddies”, automated scans and so on – which will improve your chances of being able to spot the signs of longer-term intrusion.

Limiting administrator access is also useful for raising this baseline protection. Ban the re-use of passwords between IT staff user accounts and privileged accounts, and use some form of “break-glass” system to provide short-term passwords for privileged accounts. Segregation of network areas will also make it much harder for an attacker to traverse a network.

Criminals may use phishing attacks to compromise computer accounts belonging to multiple employees and try to act like they belong. In this modern age of automated and skilled attack, the tools that look set to provide the greatest value are behavioural analysis tools. These look at what is happening and whether that is an expected behaviour, or one expected to lead to a negative outcome.

Moving to virtualised desktop environments for your staff has a wide range of benefits over and above simple cost reduction. A company with 20,000 virtualised desktops can upgrade them all at once if necessary, without the need to visit offices and physically interact with them. Even more important, on suspicion of compromise, a virtual desktop instance can be simply wiped and rebuilt to a known good build.

Various factors consistently make it hard for organisations to reduce the dwell time of an attack. Open-mindedness about reduction methods and awareness of potential vulnerabilities in your own organisation are both key to continually reducing dwell time.

There is extensive guidance available from Isaca, as well as the UK’s National Cyber Security Centre (NCSC), the US National Institute of Standards and Technology (Nist) and the Information Security Forum (ISF).
