So often we see studies commissioned by cybersecurity firms that detail the average length of time an APT (Advanced Persistent Threat) resides in a network prior to discovery. One recent report from the Ponemon Institute suggests that it takes an average of 98 days for an intrusion to be detected.
An APT is typically a more sophisticated attack. The term was created to describe attacks on large organizations and governments originating from advanced (nation-state) adversaries. The origin of the term “APT” is generally attributed to the US Air Force. Classifying a threat as an APT versus another mundane piece of malware is a subjective exercise. Stuxnet was a paradigm-changing event and is a great example of a highly engineered APT: a highly targeted attack on the hardware used to operate the centrifuges in Iran’s nuclear program. Fast forward to today, and malware has become more sophisticated, earning its APT classification.
When we actually stop to reflect on why dwell times are so high, the realization is that traditional prevention-based technologies face an incredible challenge when trying to identify a new threat. Traditional prevention-based approaches fall into two broad categories: signature-based and behavior/anomaly-based.
The signature-based approach served the anti-virus companies well in the early days of malware. In the 1990s, malware samples were shared openly among researchers at all the major anti-virus companies, and so the problem was manageable. In the 2000s, Google turned on a massive e-commerce engine by monetizing click-through ads, and with that, an incredibly valuable new malware market was created: adware.
Adware was the weapon of choice to hijack clicks from legitimate advertisers and divert them to sites where the attacker got paid. This has fueled a dramatic increase in malware innovation that continues today and shows no signs of slowing down. Finding samples of all the new malware created every day is a big challenge, but creating new signatures and getting them deployed effectively is an even bigger one. This gap is the theater where cybercriminals perform.
Behavior and anomaly-based approaches hold some promise, but as pure technologies, they fail. As I’ve written previously, technology hates grey. Grey is the result of something being unusual, but not necessarily threatening. Getting from grey to black or to white is an extremely difficult challenge for technology when dealing with threats for the first time. The result is often the de-tuning of anomaly/behavioral-based systems to the point where one could fairly question the value of deploying them in the first place.
But if you accept the limitations of a pure-technology approach to behavior and anomaly detection and embrace the power of the trained human Security Operations Center (SOC) analyst, the result is a highly effective managed detection and response capability. That’s what we’ve done at eSentire.
One of the primary indicators of an APT is a “command and control connection” (C&C). This is a powerful capability for an attacker, because it enables him to evolve the capabilities of his weaponry remotely, as well as receive useful (and potentially valuable) information about his target. But it’s difficult for pure technology-based solutions to reliably and consistently identify a C&C connection. However, given the right context (additional information about the connection, all the way down to a full-packet capture archive of the conversation), a trained SOC analyst can quickly assess the situation, and either immediately recognize the threat, or pursue an investigation (hunting) that will bring ultimate clarity.
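To make the “grey” problem and the value of context concrete, here is an added example (not eSentire’s code or technology) that runs a simple beacon-detection pass over constructed outbound connection records. It groups connections by source and destination, measures how regular their timing is, and returns each regular pattern together with the context an analyst would want (destination, count, cadence, byte profile, first and last seen). The log format, hosts, addresses and thresholds are all assumptions constructed for the example. Note what the result shows: the flagged pair is a host checking a vendor-looking update server every minute, which is exactly how both a legitimate updater and a C&C beacon appear to the technology alone; only the surrounding context resolves grey to black or white.

```python
"""Beacon-style C&C indicator over constructed connection records.

Added example, not eSentire's code. Groups outbound connections by
(source, destination), scores the regularity of their timing, and emits
the context a SOC analyst needs to triage a "grey" hit.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real traffic):
# "<ISO timestamp> <src_ip> <dst_host>:<port> <bytes_out>"
SAMPLE_LOG = """\
2016-03-01T09:00:00 10.1.2.30 updates.example-vendor.test:443 512
2016-03-01T09:00:03 10.1.2.30 news.example.test:443 40200
2016-03-01T09:01:00 10.1.2.30 updates.example-vendor.test:443 514
2016-03-01T09:01:31 10.1.2.30 cdn.example.test:443 9100
2016-03-01T09:02:00 10.1.2.30 updates.example-vendor.test:443 511
2016-03-01T09:03:00 10.1.2.30 updates.example-vendor.test:443 513
2016-03-01T09:04:00 10.1.2.30 updates.example-vendor.test:443 512
2016-03-01T09:00:10 10.1.2.31 mail.example.test:993 3000
2016-03-01T09:07:42 10.1.2.31 mail.example.test:993 2800
2016-03-01T09:12:05 10.1.2.31 mail.example.test:993 3100
2016-03-01T09:25:30 10.1.2.31 mail.example.test:993 2900
2016-03-01T09:26:10 10.1.2.31 mail.example.test:993 3050
"""


def parse_records(log_text):
    """Parse the constructed log format into (src, dst, timestamp, bytes_out).

    Blank or malformed lines are skipped rather than aborting the whole run.
    """
    records = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts_text, src, dst, size = parts
        try:
            records.append((src, dst, datetime.fromisoformat(ts_text), int(size)))
        except ValueError:
            continue
    return records


def find_beacons(log_text, min_conns=5, max_cv=0.1):
    """Return one finding per (src, dst) pair whose connection timing is regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between consecutive connections; a value near 0 means a fixed cadence.
    Each finding carries the context needed to decide whether the cadence is
    a legitimate updater or a beacon; the score alone cannot tell them apart.
    """
    by_pair = defaultdict(list)
    for src, dst, ts, size in parse_records(log_text):
        by_pair[(src, dst)].append((ts, size))

    findings = []
    for (src, dst), conns in by_pair.items():
        if len(conns) < max(min_conns, 2):
            continue  # need at least two connections to have an interval
        conns.sort()
        times = [ts for ts, _ in conns]
        sizes = [size for _, size in conns]
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_interval = statistics.mean(intervals)
        if mean_interval <= 0:
            continue  # duplicate timestamps: no timing signal to measure
        cv = statistics.pstdev(intervals) / mean_interval
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "connections": len(conns),
                "mean_interval_s": mean_interval,
                "cv": round(cv, 3),
                "mean_bytes_out": statistics.mean(sizes),
                "first_seen": times[0].isoformat(),
                "last_seen": times[-1].isoformat(),
            })
    findings.sort(key=lambda f: f["cv"])
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}: {f['connections']} connections every "
              f"~{f['mean_interval_s']:.0f}s (cv={f['cv']}), "
              f"~{f['mean_bytes_out']:.0f} bytes out, "
              f"{f['first_seen']} .. {f['last_seen']}")
```

The mail session pattern for 10.1.2.31 is irregular (its coefficient of variation is far above the threshold) and is not reported, while the once-a-minute, ~512-byte connections from 10.1.2.30 are. Whether that hit is an update checker or a beacon is the analyst’s call, made from the destination, the byte profile and, where available, the captured conversation, not from the score.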
In our SOC, we see lots of unusual activity. But our model is about minimizing dwell time by proactively watching for the signs that something isn’t right. Our technology informs our SOC, and the actions our SOC takes inform our technology. It’s a virtuous cycle that ensures we can detect and respond to new threats, and quickly operationalize the new learnings so that the next time we see this threat, we do less work and take less time to deal with it.
Rinse and repeat.
Dwell times won’t meaningfully change until there is a more balanced approach to cybersecurity. Prevent the attacks you know about, but make sure you have the ability to hunt down the ones you’ve never seen before. That’s called hunting. Gartner calls it Managed Detection and Response.