Five Tips to Reduce Dwell Time

Dwell time is arguably the most accurate indicator of an enterprise’s security.

Key Takeaways
  • Dwell time is a more accurate measure of an enterprise’s security effectiveness than counts of breached systems, because it directly reflects how quickly intrusions are detected and remediated.
  • Attackers increasingly rely on stealthy, low-signal techniques that blend with normal traffic, including DNS exfiltration and covert use of common protocols and social media for command-and-control.
  • Overly sensitive detection schemes generate excessive false positives, while overly insensitive schemes miss true compromises, so tuning for an optimal signal-to-noise balance is essential.
  • Enterprises must monitor both internal and external network traffic to establish a baseline of normal behavior and flag anomalous deviations for deeper investigation.
  • Consistent application of security fundamentals—system hardening, risk analysis, and prioritized patching of critical vulnerabilities—remains key to reducing attacker dwell time.
  • Organizations should operate under an assumption of breach and allocate sufficient resources to detection and response capabilities, not just traditional perimeter and signature-based prevention tools.

Dwell time is arguably the most accurate indicator of an enterprise’s security. It reflects how good you are at finding and eliminating actual breaches. Some other indicators are less reliable. For example, the number of breached systems might indicate that your systems are well protected, or it might mean there are gaps in your ability to identify intrusions. Dwell time, on the other hand, is critical for an attacker to reach their goal, because an attack must go through all the steps of a “Kill Chain”, which takes time. Dwell time typically ranges between 200 and 250 days.

Stealth is the number one tool in an attacker’s arsenal – a breached system should look and behave as normally as possible to avoid detection. To keep their activities under the radar, attackers use common protocols and services to communicate with command-and-control servers, avoiding the attention of common detection methods. Covert channels such as DNS exfiltration, or posting innocuous-looking messages or images to social media to be picked up by the attacker later, are becoming increasingly common ways of evading detection.

Attackers have done a great job authoring malware that is very “low signal” in an effort to stay hidden. Enterprises, on the other hand, end up sorting through all the noise of the various security technologies they have in place to find that signal. This is basic physics: if you design your detection scheme to be too sensitive to the signal, it will get overwhelmed by the noise, giving nothing but endless false positives that erode confidence in the scheme itself. On the flip side, if you design your detection scheme to be too insensitive, you will never find the signal that indicates the compromise.

Below are five basic tips to reduce dwell time.

  1. Enterprises should co-evolve with the attackers and understand that traditional firewalls or signature-based detection methods will do little to protect against the new generation of threats.
  2. As attackers are opting for indirect methods of communication through legitimate services, enterprises should focus their efforts on understanding their “normal” by closely monitoring internal and external traffic on their network. Most enterprises just capture external traffic through web proxies but have no visibility into the internal network.
  3. Once the baseline is established, any deviation from expected behavior should be scrutinized further to look for signs of suspicious activity.
  4. Traditional security best practices such as hardening all systems, performing risk management analysis and consistently prioritizing the patching of critical and vulnerable systems still go a long way in shortening dwell time.
  5. Enterprises should assume that they will be breached and prepare for it, which means that sufficient resources should be allocated into detection and mitigation as opposed to just focusing on prevention. A recent survey of over 300 enterprises conducted by UBM revealed that:
    • 93% of organizations use anti-virus and anti-malware tools
    • 82% use perimeter firewalls
    • 65% use intrusion prevention systems
    • 52% use unified threat management systems
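Tips 2 and 3 above (learn your “normal”, then scrutinize deviations) and the earlier points about DNS-based covert channels and signal-to-noise tuning can be made concrete with a small detector. The following is an added example written for this page, not BlueCat’s code or any product feature: it learns a baseline from a benign window of resolver logs, scores each client’s queries in a later window by how far they deviate from that baseline, and lets you sweep the alert threshold to see the false-positive versus missed-detection trade-off. The log format, IP addresses and domain names are all constructed for the example.

```python
"""Baseline-and-deviation scoring of DNS query logs.

Added example, not BlueCat's code. A baseline window of benign queries
defines "normal" per (client, parent domain); the current window is scored
by how far each client's query pattern deviates from it. Data tunnelled over
DNS tends to show up as many unique, long, high-entropy labels under a single
parent domain, which this score rewards. Log format and values are constructed.
"""
import math
from collections import defaultdict

# Constructed resolver log lines: "<epoch> <client_ip> <qname>".
BASELINE_LOG = """\
1000 10.0.0.5 www.example.com
1001 10.0.0.5 mail.example.com
1002 10.0.0.7 cdn1.static-assets.example
1003 10.0.0.7 cdn2.static-assets.example
1004 10.0.0.5 www.example.com
1005 10.0.0.7 img.static-assets.example
"""

# Constructed current window: two ordinary clients plus one (10.0.0.9) whose
# labels look like hex-encoded chunks under a single parent domain.
CURRENT_LOG = """\
2000 10.0.0.5 www.example.com
2001 10.0.0.5 login.example.com
2002 10.0.0.7 cdn3.static-assets.example
2003 10.0.0.7 cdn4.static-assets.example
2004 10.0.0.9 4a7f9c2e1b0d8e6f.exfil-example.test
2005 10.0.0.9 9d3b1e7c5a2f0e8b.exfil-example.test
2006 10.0.0.9 c1e8f3a6b2d7e9f0.exfil-example.test
2007 10.0.0.9 7b2d4f6a8c0e1f3d.exfil-example.test
"""

FEATURES = ("unique_ratio", "mean_len", "mean_entropy")


def parse_log(text):
    """Turn log text into (timestamp, client, qname) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, client, qname = line.split()
        records.append((int(ts), client, qname.lower().rstrip(".")))
    return records


def shannon_entropy(label):
    """Bits per character of a DNS label; encoded data scores high."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname):
    """Last two labels, e.g. 'a.b.example.com' -> 'example.com'."""
    return ".".join(qname.split(".")[-2:])


def features(records):
    """Per (client, parent domain): uniqueness, label length, label entropy."""
    groups = defaultdict(list)
    for _, client, qname in records:
        groups[(client, parent_domain(qname))].append(qname)
    out = {}
    for key, names in groups.items():
        leftmost = [n.split(".")[0] for n in names]
        out[key] = {
            "unique_ratio": len(set(names)) / len(names),
            "mean_len": sum(len(lab) for lab in leftmost) / len(leftmost),
            "mean_entropy": sum(shannon_entropy(lab) for lab in leftmost) / len(leftmost),
        }
    return out


def baseline(records):
    """Mean of each feature over all (client, parent) groups in the benign window."""
    feats = features(records)
    return {f: sum(v[f] for v in feats.values()) / len(feats) for f in FEATURES}


def score(current_records, base):
    """Sum of relative excess over the baseline mean; below-normal values count 0."""
    return {
        key: sum(max(0.0, v[f] / (base[f] or 1e-9) - 1.0) for f in FEATURES)
        for key, v in features(current_records).items()
    }


def detect(threshold, baseline_log=BASELINE_LOG, current_log=CURRENT_LOG):
    """Return the set of (client, parent) pairs whose deviation score exceeds threshold."""
    base = baseline(parse_log(baseline_log))
    return {key for key, s in score(parse_log(current_log), base).items() if s > threshold}


if __name__ == "__main__":
    # Sweep the threshold to see the sensitivity trade-off: too low and the CDN
    # client is a false positive, too high and the covert channel is missed.
    for threshold in (0.5, 2.0, 10.0):
        print(threshold, sorted(detect(threshold)))
```

At a threshold of 0.5 the CDN client 10.0.0.7 is flagged alongside 10.0.0.9 purely because its labels are a little more random than the baseline, which is the “too sensitive” failure mode; at 2.0 only 10.0.0.9 remains; at 10.0 nothing is flagged at all. In a real deployment the baseline would be learned per client from weeks of internal resolver logs rather than six lines, and a flag is a trigger for investigation, not a verdict.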

BlueCat provides core services and solutions that help our customers and their teams deliver change-ready networks. With BlueCat, organizations can build reliable, secure, and agile mission-critical networks that can support transformation initiatives such as cloud adoption and automation. BlueCat’s growing portfolio includes services and solutions for automated and unified DDI management, network security, multicloud management, and network observability and health.
