Matt Lawrence, Head of Defensive Security, and Dan Green, Head of Solutions, write about why compromise is inevitable – and the practical steps that organisations can take to build a security operating model capable of weathering the storm of cyber threats today.
Despite the evolution of cyber threats, the common practices associated with threat detection and incident response remain largely unchanged.
The failure to adapt or advance means that many organisations rely on processes, procedures, and third-party services which are not able to effectively combat the nature of the threats faced today. This results in many organisations failing to take advantage of the capabilities, tooling, and approaches now available to defensive security professionals.
In this article, we discuss some of the limitations of conventional detection and response services and highlight the characteristics of an effective approach, appropriate for modern cyber threats.
What is the detection and response gap?
The detection and response gap is defined as the time between an organisation identifying indicators of malicious activity or compromise, and undertaking triage, containment, and response activity.
This gap exists for a number of reasons – and it’s becoming more impactful.
Most MSSPs prioritise detection over response, where the containment and eradication of threats is not always included in the service offering and is often handed back to the client, or to a third-party. Where response is included, it is often slow moving, hampered by the absence of joint operating procedures, poorly clarified roles and responsibilities, and a limited understanding of what systems and functions are important to the client’s business.
Further, attacker ‘dwell time’ (the amount of time an attacker spends on a network before attempting to achieve their objective) is falling rapidly, rendering many typical detection and response solutions ineffective. A 2022 report from Mandiant estimated the median dwell time for a ransomware attack in the Americas and EMEA as just 4 days, and there is evidence in the wild of dwell times as short as 90 minutes. Just a few years ago, the standard dwell time was considered to be weeks or months, with attackers persisting for long periods of time before executing an attack. By comparison in its 2020 threat report, Mandiant reported a global median dwell time of 56 days, compared to a 78 day global median dwell time reported in the same publication in 2019.
Whilst falling dwell times were previously seen as positive (i.e. the ability to detect persistent actors was improving) the simple reality is that attackers today are moving much faster. In many ways, this change is due to the ever-increasing maturity of the ransomware ecosystem. It indicates that initial access brokers (IABs) are highly synchronised with ransomware operators and that new information and access is quickly acted upon. There is less need to be stealthy and wait for the right opportunity when ransomware provides such an effective mechanism to “cash out” early.
So what does this mean for threat detection and response? The most advanced and effective security strategies of the previous decade relied on an assumed breach mindset – recognising that compromise was inevitable, and requiring proactive threat hunting for malicious activity inside the network in response. Compromise is still inevitable, and an assumed breach mindset remains essential, but defenders no longer have the luxury of time to identify nascent threats.
Understanding the challenge
To tackle evolving cyber threats, organisation’s must be able to identify critical malicious actions with higher fidelity than ever before, with rapid and decisive containment and response to halt attacks before they can escalate into a full scale compromise.
But above all, organisations should assume that compromise is inevitable – and plan accordingly.
With end-to-end attacks concluding faster than ever before, interception early in the lifecycle of an attack is vital. With so much information in the form of logs and alerts presented to defenders in a typical enterprise environment, it can be very challenging to identify malicious activity with accuracy and filter out the noise.
As attackers operate in the ‘grey space’ where normal activity can seem suspicious in the same way that suspicious activity can seem normal, the only way to counter the threat is to execute clear and consistent analysis and investigations of relevant events and alerts before early indicators of malicious activity can mature, whilst avoiding a noisy excess of alerts and becoming the boy (service) that cries wolf.
Defensive security practitioners today are presented with an abundance of tools and feeds with which to identify malicious activity and vulnerability. But with less time to spend consuming and investigating these feeds, an abundance of tools when not leveraged as part of a cohesive defensive security framework simply results in ‘making the haystack bigger’, with the needle of malicious activity yet harder to find. Attackers will continue to win until it is cheaper and easier to defend than it is to attack.
Overcoming the detection and response gap in five practical steps
We’ve outlined five practical, outcome-based focus areas that organisations should explore in order to build an effective security operations function with the capability to minimise the detection and response gap.
This guidance shares commonalities with industry-recognised security frameworks but differs significantly in its focus on outcomes over compliance, resulting in a security operating model tailored to the specific requirements of the organisation.
1. Ensure good cyber hygiene and continually harden the network to provide a secure baseline.
Security fundamentals continue to provide an essential foundation for more tailored and targeted controls to function effectively. Without a secure baseline, it is impossible to reliably implement more intelligent or targeted controls. A reliable baseline also ensures that the ‘blast radius’ of a compromise can be contained, and that disruptive and destructive cyber attacks do not cripple the business beyond the initial area of infection.
At its core, good cyber hygiene means a well architected and managed network with the security fundamentals in place – for example with tightly controlled identity and access management (ideally with role-based and just-in-time provision of permissions), and robust segregation and separation preventing system-wide compromise.
Organisations should ensure broad visibility of what assets form their network, and understand the various pathways by which resources, systems, and information are accessed. In particular, understanding the level of interconnectivity between network components, and the ways in which cloud and third-party applications are integrated, can highlight the potential impact and scale of a compromise – and illustrate where additional controls are required to mitigate risk.
2. Implement a robust control base and toolset for prevention, detection, and response to support human-driven security operations.
Good visibility of the network, with automated prevention and detection controls across the footprint of the network (in particular covering core infrastructure such as servers and workstations), is necessary to combat the majority of generic threats, with a suitable toolset also providing the context and capability to perform network-wide identification, containment, and response.
While there are many powerful out-of-the-box tools, tuning and tailoring them to deliver specific advantages to defenders will always extract more value than with a generic deployment. Understanding the value of a tool in terms of a specific role it will play, and how its capabilities contribute to the wider security ecosystem, is essential to avoid wasted spending. Where tools already exist that do not present a clear advantage, or can not be leveraged to fill a known gap, organisations should consider removing them.
It is vital that the security stack presents clear, concise, and actionable information for defenders, as well as the capability to remotely collect information and respond to threats across the network. Robust autonomous prevention, detection, and response to specific events is also vital and can alleviate manual overheads, but is not yet a reliable replacement for human intervention when responding to a broader incident or pattern of events.
3. Narrow the field of focus using attack paths to ‘control the battlefield’.
‘Attack paths’ represent the most prevalent paths across your network that an attacker must traverse in order to achieve their objectives and/or cause severe damage to your business operations. In a well-controlled network, there will be a smaller number of clear-cut attack paths which illustrate the most likely ways that an attacker will traverse the network from a logical point of breach.
Realistically, only a subset of security controls will be applicable to these attack paths. This means that high-fidelity detection alerts can be engineered to provide a highly accurate indicator of malicious activity that correlates with a clear attacker objective and associated business impact.
An attack path focused security approach is fully effective where there is a reliable baseline of controls. If the network is too porous, the number of possible attack paths will be too vast for them to be meaningfully utilised to ‘control the battlefield’.
Attack paths are more concerned with understanding your critical business functions and how an attacker can impact them, rather than being a purely technical endeavour focused on protecting critical information assets or ‘crown jewels’. Assets which are not defined as critical from the business perspective can often be critical from an attacker’s perspective in terms of the way they look to traverse the network. Thinking in terms of attack paths can help organisations to redefine what determines asset criticality to better reflect its significance in the security ecosystem.
There will always be areas of the network that are less secure or present more of a challenge in identifying the most prevalent attack paths. However, establishing known unknowns is a valuable step toward improving security posture and can guide future improvement activities as per Points 1 and 2.
4. Integrate first response capabilities and processes to initiate seamless triage and containment.
The majority of incident response services on the market can be best described as ‘post-mortem’, characterised by boots-on-the-ground incident management aligned more with damage limitation, clean-up, and rebuilding than with combating live, ‘hands-on-keyboard’ threats. As a result, it is highly likely that attacks will be discovered in their latter stages, with minimal opportunity to intercept before the damage is done.
By seamlessly integrating triage and initial containment with detection, otherwise referred to as ‘first response’, organisations can reduce the gap between detection and response to tackle nascent threats before they can mature into a full-scale compromise.
JUMPSEC encourages an ‘active’ response mindset – integrating response capabilities between the various vendor solutions and tooling in place, and being prepared to leverage them as an extension of threat detection. Associating clear response use cases with key detections (such as those derived from attack paths) means that decisive, predetermined response actions can be taken to contain and where possible eradicate the threat. Automated countermeasures are the optimal solution, but where this is not possible, prompting an analyst to initiate steps from a predefined playbook can be just as effective and can make the difference between a partial compromise and business-wide catastrophe.
5. Plan, rehearse, and refine your incident response, business continuity, and disaster recovery plans to minimise the business impact of an incident.
A robust playbook of relevant incident scenarios and a well-drilled and practised team can make all the difference in a crisis. Today, the response to a cyber incident is a business-wide undertaking that requires all critical operational functions and senior leadership to effectively communicate and collaborate.
However, even a successful response effort can result in a partial compromise, with an associated impact upon the organisation’s ability to operate at a normal level. It is therefore essential that organisations plan and rehearse not just the response to specific high-risk incident scenarios (such as a full-scale ransomware compromise), but also have a clear understanding of their business continuity plans for key operational functions and their associated digital infrastructure.
To minimise the impact of an incident, organisations should understand their impact tolerances (the maximum tolerable level of disruption to an important business service) and recovery time objectives (the amount of time a business has to restore its processes at an acceptable service level after a disaster to avoid intolerable consequences associated with the disruption) and undertake improvement projects to ensure the risk is sufficiently controlled.
A tailored and engaging crisis management exercise is an excellent trigger for organisations looking to practise not just their response to a cyber incident, but also highlight where additional work is required to understand and improve the operational resilience of the business in relation to key systems. It is common for many organisations, particularly those not in technology-focused industry sectors, to lack an understanding of just how reliant they are on their digital systems and infrastructure.
By focusing on these five core areas and continually evaluating both areas of strength and opportunities for improvement, organisations can minimise the detection and response gap and meaningfully improve their security posture through the ability to prevent, detect, respond, and recover from cyber attacks.
Dan Green
Head of Solutions
As Head of Solutions at JUMPSEC, Dan is responsible for shaping the solutions that JUMPSEC offer, working with our clients to ensure we deliver the outcomes they need.
Matt Lawrence
Head of Defensive Security
As Head of Defensive Security at JUMPSEC, Matt is responsible for shaping and leading the defensive operations team for JUMPSEC.