Security Think Tank: Prevention and detection are key to limit dwell time

Any cyber dwell time is detrimental to an organisation’s security posture and can result in significant harm. Dwell time is the length of time that a cyber attacker enjoys undetected access to a network before being discovered and expelled from that environment.

According to the 2018 M-Trends report by FireEye, the global median dwell time for 2017 was 101 days, but actual dwell times across the globe ranged from less than a week to more than 2,000 days. The longer the cyber dwell time, the greater the opportunity for an attacker to move laterally, gain credentials and access sensitive areas.

For many cyber attackers, it is necessary to conceal their activities and stealthily traverse a network for a sustained period to find the data they seek and realise their malicious objective (for example, misappropriate trade secrets, launder money or disrupt and degrade infrastructure).

Dwell time allows attackers to escalate privileges and create back doors, thereby expanding their access with a view to consolidating control of an organisation's system. Attackers with a persistent presence are not only harder to detect, but are also more capable of corrupting or extracting information to exploit.

To shorten dwell time, organisations should identify the different paths used by adversarial threat actors with reference to a cyber attack model, such as the Information Security Forum (ISF) cyber security chain. This consists of five stages: performing reconnaissance, gaining access, maintaining control, compromising information and exploiting information.

Organisations can effectively tackle dwell time by taking a layered approach to protection and investing in security controls associated with each stage of the cyber attack chain. Many of the measures that can help reduce dwell time are performed by a security operations centre (SOC) function or event monitoring capability – an upcoming topic of focus for the ISF.

The reason for reducing dwell time is to limit – if not prevent – the potential harm from a cyber attack. It is therefore important for organisations to uncover malicious or unusual activity as early in the cyber attack chain as possible. Particular emphasis should be given to implementing a combination of preventative and detective security controls, coupled with an early warning system. 

Security measures that organisations may want to consider include:

• Establish and maintain situational awareness by obtaining threat intelligence from both external and internal sources to profile adversaries and identify emerging or imminent threat events. Organisations should engage with outside sources to help validate the likelihood of attackers present on the network, but should not rely solely on law enforcement or government agencies to provide notification of a breach. In fact, the dwell time can be shorter if a breach is discovered internally. 
• Share information about incidents with external parties to improve protection in the future and use historical event information to help establish the most likely paths, methods and techniques used by attackers.
• Perform rigorous monitoring of network traffic, endpoints and security-related events. Event monitoring requires configuration of systems, applications, network devices and security products.
• Conduct behavioural analysis of users to identify malicious insiders or corporate spies. Baseline expected activity to identify any deviation that may indicate suspicious activity.
• Adopt a robust patch programme that ensures the latest patches are applied regularly.
• Educate users to identify unusual behaviour and tactics, such as social engineering.
• Apply advanced protection, including honeypots, threat hunting and use of big data analytical tools. 

The optimal outcome is to eliminate any dwell time, but if prevention controls fail and a network is penetrated, organisations can still restrict the potential harm by disrupting the attack at the earliest opportunity. Ideally, malicious behaviour is detected in time to stop the compromise of information and reduce the business impact of an attack, including reputational damage and loss of customer trust.

Even if an intrusion is not discovered before exfiltration of data begins, appropriate security controls can help contain the amount of data extracted and the resulting cost to the organisation.

Although there is inevitably a desire to minimise dwell time and respond to an incursion immediately, it does present an opportunity to conduct counter-intelligence to gain insight into an adversary’s methods and techniques. This can be helpful in revealing their true motivation and target.

Overall, organisations that actively address cyber dwell time are well prepared to respond to intruders on the network and limit their ability to progress through the stages of a cyber attack chain to complete an attack. It is likely that dwell time will increasingly serve as a useful metric of an organisation’s security.