Combating hacker dwell time: Why mean time to detect (MTTD) alone can’t be trusted
MTTD, as things currently stand, cannot be relied upon exclusively as a metric to measure the effectiveness of data breach detection.
Gone are the days of smash-and-grab when it comes to network breaches. There was a time when hackers would breach a network, get whatever they could, and then get out before they got caught, leaving businesses to pick up the pieces, writes Gary Cox, Technical Director for Western Europe, Infoblox.
The tools used by threat actors are now far more sophisticated, allowing them to stay undetected within a target’s network for days, weeks, or even months at a time while they move laterally, harvesting data, stealing credentials, or encrypting data for ransom. This “dwell time” represents a huge risk for businesses, because they cannot fix what they have not yet found.
The industry measure for dwell time - mean time to detect, or MTTD - is not necessarily where the focus should lie. The very thing that makes most threats “advanced” today is the set of methods threat actors use to evade detection, such as emulation, tunnelling, encryption and more.
In fact, the ability to see malicious activity on a network has become so difficult that, according to Verizon’s 2022 Data Breach Investigations Report, “actor disclosure” - where threat actors intentionally reveal themselves - is the top method for “detecting” a breach. That means MTTD, as things currently stand, cannot be relied upon exclusively as a metric to measure the effectiveness of data breach detection. For MTTD to be valuable, businesses need to be doing all they can to identify threats rather than waiting for threats to expose themselves.
Don’t dwell on MTTD
We could say that a more reliable metric of an organisation’s security posture would be mean time to remediate (MTTR). This describes how quickly businesses are able to contain and recover after threats have been revealed or discovered.
After all, there are weaknesses in modern threat designs that can – and should – be exploited by defenders to improve MTTR. Today’s threats have become increasingly dependent on command and control (C2) communications to receive updates while dwelling on a target’s network. As organisations continue to turn to proactive DNS monitoring, they will have more opportunities to nullify a potential threat quickly, regardless of its evasive measures.
However, catching a threat in the act of updating is not the same as proactive detection. So what can businesses do to ensure that they are the ones discovering threat activity, as opposed to simply finding out about them through “actor disclosure” and rushing to take remedial action? If businesses can ensure that they are the ones revealing threats – as opposed to threats revealing themselves when they launch an attack – MTTD could once again prove valuable as a KPI.
Reducing hackers’ dwell time
An organisation’s overall security posture now depends on shared real-time visibility – and if it cannot see or detect a threat, it cannot act. Even with the best remediation practices in place, if an organisation only learns of a threat because the threat actors decide to reveal themselves, the damage has already been done.
Businesses should be focusing on their ability to proactively monitor for activity throughout a threat’s lifecycle, not just when the initial ‘malware’ is being deployed. While businesses still need to make their networks as bulletproof as possible to outside threats, they must also watch intently for any signs of bad traffic or anomalous patterns within the network.
The earlier you see a threat, the better. Tools like Security Information and Event Management systems (SIEMs) can help by collecting and analysing security events from different sources in real time, and Security Orchestration, Automation and Response (SOAR) solutions can aid with some response activities. But neither tool provides any value if it lacks the key information that highlights the significance of one event over another, or that supports the relevant playbook. The real hero here is context. It’s one thing to block threats or send out alerts, but being able to explain why something is a threat, where it is (or was), and more, is the key to real security intelligence.
Leveraging external threat intelligence
Basic security processes and best practices are good, but alone they are not enough. Regular security audits and penetration tests can be deployed to help security teams uncover hidden threats and reduce dwell time. If a business can simulate a real-world attack on a system or network, it can expose its own vulnerabilities and weaknesses and take appropriate action.
This allows security teams to evaluate their existing tools, policies and the level of collaboration seen between different teams. For instance, it may expose how well networking and security teams play together when gaming out a range of threat scenarios. But how valuable is this work if the business lacks the intelligence to discern modern, sophisticated threats?
This is where global threat intelligence becomes crucial. Take suspicious domain detection, for instance. A robust suspicious domain detection system will use real-time threat intelligence to identify and block potentially harmful websites that might be associated with phishing attacks, malware distribution, or other known threats.
There are also DNS security solutions that leverage machine learning algorithms to detect anomalies and potential threats, including advanced phishing methods such as lookalike domains. These tools can identify subtle differences in domain names that might otherwise go unnoticed, such as the use of alternative characters or slight misspellings that mimic legitimate domains.
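As an added illustration of the lookalike-domain checks described above (example code written for this article, not Infoblox’s or any product’s implementation), the following Python scans a constructed DNS query log against a small watchlist of legitimate domains, folding confusable characters and measuring edit distance. The watchlist, the confusables table and the log lines are all constructed samples, and the “last two labels” rule for the registrable domain is a simplification.

```python
# Legitimate domains to protect (constructed sample watchlist).
WATCHLIST = ["examplebank.com", "example.com"]
# Confusable sequences folded to the letters they imitate (partial table; real deployments use a full Unicode confusables list).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "\u0430": "a", "\u043e": "o", "\u0440": "p"}

# Constructed DNS query log: timestamp, client IP, query type, queried name.
SAMPLE_LOG = """\
2024-05-01T10:02:11Z 10.0.0.12 A examplebank.com
2024-05-01T10:03:02Z 10.0.0.44 A exarnplebank.com
2024-05-01T10:04:40Z 10.0.0.44 A login.examplebank.com.secure-update.net
2024-05-01T10:05:01Z 10.0.0.9 A exampelbank.com
2024-05-01T10:05:10Z 10.0.0.9 A wikipedia.org
"""

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(qname):
    """Verdict string for one queried name, or None if it is genuine or unrelated."""
    qname = qname.lower().rstrip(".")
    domain = ".".join(qname.split(".")[-2:])  # registrable part; no public-suffix list
    if domain in WATCHLIST:
        return None
    folded = domain  # fold confusables so 'exarnp1ebank.com' reads as 'examplebank.com'
    for fake, real in CONFUSABLES.items():
        folded = folded.replace(fake, real)
    for legit in WATCHLIST:
        if folded == legit:
            return f"homoglyph lookalike of {legit}"
        if edit_distance(folded, legit) <= 2:
            return f"misspelling of {legit}"
        if legit in qname:  # brand used as a subdomain of an unrelated domain
            return f"{legit} embedded in subdomain of {domain}"
    return None

def scan(log):
    """Return (client, qname, verdict) for every log line classify() flags."""
    hits = []
    for line in log.strip().splitlines():
        _ts, client, _qtype, qname = line.split()
        if verdict := classify(qname):
            hits.append((client, qname, verdict))
    return hits
```

Running `scan(SAMPLE_LOG)` flags three of the five queries; the verdict string is the context a SIEM or SOAR playbook needs to rank the alert, and the client IP ties it back to the host that made the lookup.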
In both cases, external threat intelligence is key to identifying and closing in on threats. If businesses are turning their focus inward, using methods such as penetration testing to uncover internal vulnerabilities, they should do so in a way that pools global threat intelligence to optimise their detection capabilities.
More and more reports, like IBM's “Cost of a Data Breach” report for 2022, highlight the growing cost of data breaches, with the average cost of a breach increasing to $4.96 million in the last 12 months. However, it’s not all bad news. The report also shows that reducing dwell time can significantly reduce the cost of a data breach, with businesses that contain a breach in less than 200 days saving over $1 million on average.
If businesses can expand and reframe their approach to threat detection through proactive discovery, automation, and real-time threat intelligence, they can pull ahead of the global MTTD race and focus on the part of MTTD that actually matters – detecting threats proactively rather than waiting for threats to reveal themselves.