Security Think Tank: GDPR compliance one good reason to cut attacker dwell time

Attackers with a plan will survey the target environment before launching an attack. This is an incident – where defences have been overcome, but there is as yet no consequence to the organisation. Discovering such incidents early, before the incident becomes a breach, should be the aim of every organisation.

The next stage of an attack is the breach – a compromise of information, systems, or processes – with the most likely objective being financial gain or cyber espionage. Combine this with the fact organisations are facing advanced persistent threats (APTs) – under-the-radar threat activities that dwell for a long time and steal data whilst remaining undetected – and it’s an uphill battle for most enterprises.

Few organisations believe they will not suffer a security incident or breach. Most are realistic and do their level best to mitigate the risks as the information, systems, and processes require. However, various reports suggest that the “dwell” time – the length of time that an attacker goes undetected, before and during an attack – is rising.

This matters for lots of reasons. Of course, no organisation wants to be attacked, and a compromise of information, systems, or processes needs to be stopped as soon as it is discovered. Cyber response plans are a crucial element of planning.

Also, the longer an attacker spends in your organisation’s environment, the more intelligence they will gather, with the likelihood of more breaches of information, systems, or processes, either now or in the future.

Then there’s the General Data Protection Regulation (GDPR), effective imminently – organisations must notify the relevant authority within 72 hours of a breach of personal data becoming evident.

Having an attacker “dwelling” in your environment for days, weeks, months – or even longer – does not give a good impression when it comes to demonstrating that best efforts have been made to protect the data of an EU citizen.

Although organisations regularly review the threat landscape, the reconnoiter stage is often not considered in detail because a breach has not occurred. However, security controls that can be deployed to monitor for potentially unwanted forays into the organisation include honeypots and decoy systems.

These are used to tempt attackers into areas in which their operations can be closely monitored, keeping them away from where they can do damage. Mature security functions will also plot possible attack paths, to understand how a threat will attempt to navigate their systems and networks during an attack.

When it comes to detecting attacks, analytics-based next-generation detection tools (including behavioural analysis facilities) are used by organisations to reduce dwell time. No single control can reduce dwell time; a combination of layered security controls is essential.