Many organizations will be familiar with the Verizon Data Breach Investigations Report (DBIR) that is issued each year. A recurring theme within the report is to record the average amount of time it takes an organization to identify an attack (or data breach) from the initial point at which the intruder gained access to the network. This is often referred to as the dwell time.
The initial time that it takes to compromise an asset is usually measured in seconds. For spear phishing, this effectively suggests that a user will decide whether or not to click a link in an e-mail within a few seconds of reading it.
The amount of time it typically takes for data to be exfiltrated after an initial incident is measured in days. This means that after the initial compromise, an attacker will be resident within the network for a number of days before attempting to exfiltrate data.
These two statistics in their own right tell us a lot. Organizations will need to review and correlate log, network and behavioral analytics over extended periods of time. Assuming that an attacker will exploit a user and then be seen to compromise a core asset within a short period of time flies in the face of what the Verizon Data Breach report tells us. Instead, organizations will need to be able to correlate traffic and behavioral analytics over an extended period of time, perhaps weeks or months at a time.
If an organization is able to detect the initial attack, or identify malicious or unusual behavior before the attacker attempts to exfiltrate data, then the dwell time will be reduced. In many respects, identifying the initial attack is often much easier for organizations to achieve than identifying the follow-on activity. This is largely because organizations are traditionally better equipped to detect North-South attacks than they are at detecting East-West attacks.

North-South, East-West explained
Historically, organizations assumed that attackers compromised assets by pursuing a direct line of attack from the internet all the way through to the core system. The internet was outside the organization and was classed as having a Northern orientation, whilst the core assets were inside the organization, potentially a number of layers deep away from the internet. These assets were classed as having a Southerly position, 180 degrees separated from the internet-based adversaries. If the attack was perceived to be launched in a straight, linear direction from the internet, it was relatively easy to determine where to place the detection and response technology: it was simply placed on-path, between the adversary and the core assets.
However, in today's threat environment, fewer and fewer adversaries attack in a purely linear fashion. Instead, they are more inclined to take a flanking approach: targeting users, and from there undertaking reconnaissance, moving laterally, and traversing the network in an East-West trajectory. This approach harvests information about people and processes in the organization, and because it is traffic within the same user networks, its East-West trajectory makes it much more difficult for an organization to detect.

So how to reduce the dwell time?
There are two separate approaches to reducing the dwell time of attackers that gain a foothold in a corporate network.
1. Prevent the initial foothold. As difficult as this task is, organizations should still invest time and effort in defending the perimeter. If they can prevent the initial foothold from occurring on a user workstation or an internet-facing server, then this effectively eliminates the need to consider dwell time. With increasing levels of remote working, social media and cloud computing, protecting the perimeter 100% of the time is a bold ambition. However, it should always be a primary objective for any organization that has a mature cyber security strategy.
2. Build processes and leverage technology that can help identify abnormal East-West traffic flows. This should be a focus for every organization, and it is the approach that most directly reduces an attacker's dwell time.
There is no silver bullet for identifying malicious East-West traffic, however organizations should consider the following approaches:
- Build attack trees, and identify the most likely attack paths
- Understand and document internal processes
- Conduct continuous internal reconnaissance activities, to identify sources of intelligence that could be used by an attacker that has access to internal resources
- Deploy user-based analytics technology to identify normal and abnormal traffic behavior
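The last two points, a baseline of normal internal traffic and a check for abnormal East-West behavior over an extended window, can be illustrated with a small detector. This is an added example and not Nettitude's code: it learns, over a constructed four-week baseline of internal flow records (timestamp, source host, destination host, destination port), which internal peers each host normally talks to, and then flags any host that contacts more than a threshold number of never-before-seen internal peers in a single day, the fan-out pattern of reconnaissance and lateral movement. Host names, ports and the threshold are assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BASELINE_DAYS = 28        # learn "normal" East-West peers over four weeks
NEW_PEER_THRESHOLD = 3    # more than this many new internal peers in one day raises an alert

def build_baseline(flows, baseline_end):
    """Map each source host to the (dst, port) pairs it normally talks to.
    flows: iterable of (timestamp, src, dst, dst_port) for internal-to-internal traffic only."""
    start = baseline_end - timedelta(days=BASELINE_DAYS)
    baseline = defaultdict(set)
    for ts, src, dst, port in flows:
        if start <= ts < baseline_end:
            baseline[src].add((dst, port))
    return baseline

def find_new_peer_bursts(flows, baseline, baseline_end):
    """Return {(src, date): [new (dst, port) pairs]} for each day on which a host reached
    more than NEW_PEER_THRESHOLD internal peers it never contacted during the baseline."""
    new_by_day = defaultdict(set)
    for ts, src, dst, port in flows:
        if ts >= baseline_end and (dst, port) not in baseline.get(src, set()):
            new_by_day[(src, ts.date())].add((dst, port))
    return {k: sorted(v) for k, v in new_by_day.items() if len(v) > NEW_PEER_THRESHOLD}

def constructed_flows():
    """Constructed sample data (hypothetical hosts): four weeks of routine traffic, then one
    workstation fanning out over SMB/RDP to hosts it has never touched before."""
    end = datetime(2024, 3, 1)
    flows = []
    for day in range(BASELINE_DAYS):
        ts = end - timedelta(days=BASELINE_DAYS - day)
        flows += [(ts, "WS-042", "FILESRV-01", 445), (ts, "WS-042", "MAIL-01", 443),
                  (ts, "WS-017", "FILESRV-01", 445), (ts, "WS-017", "INTRANET-01", 443)]
    fanout = [("FILESRV-02", 445), ("HR-DB-01", 445), ("ADMIN-01", 3389), ("BACKUP-01", 445)]
    for i, (dst, port) in enumerate(fanout):
        flows.append((end + timedelta(days=5, minutes=i), "WS-042", dst, port))
    # A single new peer (a printer) stays below the threshold and is treated as benign drift.
    flows.append((end + timedelta(days=5), "WS-017", "PRINT-01", 9100))
    return flows, end

def run_demo():
    """Build the baseline from the constructed flows and return the alerts for the days after it."""
    flows, end = constructed_flows()
    return find_new_peer_bursts(flows, build_baseline(flows, end), end)

if __name__ == "__main__":
    for (src, day), peers in run_demo().items():
        print(f"{day} {src}: {len(peers)} new internal peers -> {peers}")
```

In practice the baseline would be rebuilt on a rolling basis and the threshold tuned per host role, since servers and administrator workstations legitimately have far more internal peers than a typical user workstation.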
In a mature cyber security strategy, organizations will pursue Approach 1 and Approach 2 in unison. This multi-layered approach is much more likely to be effective at both preventing attackers and reducing their dwell time should they achieve an initial foothold.

How Nettitude can help
Nettitude provides a range of cyber security services, revolving around consulting, strategy setting and wider assurance based activities. We deliver security operations center maturity guidance to our clients, and provide consultation on how to maximize North-South and East-West detection capability. To find out more about how Nettitude can assist you, fill in the form below and a consultant will get in touch with you.