We should probably start by defining toxic dwell time. An attack that has become tangled in the weeds and is dwelling because it is struggling to proceed is, while not unimportant, less threatening than one that has successfully penetrated a network, carried out damage or exfiltration and potentially moved on to other areas of the organisation, as we saw with the attack on the retailer Target.
If we look at the Mandiant M-Trends 2018 report, one of the key drivers of the increase in dwell time in Europe, the Middle East and Africa (EMEA) has been attributed to an increase in the discovery of existing compromises relating to industrial control systems (ICS).
However, internal detection seems to have helped to combat attackers lurking inside the network, as dwell time for internally detected compromises has dropped. This suggests that our corporate systems are benefiting from good-quality detection and response, but that non-standard areas are still causing problems, both as entry points and as places where attackers can harbour undetected.
That is not to say that corporate or internal networks are free and clear here: according to the Mandiant report, they still show a dwell time of almost 25 days, on average.
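Dwell time is a measurable quantity: the days between the earliest evidence of attacker activity that an investigation can establish and the date the compromise was identified. The following is an added example, not part of the original article or of the Mandiant report; it runs over a constructed set of incident records (the incident names, dates and detection sources are invented) and shows why the discovery of a few long-running compromises can move an aggregate dwell time figure by months while the typical, internally detected intrusion is still being caught within weeks, and why a practitioner should look at the median and the maximum alongside the mean before drawing conclusions. It also separates "toxic" dwell (the attacker reached an objective) from dwell at the entry point, the distinction drawn at the start of this piece.

```python
"""Dwell time as a measurable quantity: days from the earliest evidence of attacker
activity to the date the compromise was identified, summarised by how it was found.

Added example over constructed incident records; the figures are illustrative and
are not taken from the Mandiant M-Trends report.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Iterable, Optional


@dataclass(frozen=True)
class Incident:
    name: str
    first_evidence: date   # earliest attacker activity established by the investigation
    detected: date         # date the compromise was identified
    detection_source: str  # "internal" (own monitoring) or "external" (third-party notification)
    objectives_met: bool   # lateral movement, damage or exfiltration confirmed

    @property
    def dwell_days(self) -> int:
        return (self.detected - self.first_evidence).days


# Constructed sample (hypothetical names and dates): four corporate-network intrusions
# caught by internal monitoring, plus two long-running ICS compromises surfaced by an
# external notification.
INCIDENTS = [
    Incident("phish-finance",         date(2018, 1, 4),  date(2018, 1, 14), "internal", False),
    Incident("rdp-bruteforce",        date(2018, 2, 1),  date(2018, 2, 19), "internal", False),
    Incident("webshell-dmz",          date(2018, 3, 1),  date(2018, 3, 25), "internal", True),
    Incident("vpn-cred-reuse",        date(2018, 3, 10), date(2018, 4, 10), "internal", True),
    Incident("ics-hmi-backdoor",      date(2016, 9, 12), date(2018, 1, 25), "external", True),
    Incident("ics-historian-implant", date(2016, 6, 14), date(2018, 2, 6),  "external", True),
]


def summarise(incidents: Iterable[Incident], source: Optional[str] = None) -> dict:
    """Count, mean, median and maximum dwell time, optionally restricted to one
    detection source.

    Mean and median answer different questions: the median describes the typical
    intrusion, while a couple of long-running discoveries can move the mean by
    months without any change in day-to-day detection capability.
    """
    days = sorted(i.dwell_days for i in incidents
                  if source is None or i.detection_source == source)
    if not days:
        return {"count": 0, "mean_days": None, "median_days": None, "max_days": None}
    return {"count": len(days), "mean_days": mean(days),
            "median_days": median(days), "max_days": days[-1]}


def toxic(incidents: Iterable[Incident]) -> list:
    """Names of intrusions whose dwell time was 'toxic': the attacker reached an
    objective (movement, damage or exfiltration) rather than lingering at the
    point of entry."""
    return [i.name for i in incidents if i.objectives_met]


if __name__ == "__main__":
    for label, src in (("all", None), ("internal", "internal"), ("external", "external")):
        print(f"{label:8s} {summarise(INCIDENTS, src)}")
    print("toxic:", toxic(INCIDENTS))
```

On the constructed data the two externally notified ICS compromises push the overall mean to roughly 197 days while the overall median stays under a month, and the internally detected subset sits at a median of 21 days; reporting only one of these numbers would tell very different stories about the same organisation.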
Reducing dwell time can limit the damage or exfiltration that is possible, gives an attacker less opportunity to move around a network at will, as happened with Target, and improves our response to an attack.
As we cannot guess the motivation or the genuine target of an attack, we must understand our own information assets fully and take a layered approach to protecting them.
The concept of defence in depth is a useful one and gives us plenty to consider when we talk about dwell time. Ask yourself: are your networks effectively segregated? What information assets do you have, where are they, and how important and sensitive are they? Can you triage them by importance and sensitivity and layer security around them accordingly? If you can, the benefit is not only security that is proportionate to the asset, but also more effective use of the security budget.
Next, consider whether there is an effective incident response team and plan in place, combined with forensic readiness and lockdown procedures, and then look at detection of incursions.
At what point do we move from "alert and log" to "alert and tell"? Telling the person or team who is responsible and accountable for responding to the incident, as part of an incident response plan, puts the focus in the right place and gives the incident the appropriate level of attention.
You also need to ask whether the incident response team is talking to other business areas, such as business continuity, and whether there is a mechanism in place to review an incident and refine the response and procedures, so that there is continual improvement.
Of course, users need to be part of all of these considerations, as they are a great defence but also a potential weak spot. If security makes it difficult for them to carry out their roles by being too onerous or disproportionate, they will find ways around it. This is where the value of internal monitoring can be seen, as it is not only external attackers who can wreak havoc in a network.