The cyberattacks reported by the media continue to highlight a common thread – many of the breaches have gone undetected for weeks, months and sometimes years – take the recent Wendy’s breach for example. We call this the Breach Detection Gap (BDG) or dwell time, and it is defined as the time elapsed between the initial breach of a network by an attacker and the discovery of that breach by the victim.
The latest report from FireEye cites dwell time as 146 days on average globally, and a whopping 469 days for the EMEA region. According to a Trustwave Report, 81% of reported intrusions are not detected by internal security processes but rather by news reports, law enforcement notifications, or external fraud monitoring. Unfortunately this trend does not show signs of slowing as internal security processes are unable to keep up with increasingly sophisticated and pervasive threats.
A closer look at some high profile breaches
The Wendy’s breach we recently blogged about is a good example. The breach started in the Fall of 2015; was initially reported by branches in February 2016; was announced in May 2016 citing 300 location impacted; with hundreds more of their locations in fact breached and only discovered/reported in early July – 1,025 total to be exact. The examples below offer a snapshot of additional high profile real-world attacks and the length of time elapsed before the breach was discovered. These well documented incidents cost the organizations affected millions in losses, regulatory fines and brand reputation.
Table 1: Breach Detection Gap Examples
Known as “persistent compromises” there are many motives for attackers trying to maintain stealthy long term access to a network. Whereas loud, transient attacks like crypto-locker, web defacement, denial of service, or smash and grabs can be easy to identify due to the immediate effect they have, persistent threats meet their objectives by maintaining stealthy long term access to the network.
Table 2: Persistent vs Non-persistent Compromises
While access may be obtained within seconds or minutes depending on the vulnerability exploited, mapping and navigating a large or complicated network to find the data or individuals the attacker is looking for can many times take days or weeks. Additionally, monitoring users on the newly compromised network for a period of time to learn internal operations is essential to an attacker’s success, as was demonstrated in the Sony attack. This however also gives network defenders an opportunity to disrupt and counter.
Closing the Gap with Threat Hunting
Although the BDG problem is complex, it exists primarily for two reasons:
- The growing sophistication of modern attackers.
- Current real-time security processes are ineffective at detecting post-compromise activity, especially as time passes after the initial attack.
The BDG problem has become so pervasive that many argue organizations should operate under the assumption that their respective networks will be penetrated, if they aren’t already. The U.S. Department of Defense adopted this premise several years ago, and in response, created “hunt teams”, which, at a basic level, consisted of trained incident responders and analysts who proactively and iteratively search critical networks and/or historical log data for signs of a missed compromise.
Threat hunting is differentiated from real-time intrusion detection, which works to prevent or detect attacks early in the attack cycle, by instead utilizing post-compromise detection techniques. Hunting is on the spectrum of incident response activities except it is done proactively, before you know there is a problem. The goal is to reduce the dwell time of attackers and remove them before they can cause further damage.
Download our white paper The Breach Detection Gap and Strategies to Close It to lean how threat hunting can help you identify and stop persistent compromises.