Maksim Kabakou - Fotolia

Security Think Tank: Reducing cyber attacker dwell time is critical

Why is reducing cyber attacker dwell time important, and how should it be tackled?

Imagine a burglar having the run of a house safe in the knowledge the owner is on holiday for a week and the alarm isn’t working; they are far more likely to explore the property in depth to pick off the most valuable items.

IT system breaches should be viewed in the same context. The longer it takes to detect an attack, the worse the consequences, whether that means larger amounts of confidential data being compromised, more funds stolen, or greater havoc being wreaked on the enterprise infrastructure – and potentially the systems of partners, suppliers and customers being infiltrated. 

In addition, the damage to an organisation’s reputation as a result of the hack will be longer-lasting and more business critical. This is why it is crucial to reduce intruder dwell time.

Start with good basic security. Fundamental security controls, such as regular patching and security updates, two-factor authentication for system logins and restricting administration access make it more difficult for a prospective hacker to access the system, increasing the likelihood that they will look elsewhere for an easier target.

Hardening servers, for example using encryption, authentication and firewalls, applies more rigid security layers and makes them less vulnerable to attacks. It also reduces the chance of a kill chain, whereby a series of events is initiated that results in the organisation’s infrastructure being fatally compromised.

Other preventative measures that help to stop casual attacks, include defence mechanisms specifically designed to identify undesirable behaviour early and with greater reliability. These include on-access scans that, by automatically scanning every time a new system connection occurs, quickly detect malware or other undesirable connections.

However, it is important to acknowledge that, as both technology and hacking techniques grow ever-more sophisticated, breaches will occur from time to time. Taking steps to prevent them happening as far as is possible, is obviously key, but detecting a breach and being ready to tackle it fast and effectively are also critical.

1. Detect that a breach has occurred

This requires installing (and regularly updating) the right detection software, such as security information and event management (SIEM) tools. The objective is to identify attacks and issue warning notifications that a suspected or actual breach has taken place, as well as expel them from the network.

Breach detection should include the ability to shut down the system immediately – firstly to stop the attack spreading but also to allow it to be investigated.

2. Prevent an attack spreading

Good network architecture helps to limit the spread of a virus or malware by isolating individual components and ensuring internal firewalls are in place. (A firewall is no longer a single layer between external and internal networks; internal versions protect more sensitive assets from unnecessary access, which may come from within the corporate network. Often this requires productive applications to be segregated from non-productive systems, or access to sensitive information being restricted to authorised users only.)

This can be supplemented with the proactive addition of network honeypots that tempt attackers into quarantine zones, which limit their ability to go elsewhere within the system. 

3. Identify the source of an attack quickly

The majority of attacks start within the corporate network, for example through employees inserting an untrusted USB device. Continuous endpoint monitoring is a major evolution in security posture, and critical for expedited incident response.

It enables administrators to quickly identify the exact source of the breach, be it an externally facing server or the identity of the specific laptop, inside the network where the breach occurred.

This heightened insight into the endpoint allows both malware and abnormal user behaviour to be detected more quickly. Organisations can reduce dwell time as well as provide forensic evidence that applies context and protects other organisation systems.

4. Engage and educate users

Implementing high tech cyber defence is key to prevent attacks and to protect the organisation from the damage they cause. But they are only effective if users understand the growing risk that advanced threats pose to the organisation.

Educational programmes help security professionals gain greater buy-in from end users, increasing the likelihood of changing risky behaviour. Training also means employees can identify the signs of a breach, such as unexpected performance issues, internet speed drops and flickering screens, as well as regard as suspicious ad hoc information requests from unusual sources.

Again, if employees can quickly detect the signs of an attack on their own systems and report it effectively to the system administrators, this can drastically reduce the dwell time of the attack and thus minimise the risk of disruption.

5. Use past behaviour to predict future attacks

Once inside the network, external attackers may masquerade as an internal source and are usually indistinguishable from legitimate users.

However, analysing a hacker’s behaviours and the routes taken through the system during previous attacks leaves vital clues, letting security professionals predict their future activity and equip themselves to anticipate, identify and isolate the next breach. In other words, a user accessing an application in an unorthodox way is likely to be suspicious.

Going back to the burglar analogy used at the beginning, visitors creeping through the garden and coming in through the back door, while everyone else enjoys a warm welcome at the front of the house, means they are likely to be unwanted. But knowing this means they can be intercepted and a theft prevented.

Read more on Hackers and cybercrime prevention