
How long is too long to go undetected?

So often we see studies commissioned by cybersecurity firms that detail the average length of time an APT (Advanced Persistent Threat) resides in a network prior to discovery. One 2016 study by the Ponemon Institute suggests that it takes an average of 98 days for an intrusion to be detected.

An APT is typically a more sophisticated attack. The term, generally attributed to the US Air Force, was coined to describe attacks on large organizations and governments by advanced (nation-state) adversaries. Classifying a threat as an APT rather than as another mundane piece of malware is a subjective exercise. Stuxnet was a paradigm-changing event and a great example of a highly engineered APT: a highly targeted attack on the control hardware that operated the centrifuges in Iran's nuclear program. Fast forward to today, and malware in general has become sophisticated enough that much of it earns the APT classification.

When we reflect on why dwell times are so high, the realization is that traditional prevention-based technologies face an incredible challenge in identifying a new threat. They fall into two broad categories: signature-based and behavior/anomaly-based.

The signature-based approach served anti-virus companies well in the early days of malware. In the 1990s, malware samples were shared openly among researchers at all the major anti-virus companies, so the problem was manageable. In the 2000s, Google turned on a massive e-commerce engine by monetizing click-through ads, and with it an incredibly valuable new malware market was created: adware.

Adware was the weapon of choice for hijacking clicks from legitimate advertisers and diverting them to sites where the attacker got paid. It fueled a dramatic increase in malware innovation that continues today and shows no signs of slowing down. Finding samples of all the new malware created every day is a big challenge, but creating new signatures and getting them deployed effectively is an even bigger one. This gap is the theater where cybercriminals perform.

Behavior- and anomaly-based approaches hold some promise, but as pure technologies they fail. Technology hates gray, and gray is what you get when something is unusual but not necessarily threatening. Getting from gray to black or to white is extremely difficult for technology when it is seeing a threat for the first time. The result is often the de-tuning of anomaly/behavior-based systems to the point where one could fairly question the value of deploying them in the first place.

But if you accept the limitations of a pure-technology approach to behavior and anomaly detection and embrace the power of the trained human Security Operations Center (SOC) analyst, the result is a highly effective managed detection and response capability.

One of the primary indicators of an APT is a command and control (C&C) connection. This powerful capability enables an attacker to evolve the capabilities of their weaponry remotely, as well as to receive useful (and potentially valuable) information about the target. It's difficult for pure technology-based solutions to reliably and consistently identify a C&C connection. But given the right context (additional information about the connection, all the way down to a full-packet capture archive of the conversation), a trained SOC analyst can quickly assess the situation and either immediately recognize the threat or pursue an investigation (hunting).
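As an added illustration (not eSentire's code, and not a description of its platform), the following Python scores connection-timing regularity over a constructed flow log, the kind of first-pass signal a detection system can compute for C&C beaconing, and shows why the result is gray rather than black or white: the malware-style beacon and a legitimate periodic NTP sync score almost identically, and it is analyst context (a known service on a well-known port, an approved destination, or a packet capture of the conversation) that separates them. Hosts, addresses and the service-port shortlist are hypothetical.

```python
"""Beacon-candidate scoring over constructed flow logs.

Added illustration, not eSentire's code: ranks outbound (source, destination)
pairs by how regular their connection timing is. Regular, low-volume,
long-running connections are a classic C&C beacon pattern, but legitimate
services (NTP, update checks) beacon too, so the output is a list of "gray"
candidates for an analyst, not a verdict.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample flow log: "<ISO time> <src> <dst:port> <bytes out>".
# Hosts and addresses are hypothetical (RFC 1918 / RFC 5737 ranges).
SAMPLE_FLOWS = """\
2016-05-01T09:00:00 10.0.0.5 203.0.113.7:443 512
2016-05-01T09:00:05 10.0.0.9 192.0.2.10:443 18320
2016-05-01T09:00:07 10.0.0.9 192.0.2.10:443 2210
2016-05-01T09:00:10 10.0.0.8 198.51.100.20:123 76
2016-05-01T09:00:45 10.0.0.9 192.0.2.10:443 91002
2016-05-01T09:01:02 10.0.0.5 203.0.113.7:443 498
2016-05-01T09:01:14 10.0.0.8 198.51.100.20:123 76
2016-05-01T09:01:59 10.0.0.5 203.0.113.7:443 530
2016-05-01T09:02:18 10.0.0.8 198.51.100.20:123 76
2016-05-01T09:03:01 10.0.0.5 203.0.113.7:443 505
2016-05-01T09:03:12 10.0.0.9 192.0.2.10:443 4400
2016-05-01T09:03:13 10.0.0.9 192.0.2.10:443 1200
2016-05-01T09:03:22 10.0.0.8 198.51.100.20:123 76
2016-05-01T09:04:00 10.0.0.5 203.0.113.7:443 511
2016-05-01T09:04:26 10.0.0.8 198.51.100.20:123 76
2016-05-01T09:04:58 10.0.0.5 203.0.113.7:443 499
2016-05-01T09:05:30 10.0.0.8 198.51.100.20:123 76
2016-05-01T09:06:01 10.0.0.5 203.0.113.7:443 520
2016-05-01T09:07:00 10.0.0.5 203.0.113.7:443 503
2016-05-01T09:09:40 10.0.0.9 192.0.2.10:443 66000
"""

# Hypothetical shortlist of well-known service ports used as analyst context.
KNOWN_SERVICES = {"123": "NTP", "53": "DNS"}


def parse_flows(text):
    """Parse the log into (timestamp, src, dst, bytes_out) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return flows


def score_pairs(flows, min_count=5):
    """Per (src, dst) pair: connection count, mean inter-connection interval,
    coefficient of variation of the intervals (0.0 = perfectly periodic) and
    mean bytes out. Pairs with fewer than min_count connections are skipped."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))
    scores = {}
    for pair, events in by_pair.items():
        if len(events) < min_count:
            continue
        events.sort()
        times = [ts for ts, _ in events]
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mu = mean(intervals)
        scores[pair] = {
            "count": len(events),
            "mean_interval": mu,
            "cv": pstdev(intervals) / mu if mu else float("inf"),
            "mean_bytes": mean(n for _, n in events),
        }
    return scores


def beacon_candidates(flows, min_count=5, max_cv=0.2):
    """Return [(src, dst, stats)] for pairs whose timing is regular enough to
    look like a beacon, most regular first. A low CV alone is not malicious."""
    cands = [(s, d, st) for (s, d), st in score_pairs(flows, min_count).items()
             if st["cv"] <= max_cv]
    return sorted(cands, key=lambda c: c[2]["cv"])


def triage_hint(dst):
    """The context an analyst reaches for first: is the port a known service?"""
    port = dst.rsplit(":", 1)[-1]
    svc = KNOWN_SERVICES.get(port)
    if svc:
        return f"{svc} on a well-known port: confirm the destination is an approved server"
    return "no known service: pull full-packet capture and inspect the conversation"


if __name__ == "__main__":
    for src, dst, st in beacon_candidates(parse_flows(SAMPLE_FLOWS)):
        print(f"{src} -> {dst}: {st['count']} conns, every {st['mean_interval']:.0f}s "
              f"(cv={st['cv']:.2f}), ~{st['mean_bytes']:.0f} B; {triage_hint(dst)}")
```

On this input both the 60-second check-in to 203.0.113.7:443 and the 64-second NTP sync to 198.51.100.20:123 are flagged, while the irregular browsing to 192.0.2.10:443 is not. Nothing in the timing statistics distinguishes the first two; that is the gray the article describes, and it is the triage context (and ultimately the packet capture) that an analyst uses to move each one to black or white.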

The eSentire SOC sees lots of unusual activity. But our model is about minimizing dwell time by proactively watching for the signs that something isn't right. Our technology informs our SOC, and the actions our SOC takes inform our technology. It's a virtuous cycle that ensures we can detect and respond to new threats and quickly operationalize what we learn, so that the next time we see a threat we do less work and take less time to mitigate it.

Dwell times won't meaningfully change until there is a more balanced approach to cybersecurity. Prevent the attacks you know about, but make sure you also have the ability to hunt down the ones you've never seen before.

• Mark McArdle is chief technology officer at eSentire. Reach him at mark.mcardle@esentire.com.
