Mandiant recently released its annual The State of Cyber Attacks report, and there is some potentially good news for the industry. A surface reading of the numbers shows that the time for an enterprise to become aware of a breach (note the careful word choice here) fell 29% in 2015 to 146 days. Reducing breach detection time by nearly two months is a move in the right direction. But how excited should we be? There are two problems with this number.
- 53% of breaches actually had a 320-day average dwell time, while 47% averaged 56 days.
- Despite the decline, a 21-week dwell time on average or eight-week dwell time for the successful attack hunters is more than sufficient to inflict significant damage.
Active and Passive Discovery
Mandiant’s report offers us two categories of breach discovery. Active discovery is a breach detected by internal staff. Passive discovery is being notified of the breach by an external party. The latter is becoming aware of a breach without actually detecting it.
As a result, the average can be misleading. More than half of the companies in Mandiant’s analysis sample had breach dwell times exceeding 45 weeks. This is a bit longer than Premera’s 269 days or The Home Depot’s 150 days but less than some estimates for OPM of more than a year. However, information security professionals understand that averages don’t provide details. Some of these longer dwell times may be the result of more sophisticated attackers that were better able to hide their tracks while some of the shorter dwell times could be due to careless errors by the attackers combined with information security teams that acted quickly and correctly on the data.
Target revealed after its 2013 breach that its FireEye instance generated a critical malware alert that analysts incorrectly deprioritized for action. What most people don’t realize is that breach detection isn’t necessarily a binary situation. A breach alert, of which there may be many, must be validated. This is where the skill of analysts and the tools that provide breach contextualization become critical in properly classifying an alert.
Too Long to Dwell
The reduction in breach dwell times in 2015 is moving in the right direction but it is still far too long to keep enterprise assets secure. The report comments:
“Mandiant’s Red Team, on average, is able to obtain access to domain administrator credentials within three days of gaining initial access to an environment. Once domain administrator credentials are stolen, it’s only a matter of time before an attacker is able to locate and gain access to the desired information. This means that, in our experience, 146 days is at least 143 days too long.”
Or, 56 days is 53 days too long. Both dwell times are more than sufficient to determine the location of enterprise assets and their contents and execute data exfiltration or destruction.
Detection, Contextualization, Validation
Tools such as information security analytics address the problem of dwell time directly. First, analytics solutions such as IKANOW can crunch data and determine anomalies across systems that would otherwise remain undetected. Most security solutions operate within a defined silo of data, devices or applications. They are optimized to detect breaches within a specific domain. These solutions cannot match anomalous behavior that is only visible when analyzing data across those silos, whereas analytics tools are designed for exactly this challenge.
Second, breaches typically start off as alerts. They are then investigated to validate whether a breach is active and what actions should be initiated. It can be a difficult challenge to correctly characterize a breach, as the Target team learned. As a result, reducing dwell time also requires that analysts have access to tools that provide sufficient context about the alert to enable them to quickly and accurately validate it as a breach, a threat or noise. IKANOW provides correlated search tools designed to take alerts from existing systems or from the analytics jobs and enable rapid contextualization for the analyst. The value of this feature is that analysts, with access to both internal and external data sources, make the right decisions and make them much faster.
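The contextualization step described above, as an added illustration that is not IKANOW's code or anything from the Mandiant report: a critical endpoint alert is enriched with records from two other silos (authentication and web proxy) for the same host, the combined evidence drives a breach/threat/noise label, and the dwell time is measured from the earliest correlated event rather than from the alert itself. All sample records, the 48-hour window, the egress threshold and the label thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the report): one critical endpoint alert plus
# records from two other silos. The host and timestamps are invented.
ENDPOINT_ALERT = {"ts": "2015-11-30T02:15:00", "host": "pos-ws-17",
                  "signal": "malware.critical", "user": "svc_pos"}
AUTH_LOG = [
    {"ts": "2015-11-28T23:40:00", "host": "pos-ws-17", "user": "svc_pos", "outcome": "success"},
    {"ts": "2015-11-29T01:05:00", "host": "pos-ws-17", "user": "itadmin2", "outcome": "success"},
    {"ts": "2015-11-29T01:06:00", "host": "hr-db-01", "user": "itadmin2", "outcome": "success"},
]
PROXY_LOG = [
    {"ts": "2015-11-29T03:20:00", "host": "pos-ws-17", "dst": "updates.vendor.example", "bytes_out": 120_000},
    {"ts": "2015-11-30T04:45:00", "host": "pos-ws-17", "dst": "203.0.113.77", "bytes_out": 92_000_000},
]
KNOWN_GOOD_DST = {"updates.vendor.example"}  # assumed allow-list of destinations


def ts(s):
    return datetime.fromisoformat(s)


def contextualize(alert, auth_log, proxy_log, window_hours=48):
    """Pull same-host records from other silos within +/- window_hours of the alert
    and return (label, evidence, related_events). Thresholds are assumptions."""
    t0 = ts(alert["ts"])
    lo, hi = t0 - timedelta(hours=window_hours), t0 + timedelta(hours=window_hours)

    def in_window(e):
        return lo <= ts(e["ts"]) <= hi

    auth = [e for e in auth_log if e["host"] == alert["host"] and in_window(e)]
    proxy = [e for e in proxy_log if e["host"] == alert["host"] and in_window(e)]
    evidence = []
    # A different account succeeding on the alerting host inside the window
    if any(e["outcome"] == "success" and e["user"] != alert["user"] for e in auth):
        evidence.append("new-account-logon")
    # That account also appearing on another host in the window: lateral movement
    movers = {e["user"] for e in auth if e["user"] != alert["user"]}
    if any(e["user"] in movers and e["host"] != alert["host"] and in_window(e) for e in auth_log):
        evidence.append("lateral-movement")
    if any(e["dst"] not in KNOWN_GOOD_DST for e in proxy):
        evidence.append("unknown-destination")
    if any(e["bytes_out"] >= 50_000_000 for e in proxy):  # assumed bulk-egress cut-off
        evidence.append("bulk-egress")
    label = "breach" if len(evidence) >= 3 else "threat" if evidence else "noise"
    return label, evidence, auth + proxy


def dwell_days(alert, related, detected_at):
    """Whole days from the earliest correlated evidence to when the alert was acted on."""
    first = min([ts(alert["ts"])] + [ts(e["ts"]) for e in related])
    return (ts(detected_at) - first).days
```

Running `contextualize(ENDPOINT_ALERT, AUTH_LOG, PROXY_LOG)` on the sample yields the label "breach" with all four evidence items, and the dwell time counted from the first correlated logon is 47 days if the alert is only validated on 2016-01-15, even though the endpoint alert itself fired on 2015-11-30.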
By Scott Raspa