The amount of time that a cyberattacker can lie undiscovered in an organization’s systems or network can range from almost zero to years. Yes, years. It has recently been reported that the European Union’s (EU) Diplomatic Communications system has had thousands of messages intercepted over the past three years. The report says, however, that information marked as confidential and secret was not affected by the hack. Reducing dwell time throughout the "cyber kill chain" is an essential component of reducing the volume of cyberattacks and should be a key focus of enterprises.
There are seven stages in the cyber kill chain (originally developed by Lockheed Martin), and although the starting point for dwell time is frequently debated, Ovum’s view is that it begins with Stage 1, reconnaissance. At this point, an attacker is gathering information to launch a more serious attack and could already be in an organization’s networks and systems through an easily exploitable vulnerability, with a view to launching a more targeted attack. This is classified as a security incident where defenses have been breached but information or systems haven’t been compromised.
Following stage 1, attackers will then create the cyberattack weapon (stage 2, weaponization) and deliver the weapon (stage 3, delivery). Stage 4 (exploitation) is where dwell time picks up again, when a vulnerability is exploited using the recently created weapon. The target organization may have little or no idea that a vulnerability has been exploited and that an attacker is lingering in their systems and networks. This continues through stage 5 (installation), where the attacker installs the weapon, and stage 6 (command and control), where the attacker takes control of the weapon. Even when the attack is taking place, during stage 7 (actions on objectives), the attacker can continue to linger for however long it takes the enterprise to uncover the security breach. The longer that attackers spend in an organization’s environment, the more intelligence they will gather, with the likelihood of further breaches of information, systems, or processes either now or in the future.
Addressing attacker dwell time is important because under the EU General Data Protection Regulation (GDPR), which came into effect in May 2018, organizations must notify the relevant authority within 72 hours of a breach of personal data becoming evident. Having an attacker “dwelling” within your environment for days, weeks, months, or even longer does not give a good impression when it comes to demonstrating that best efforts have been made to protect the data of an EU citizen.
Enterprises must do more to reduce dwell time throughout the stages of the cyber kill chain. Security controls covering people, processes, and technology can be deployed to identify potentially unwanted forays into the organization. For example, technology controls can include deception technology, honeypots, and decoy systems. These are used to tempt attackers into areas in which their operations can be closely monitored, keeping them away from where they can do damage. Mature security functions will also plot possible attack paths to understand how a threat will attempt to navigate their systems and networks during an attack.
No single control can reduce dwell time, however, and a combination of layered security controls is essential.
Trends to Watch 2019: Cybersecurity, INT003-000295 (December 2018)
“Patching is crucial to address the cyber kill chain”, INT003-000286 (November 2018)
“Don’t let incidents and breaches lie undiscovered for months”,INT003-000151 (May 2018)
Maxine Holt, Research Director, Infrastructure Solutions