The industry defines dwell time as the period after an attacker gains access to a network but before detection, and it remains a problem for organizations and security professionals alike. Recent research shows that attacker dwell time has increased by 36% since 2021, largely because of an increase in sophisticated attacks and malware hiding in encryption. This lack of visibility into encrypted traffic, often the result of outdated tools, creates blind spots for SecOps teams, leading to missed threats across the network and increased attacker dwell times. So how can security teams reduce it?

Security teams can deal with the visibility lost to encryption via an enriched analysis of packet data. This has traditionally been done using Deep Packet Inspection (DPI), which requires decryption and impacts performance, privacy, and cost. Decrypting secure transactions challenges the basic intent of protecting messages and ensuring privacy, and often violates organizational compliance obligations. Not to mention, managing deployments is often incredibly complex, involving intermediary certificates and agent rollouts, and is only operationally effective on a subset of corporate assets. But a new approach has emerged called Deep Packet Dynamics (DPD), and it can reduce attacker dwell time without negatively impacting an organization.

DPD passively monitors network traffic, collecting simple, enhanced, and advanced behavioral characteristics about each network connection without having to decrypt a packet. It restores lost visibility through insights delivered by machine learning (ML) and fingerprinting, combining traditional flow tuple information (such as IP addresses, ports, and protocols) with enhanced metadata. This form of network visibility reinforces privacy by eliminating the complexities of decrypting and inspecting traffic. DPD promises to enrich the unencrypted packet header information with analysis of behavioral baselines and anomalies. It generates metadata about traffic based on its overall analysis of the observable characteristics of encrypted traffic, such as byte distributions, jitter, retransmits, connection setup time, round-trip time, TCP metrics, and even inferred L7 application classification.
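To make the kind of metadata described above concrete, here is an added example (not code from the article or from any vendor product) that derives connection setup time, round-trip time, jitter, retransmits and a size distribution from packet headers and timing alone. The record layout, the jitter definition (mean absolute deviation of inter-arrival gaps) and packet-size entropy as a stand-in for a byte-distribution feature are assumptions.

```python
import math
from collections import Counter
from statistics import mean

# Constructed packet records for one TCP connection (assumed layout):
# (time_s, direction, tcp_flags, seq, payload_len). Payload bytes are never read.
PACKETS = [
    (0.000, "c2s", "S",  1000, 0),
    (0.020, "s2c", "SA", 5000, 0),
    (0.021, "c2s", "A",  1001, 0),
    (0.030, "c2s", "PA", 1001, 517),
    (0.055, "s2c", "PA", 5001, 1400),
    (0.056, "s2c", "PA", 6401, 1400),
    (0.300, "s2c", "PA", 6401, 1400),   # same seq sent again: a retransmission
    (0.310, "c2s", "A",  1518, 0),
]

def flow_features(packets):
    """Summarize one connection using only header fields and timestamps."""
    times = [p[0] for p in packets]
    gaps = [b - a for a, b in zip(times, times[1:])]
    avg_gap = mean(gaps)
    syn = next(t for t, d, f, *_ in packets if f == "S")
    synack = next(t for t, d, f, *_ in packets if f == "SA")
    ack = next(t for t, d, f, *_ in packets if f == "A" and t > synack)
    seen, retransmits = set(), 0
    for _, d, _, seq, n in packets:
        if n:  # only data-carrying segments can be retransmitted data
            retransmits += (d, seq) in seen
            seen.add((d, seq))
    sizes = Counter(n for *_, n in packets if n)
    total = sum(sizes.values())
    entropy = -sum(c / total * math.log2(c / total) for c in sizes.values())
    return {
        "setup_time": round(ack - syn, 6),      # SYN to handshake-completing ACK
        "rtt": round(synack - syn, 6),          # SYN to SYN-ACK
        "jitter": round(mean(abs(g - avg_gap) for g in gaps), 6),
        "retransmits": retransmits,
        "bytes_c2s": sum(n for _, d, _, _, n in packets if d == "c2s"),
        "bytes_s2c": sum(n for _, d, _, _, n in packets if d == "s2c"),
        "size_entropy": round(entropy, 6),      # bits, over payload sizes
    }
```

A feature dictionary like this, produced per connection, is the kind of input a baseline or ML classifier would consume in place of decrypted content.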

ML algorithms are also often used to infer insights from the analysis of metadata and behavior to understand whether anomalies are phishing attacks, brute force attacks, or other issues. For example, ML can analyze the characteristics of an HTTPS session and compare it to known patterns of phishing sites as opposed to normal websites without ever decrypting the actual payload. Coupled with behavioral analytics that can characterize activity patterns over time, these technologies offer valuable insights into encrypted traffic. Behavioral analytics examples include the following: alerting security teams to large volumes of data exchanged between an internal database server and an IP address associated with an internal host that usually only communicates with the company’s external web services; or highlighting the exchange of large volumes of UDP traffic between a real-time communications application and an internal accounting application.

The visibility offered by DPD technologies helps security teams regain insight into encrypted malicious traffic, and helps networking teams regain visibility into performance problems (and into other areas as the two collaborate). More specifically, DPD can help identify the following kinds of activity during dwell time:

  • PowerShell attacks: PowerShell attacks are difficult to detect because they are fileless and executed directly in the memory of a device, leaving no signature for traditional antivirus tools to notice. They often happen through a reverse shell or remote shell, which lets attackers open ports on the target’s machine. DPD identifies active keystrokes in traffic to examine how the Secure Shell (SSH) activity correlates with other behaviors. When a hacker creates a reverse SSH shell, the activity tunneled through the new encrypted service gets tracked and classified. This ability to track scripting engines and activities in PowerShell is an important feature of DPD solutions.
  • Port scanning: DPD lets us scan across the network to look for indicators like a bidirectional connection to a port that was recently scanned, illegal port connections, or unusual port scanning activity. Attackers use port scanning in the reconnaissance stage of their attack to better understand what they can exploit. Port scanning reveals whether there are open ports and vulnerabilities, and whether firewalls are in place. DPD paired with machine learning algorithms can compare port scanning activities against a baseline of standard patterns, for example, the average number of ports connected to from any given origin over a set period. These models allow security teams to detect anomalous network behaviors.
  • Data staging: DPD lets organizations profile different assets over time to establish thresholds and models for normal behavior. If a profiled asset, such as a workstation, begins to deviate from the baseline of data attributed to it (for example, the workstation begins consuming more data than is typical, which may indicate data staging), DPD catches this irregularity and can intervene before data exfiltration occurs.
  • Exfiltration hidden in encrypted traffic: Attackers often use encrypted HTTP traffic through SSH to exfiltrate data because HTTP traffic is common and allowed on most networks. DPD combined with machine learning can fingerprint the activity to identify unknown internal or external IP addresses, unexpected data flows, excessive browser uploads, new subnets, new VLANs, and many other threat traits.
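The port-scanning checks in the list above can be sketched over flow metadata as follows. This is an added example, not code from the article or any product: it flags origins whose port fan-out per window exceeds a learned baseline, then looks for a two-way session on a port that origin recently probed. The flow record layout, the window size and the three-sigma threshold are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (header metadata only, no payload), assumed layout:
# (timestamp_s, src_ip, dst_ip, dst_port, payload_bytes_from_dst)
BASELINE = [(t, "10.0.0.%d" % h, "10.0.1.5", p, 900)
            for h in (11, 12, 13) for t, p in ((5, 443), (20, 53), (70, 443), (95, 22))]
OBSERVED = (
    [(100 + i, "10.0.0.66", "10.0.1.5", 20 + i, 0) for i in range(40)]  # probes, no data back
    + [(130, "10.0.0.11", "10.0.1.5", 443, 1200),   # ordinary client
       (150, "10.0.0.66", "10.0.1.5", 22, 4800)]    # two-way session on a probed port
)

def ports_per_window(flows, window=60):
    """Count distinct (destination, port) pairs per origin per time window."""
    seen = defaultdict(set)
    for ts, src, dst, dport, _ in flows:
        seen[(src, ts // window)].add((dst, dport))
    return {key: len(ports) for key, ports in seen.items()}

def scan_suspects(baseline, observed, window=60, k=3.0):
    """Origins whose fan-out exceeds baseline mean + k standard deviations."""
    counts = list(ports_per_window(baseline, window).values())
    # Floor the deviation so a zero-variance baseline does not flag everything.
    threshold = mean(counts) + k * max(pstdev(counts), 1.0)
    return {src for (src, _), n in ports_per_window(observed, window).items()
            if n > threshold}

def connect_after_scan(observed, suspects, lookback=300):
    """Bidirectional flows to a port the same suspect probed within `lookback` s."""
    probed, hits = {}, []
    for ts, src, dst, dport, rx in sorted(observed):
        if src not in suspects:
            continue
        key = (src, dst, dport)
        if rx > 0 and key in probed and ts - probed[key] <= lookback:
            hits.append((ts, src, dst, dport))
        elif rx == 0:
            probed[key] = ts   # remember when this port was last probed
    return hits
```

The same baseline-and-threshold pattern applies to the data-staging case if the per-window count is replaced by bytes transferred per asset.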

When selecting a network detection and response platform, ask these three questions about DPD capabilities:

  • Can the DPD platform correlate findings across multiple domains into a single platform? And how are the findings presented? Correlating different alerts and data insights into streamlined reporting reduces “barking dog” alerts and, alternately, miscategorized benign alerts, not to mention saving engineers loads of time connecting the dots of disparate alerts.
  • Is it truly DPD? In most instances, DPD uses ML-informed technology to analyze traffic for threats without the need for decryption. Vendors may try to dress up DPI as DPD. Ask for specifics about what happens with and to the encrypted traffic. DPD uses threat intelligence to identify malicious content without ever directly accessing the data payload within the packets. DPI, which uses decryption, is resource-intensive and raises compliance concerns in financial and medical industries.
  • How far can the DPD historical logs go back? CrowdStrike reports that the average dwell time in a network is 95 days, but there are certainly edge cases. Take the SolarWinds hack from 2019, where the dwell time was more than one year. For accurate post-mortem forensics of initial points of entry, the team has to maintain data storage for up to a year.

Threat actor activity continues to increase, and as encrypted traffic increases, so do the attacks hidden within it, which leads to rising dwell times. Leveraging the latest in DPD technology will let organizations conduct encrypted traffic analysis that improves visibility while reducing some of the challenges associated with traditional packet decryption. 

Thomas Pore, director of security products, LiveAction