As organizations move to reduce cyber dwell time, there are several fundamental concepts that should be considered. Listed below are five practices that serve to help organizations decrease dwell time by detecting, containing and controlling cyber threats.
1. Fundamental Security Controls. The first step, which is particularly relevant in the context of containing lateral movement, is ensuring your basic security controls are in place. By enacting fundamental security controls – such as regular patching, restrictive administrative access, two-factor authentication, and network segmentation where appropriate – the attacker is forced to invest greater resources in finding a way in. By forcing an attacker to increase their investment, they may elect to search for a more attractive target.
In the process of implementing best practice security controls, a core step should be to identify high-value targets – the systems and people vital to the success of your organization. These are the targets that adversaries most frequently want to exploit for financial or intellectual gain. Security monitoring should be elevated on these assets. Such an approach enables your cybersecurity teams to dedicate operational time to prioritize alerts while easing the process to apply focused controls on endpoints, network devices, or the high-value targets themselves.
2. Granular Visibility and Correlated Intelligence. As previously stated, a breach will occur regardless of the fundamental security measures in place. However, enterprises can withstand breaches by ensuring both have granular visibility of their network and enterprise communications.
Therefore, enterprises should implement network monitoring functionality such as Netflow and collect logs from any device that records identity usage. This enables organizations to create red flags related to identity theft, data loss, and abnormal activity on a day-to-day basis. While these alerts are important, a critical capability lies in correlating actions to every machine or user, whether on or off the network. Detailed information relating to all incoming emails, such as full headers and even content, will allow cybersecurity teams to cycle back to the origin of the incident.
Forensic visibility is imperative when attackers breach the perimeter and internal security controls. With forensic data, organizations have an increased ability to trace threats back to their origin and to calculate dwell time. Dwell time is a new metric for incident responders and incidentally is the only one Forcepoint uses to measure its security posture. How effective is your response team in detecting, containing, and controlling advanced threats?
3. Continuous Endpoint Monitoring. With continuous endpoint monitoring, organizations are able to cultivate a keen perception of people, processes, and machines – translating user activity on the end point to policies and vice versa in near real-time. Why does this matter? When done right, the resulting contextual awareness allows security teams to stitch together the framework of an incident and correlate seemingly unrelated events. This means faster response times and less time spent doing traditional forensic work trying to understand attacker movements and intentions.
As previously mentioned, the majority of attacks start with the host or employee, so continuous end point monitoring is a major evolution in security posture, and critical for expedited incident response. This heightened insight into the end point allows for quicker detection of malware and abnormal behaviors of users. By not only looking for malware and paying attention to odd user activity, organizations will be able to reduce dwell time. This reduction in dwell time and forensics evidence will provide the ability to apply context and protect more than single systems.
4. Actionable Prediction of Human Behavior. Predicting attack profiles based upon an adversary's likely plan, a science within the broader topic of incident response, allows organizations to anticipate movements an attacker might take to access high value targets. More specifically, by understanding the previous path of an attacker – where he/she previously traveled – security professionals can start to predict his/her future path.
Why does this matter? The ability to predict future movement is critical to containing lateral movement and reducing dwell time. The cybersecurity team is better able to anticipate the next steps of an attack and isolate it. This is much like the game of chess, in that the adversary has multiple pieces on the board and has taken multiple moves. The attacker also has many more planned moves to create a checkmate scenario. Security professionals can determine steps they should take, such as taking certain resources off-line or notifying users to be on the lookout for odd behavior, to ensure that checkmate does not happen.
For this effort to be effective, cyber security teams must accept that external attackers are no different from an insider. They know as much about internal systems as IT administrators do. Their activities blend in as normal behaviors on the network, and thanks to custom malware, exploited users provide an overall ability to behave as an insider. Organizations should assume that all high-profile employees (people known outside of the company due to external media exposure or executive level visibility) are entry points into the enterprise and a path to a final destination. As an attacker, they have access to certain resources and those resources have access to other resources. This can yield actionable predictions of both normal and abnormal human behavior to create a framework for creating zones, reducing privileges, and enabling the security team the ability to combat attackers once inside the enterprise.
5. User Awareness. It is imperative that organizations educate employees not only on corporate policies and government mandates, but also on the growing risk that advanced threats pose to the organization. By launching formal educational programs, security professionals gain greater buy-in from end users, increasing the likelihood of changing risky behavior. Additionally, the security team must also be able to educate employees in one-off situations such as when users become targets of threat actors.
When an attack is identified, successful or not, it is important to provide the targeted users with information about the attack so they can be aware of what future attacks may look like. If an attack is successful, security professionals should not punish the users, but realize that mistakes are going to occur. This is an opportunity to steer future actions in the right direction. In effect, users become human “Intrusion Detection Systems” and provide information that might otherwise be missed within the cybersecurity framework. No product on the market is going to find all malware or all bad user behaviors. With that said, if you combine good technology and processes with great people, enterprises amplify the ability to combat advanced threats, reduce dwell time, and detect lateral movements.
CONCLUSION
The longer attackers remain in the enterprise (longer dwell time), the more damage they can cause, and the more intellectual property they can steal. Today's organizations should not focus solely on keeping attackers out, but on ensuring that the attacker stays in the network for as little time as possible — constantly striving to further reduce dwell time. Attackers may come back, but they will realize that their efforts are too costly and have little return on investment. When attackers experience an enterprise attuned to dwell time, they quickly realize that even if they found an open door the enterprise would immediately detect them, and boot them out. They will then go somewhere else, in search of a less-protected enterprise.
