How an organization can reduce cyber dwell time?
What is Dwell time in the cybersecurity world? Dwell time in cybersecurity means the period of time cyber criminals had access to your IT infra, with the power to exfiltrate data or to cause other damage they plan to do. It starts when an attacker enters your system and stays there till they leave themselves after performing the damage or you remove them. Therefore, Dwell Time is determined by adding Mean Time to Detect (MTTD) and Mean Time to Remediate (MTTR) and is usually measured in days.
Nowadays, many of the pragmatic organizations have started believing that even after implementing the finest of the controls, cyberattacks can still occur anytime, and it is important to take preventive measures. Controls to prevent the cyber-attacks are important but they can’t be the only security tactic that you implement, and it is very important to focus on detection, containment & eradication strategies as well to reduce the dwell time and eventually the impact of the breach on your organization.
According to the latest report by Mandiant, with adoption of advanced threat detection solutions, organizations continue to find and contain adversaries faster than in previous years. Over the past decade, there has been a marked reduction in median dwell time, from just over one year (2011) to just under one month (2020). In 2020, the global median dwell time dropped below one month for the first time. Many organizations are now detecting incidents in only 24 days, more than twice as fast as 2019.
While global median dwell time for incidents which were detected internally dropped to just 12 days, incidents with external notification sources came in at 73 days. Important point to note here is, these timings are average time and not the actual Dwell time for all the researched organizations. Also the dwell time depends a lot on the cybersecurity maturity of an organization & the people, process & technologies in place to protect, detect & respond to cyber threats. Many organizations have detected the threats that were present in their environment for more than a year before being discovered.
You may remain hopeful for a minimum dwell time because strict adherence to best practices of Cyber Security and tools may sooner or later detect the attacks present in the infrastructure but the time taken for the detection of the threats is a critical aspect for any organization.
Dwell time is not just a benchmark. It’s a proactive security principle and ideology that drives unified change across all security operations to achieve a common objective. Minimize the opportunity for a threat actor to cause damage to your organization. Our security experts have identified few practices / tips that can help an organization in reducing their dwell time.
Maintain Asset Inventory and Identify Crown jewels of your infrastructure
Maintaining Asset inventory is the first logical step for any organization starting to manage their cyber and privacy risks, because we cannot protect what we can’t see. Organizations should track all hardware / software assets and identify crown jewels of their infrastructure. These are the targets that attackers most frequently want to exploit. More granular control must be implemented on these systems.
Identify & mitigate related open risks
After you have identified “what to protect” in the previous step, the next logical step is to identify the open risks related to these assets & implement the required remediation plan accordingly. These open risks are what an attacker will exploit to gain access.
Elementary Security Control
The elementary step to ensure and implement robust security practice is to implement base controls, such as; preventing unauthorised software installation, restricting the administrative rights, implementing Network segmentation, enabling multi-factor authentication. These controls not only will prevent an attacker from gaining the access but they will also play a trap for the attacker & help an organization improving detection capabilities by raising alarm / recording & forwarding events / notification etc. These controls can then even help in containment or to eradicate the attacker quickly, reducing the dwell time.
Implement Hardening guidelines
Organization should ensure that all servers, workstations and network devices must be hardened before they are introduced for the production usage. Various hardening guidelines provided by recognized security organization like CIS can be referenced to prepare customized guidelines applicable to your infrastructure. Appropriate tools can be leveraged to automate the implementation, validation & enforcement. This makes it extremely difficult for threat actors to even initiate a Kill Chain & even record / log details related to attacker’s activities.
Update all your software regularly
Most of the outbreaks happen because of unpatched vulnerabilities or usage of older versions of software in the environment. Cyber criminals always look for a window and a point of entry to walk in and gain the access of your environment and not updated software may become that point of entry. So, it is necessary that you must maintain all your devices up-to-date and install the updates as soon as they become available.
Deploy ‘Zero Trust’ model
A zero-trust concept assumes that no one can be trusted in the organization network. In this model, meticulous network segmentation is implemented to prevent lateral movement of the threat vector with ease. Along with that each access is scrutinized to identify if it’s authorized & safe. These checks at network level, authentication, authorization level or at posture check level again offers the opportunity to detect the intruder at the early stage.
Granular Visibility by enabling Logging and Monitoring
Organizations should implement robust Logging and Monitoring functionality to have a clear visibility on what is happening in their infrastructure. Entire traffic going in all directions must be logged and monitored to increase the efficiency of the overall monitoring process. Logging and Monitoring helps organizations visualise what is happening in their infrastructure and by analysing the logs organization can detect an anomaly in the environment before it actually does any damage and becomes a security incident. Data collected as logs becomes very handy while managing and troubleshooting any security incidents or during forensics.
Use of Threat Intel
Organizations should subscribe for external threat intel. These feeds provide very valuable information about the major threat actors. These IOCs (Indicator Of Compromise) or TTPs (Tactics, Techniques, and Procedures) are gathered by the service providers after analysing tons of information coming from across the world. Therefore, threat Intel helps in detecting an attacker precisely at the early stage.
Follow sound Incident Response process
Organizations that have drafted & implemented a comprehensive Incident Response process can reduce their dwell time significantly. The logical steps given & clearly defined roles & responsibilities in an IR process enables an organization to react fast & appropriately to contain the threat coming from the attacker & it’s eradication.
Employee Awareness on Information Security
Human factor has been considered as the weakest link in the security chain. However if these humans are trained well & have been equipped with proper awareness about threats & cyber security practices, they can be the first line of defense for an organization. The users can identify the threat / suspicious activities, which may have been missed by techs in place & report back to the security team for further action. Employee awareness even enables them to act responsible & appropriately during an incident situation, thus helping the organization to reduce dwell time.
If you are looking for top cybersecurity consulting companies, which can help you improve the security posture of your organization & enable you to fight the modern cyber threats, then you can definitely trust us. We have a team of experts working for multiple enterprises and helping them to gain cyber security maturity.
Also, we are leading in the category of top VCISO in Delhi NCR because of our great work and latest security strategies. For more information, feel free to contact us and leverage our expertise to increase the security of your organization.