Bridging The Detection & Response Gap

Despite the evolution of cyber threats, common practices associated with threat detection and incident response remain mostly unchanged. Failure to adapt or advance the software, systems, and approach to combatting attackers means many organisations rely on largely ineffective processes, procedures and third-party services.

Put simply, many organisations are not taking advantage of the capabilities, tooling and approaches now available to defensive security professionals. 

What Is The Detection & Response Gap?

The detection and response gap is the elapsed time between an organisation identifying indicators of malicious activity or compromise, and undertaking triage, containment, and response activity. This gap exists for several reasons – and it’s becoming more impactful. 

Most Managed Security Service Providers (MSSPs) prioritise detection over response. Containment and eradication of threats are not always included in their service offering and are often handed back to the client or a third party. Where response is included, it is often slow, hampered by the absence of joint operating procedures, poorly clarified roles and responsibilities and a limited understanding of what systems and functions are crucial to the client’s business.  

Further, attacker ‘dwell time’ (the amount of time attackers spend on a network before attempting to achieve their objective) is falling rapidly, rendering many typical detection and response solutions ineffective.

A 2022 report from Mandiant estimated the median dwell time for a ransomware attack in the Americas and EMEA as just four days, and there is evidence in the wild of dwell times as short as 90 minutes. A few years ago, standard dwell time was weeks or months, with attackers persisting for long periods before executing an attack. By comparison, in its 2020 threat report, Mandiant reported a global median dwell time of 56 days, compared to a 78-day global median dwell time reported in the same publication in 2019. 

While falling dwell times were previously seen as positive (i.e. as a sign that detection was improving, so attackers were going unnoticed for less time), the simple reality is that attackers today are moving much faster.

In many ways, this change is due to the ever-increasing maturity of the ransomware ecosystem. It indicates that initial access brokers (IABs) are highly synchronised with ransomware operators and that new information and access are acted upon quickly. There is less need to be stealthy and wait for the right opportunity when ransomware provides such an effective mechanism to “cash out” early. 

What does this mean for threat detection and response? In the previous decade, the most advanced and effective security strategies relied on an assumed breach mindset – recognising that compromise was inevitable and required proactive threat hunting for malicious activity inside the network in response.

Compromise is still inevitable, and an assumed breach mindset remains essential, but defenders no longer have the luxury of time to identify nascent threats. 

Understanding The Challenge

To tackle evolving cyber threats, organisations must be able to identify critical malicious actions with higher fidelity than ever before, with rapid and decisive containment and response to halt attacks before they can escalate into full-scale compromise.

Above all, organisations should assume compromise is inevitable – and plan accordingly. As end-to-end attacks conclude faster, interception early in the attack lifecycle is vital. With so much information in the form of logs and alerts presented to defenders in a typical enterprise environment, it can be challenging to accurately identify malicious activity.

The only way to counter threats is to execute clear, consistent analysis and investigation of relevant events and alerts before early indicators of malicious activity can mature, while avoiding a noisy excess of alerts and becoming the boy (service) that cries wolf.

Today, defensive security practitioners are presented with abundant tools and feeds to help identify malicious activity and vulnerability. But with less time to spend consuming and investigating these feeds, an abundance of tools (when not leveraged as part of a cohesive defensive security framework) results in ‘making the haystack bigger’, leaving the needle of malicious activity even harder to find. Attackers will continue to win until it is cheaper and easier to defend than attack.

Overcoming the detection and response gap: five practical steps 

1. Ensure good cyber hygiene and a secure baseline: Security fundamentals continue to provide an essential foundation for more tailored and targeted controls to function effectively. Without a secure baseline, it is impossible to reliably implement more intelligent or targeted controls. A reliable baseline ensures the ‘blast radius’ of a compromise is contained, and that disruptive and destructive cyber attacks don’t cripple the business beyond the initial area of infection.

At its core, good cyber hygiene means a well-architected and managed network with security fundamentals in place: tightly controlled identity and access management (ideally with role-based and just-in-time provision of permissions), and robust segregation and separation preventing system-wide compromise. Organisations should ensure broad visibility of the assets that form their network and understand the pathways by which resources, systems, and information are accessed. In particular, understanding the interconnectivity between network components and how cloud and third-party applications are integrated can highlight the potential impact and scale of a compromise. This also shows where additional controls are required to mitigate risk.

2. Implement robust controls and toolsets to support human-driven security operations: Good network visibility with automated prevention and detection controls is necessary to combat most generic threats, with a suitable toolset providing context and capability to perform network-wide identification, containment and response.

While there are many powerful out-of-the-box tools, tuning and tailoring them to deliver specific advantages for defenders will always extract more value than a generic deployment. Understanding a tool's value in terms of the specific role it will play and how its capabilities contribute to the wider security ecosystem is essential to avoid wasted spending.

The security stack must present clear, concise and actionable information for defenders and the capability to collect information and respond to network threats remotely. Robust autonomous prevention, detection and response to specific events is also vital and can alleviate manual overheads but is not yet a reliable replacement for human intervention when responding to a broader incident or pattern of events.

3. Control the battlefield: ‘Attack paths’ represent the most prevalent paths across your network that attackers must traverse to achieve their objectives. In a well-controlled network, there will be fewer clear-cut attack paths, which illustrate the most likely ways attackers will traverse the network from a logical point of breach.

Realistically, only a subset of security controls will apply to these attack paths. This means high-fidelity detection alerts can be engineered to provide highly accurate indicators of malicious activity that correlate with a clear attacker objective and associated business impact.

An attack path-focused security approach is effective where there is a reliable baseline of controls. If the network is too porous, the number of possible attack paths will be too vast for defenders to ‘control the battlefield’. Thinking in terms of attack paths can help organisations redefine what determines asset criticality, so that it better reflects an asset’s significance in the security ecosystem.

There will always be less secure network areas or areas which present more of a challenge in identifying the most prevalent attack paths. However, establishing ‘known unknowns’ is a valuable step toward improving security posture and can guide future improvement activities.

4. Integrate first response for seamless triage and containment: Most incident response services can be described as ‘post-mortem’, characterised by boots-on-the-ground incident management more aligned with damage limitation, clean-up, and rebuilding than with combating live, ‘hands-on-keyboard’ threats. As a result, attacks will likely be discovered in their latter stages, with minimal opportunity to intercept before damage occurs.

By seamlessly integrating triage and initial containment with detection, otherwise referred to as ‘first response’, organisations can reduce the gap between detection and response to tackle nascent threats before they can mature into full-scale compromise.

We encourage an ‘active’ response mindset - integrating response capabilities between vendor solutions and tooling in place and being prepared to leverage them as an extension of threat detection. Associating clear response use cases with key detections (such as those derived from attack paths) means decisive, predetermined response actions can be taken to contain and (where possible) eradicate the threat. 

Automated countermeasures are the optimal solution. Where this is not possible, prompting analysts to initiate steps from a predefined playbook can be just as effective - and can make the difference between partial compromise and business-wide catastrophe.
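Points 3 and 4 together describe one mechanism: detections engineered along an attack path, with a predetermined response tied to each key detection so that containment follows automatically once progression is confirmed. The following is an added illustration of that mechanism, not code from the article or from Jumpsec. The attack path, the stage and detection names, the playbook actions, the four-hour correlation window and the sample alerts are all constructed for the example; a real deployment would take them from the organisation's own attack-path analysis and tooling.

```python
"""Correlating detections along an engineered attack path and mapping the
confirmed stages to predetermined response actions (hypothetical example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# One hypothetical attack path, ordered as an attacker would have to traverse it.
# Stage names, detection names and playbook actions are constructed for this
# example and are not taken from the article.
ATTACK_PATH = ["initial_access", "credential_access", "lateral_movement", "domain_control"]

# Which engineered detection evidences which stage of the path.
DETECTION_STAGE = {
    "phishing_payload_executed": "initial_access",
    "lsass_memory_read": "credential_access",
    "remote_service_created": "lateral_movement",
    "dcsync_replication_request": "domain_control",
}

# Predetermined response use cases, keyed by the stage whose confirmation triggers them.
PLAYBOOK = {
    "credential_access": ["isolate_host", "reset_user_credentials"],
    "lateral_movement": ["isolate_host", "disable_user_account", "page_on_call_responder"],
    "domain_control": ["disable_user_account", "block_dc_replication", "declare_incident"],
}

WINDOW = timedelta(hours=4)  # assumed: how long an earlier stage stays relevant


@dataclass
class Chain:
    """Progression of one identity along the path: stage -> first time observed."""
    stages: dict = field(default_factory=dict)
    fired: set = field(default_factory=set)  # stages already acted on


def correlate(events):
    """Return [(user, stage, actions)] for detections that confirm progression.

    A detection triggers response only when the same identity has already been
    seen at an earlier stage inside WINDOW, so a lone alert stays informational
    rather than paging anyone (the 'cries wolf' problem the article describes).
    Chains are keyed by user because lateral movement changes host but not identity.
    """
    chains = {}
    responses = []
    for ev in sorted(events, key=lambda e: e["time"]):
        stage = DETECTION_STAGE.get(ev["detection"])
        if stage is None:
            continue  # not part of any engineered path
        chain = chains.setdefault(ev["user"], Chain())
        # Forget stages that fell outside the correlation window.
        chain.stages = {s: t for s, t in chain.stages.items() if ev["time"] - t <= WINDOW}
        chain.stages.setdefault(stage, ev["time"])
        idx = ATTACK_PATH.index(stage)
        preceded = any(s in chain.stages for s in ATTACK_PATH[:idx])
        if preceded and stage in PLAYBOOK and stage not in chain.fired:
            chain.fired.add(stage)
            responses.append((ev["user"], stage, PLAYBOOK[stage]))
    return responses


T0 = datetime(2024, 1, 15, 9, 0)
# Constructed sample telemetry, not real alerts.
SAMPLE_EVENTS = [
    {"time": T0, "host": "ws-014", "user": "j.doe", "detection": "phishing_payload_executed"},
    {"time": T0 + timedelta(minutes=25), "host": "ws-014", "user": "j.doe", "detection": "lsass_memory_read"},
    {"time": T0 + timedelta(minutes=40), "host": "srv-fs01", "user": "j.doe", "detection": "remote_service_created"},
    # A single mid-path alert for another user with no preceding stage: no response.
    {"time": T0 + timedelta(hours=1), "host": "ws-201", "user": "a.smith", "detection": "remote_service_created"},
    # Two days later the earlier stages have aged out, so this alone does not fire.
    {"time": T0 + timedelta(days=2), "host": "ws-014", "user": "j.doe", "detection": "dcsync_replication_request"},
]

if __name__ == "__main__":
    for user, stage, actions in correlate(SAMPLE_EVENTS):
        print(f"{user}: {stage} confirmed -> {', '.join(actions)}")
```

Run on the constructed events, only j.doe's chain fires, once at credential access and once at lateral movement; a.smith's isolated alert and the stale day-two event stay informational. The example applies the same progression rule to every stage for simplicity; in practice some detections are high-fidelity on their own and would carry a stage-specific threshold, and the actions returned would be handed to the tooling (EDR isolation, identity provider, paging) rather than printed.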

5. Plan, rehearse and refine incident response: A robust playbook of relevant incident scenarios and a well-drilled and practised team can make all the difference in a crisis. Today, cyber incident response is a business-wide undertaking, requiring critical operational functions and senior leadership to communicate and collaborate effectively.

However, even a successful response effort can result in partial compromise, with associated impact on the ability to operate normally. Organisations must plan and rehearse the response to specific high-risk incident scenarios (such as a full-scale ransomware compromise) and clearly understand their business continuity plans. 

To minimise incident impact, organisations should understand their impact tolerances (the maximum tolerable disruption to an important business service) and recovery time objectives (the time within which a business must restore its processes to an acceptable service level), and undertake improvement projects to ensure risk is controlled.

A tailored and engaging crisis management exercise is an excellent trigger for organisations looking to practise incident response and highlight where work is required to understand and improve operational resilience. It is common for organisations, particularly in non-technology-focused industry sectors, to underestimate just how reliant they are on their digital systems and infrastructure.  

By focusing on these five core areas and continually evaluating both areas of strength and opportunities for improvement, organisations can minimise the detection and response gap and meaningfully improve their security posture through the ability to prevent, detect, respond, and recover from cyber attacks.

Matt Lawrence is Head of Defensive Security and Dan Green is Head of Solutions at Jumpsec.
