The Latest BlueCat Networks News
Five Tips to Reduce Dwell Time
Posted: Mon Aug 08, 2016 09:17:32 AM
Written by Cuneyt Karul, Scott Penney and Humayun Wahab
Dwell time is arguably the most accurate indicator of an enterprise’s security posture: it measures how good you are at finding and eliminating actual breaches. Other indicators are less reliable. For example, the number of breached systems might indicate that your systems are well protected, or it might mean there are gaps in your ability to identify intrusions. Dwell time, on the other hand, is critical to an attacker reaching their goal, because an attack must go through all the steps of a “Kill Chain”, and that takes time. Dwell time typically ranges from 200 to 250 days.
Stealth is the number one tool in an attacker’s arsenal: a breached system should look and behave as normally as possible to avoid detection. To keep their activities under the radar, attackers use common protocols and services to communicate with Command and Control centers, avoiding the attention of common detection methods. Covert channels such as DNS exfiltration, and posting innocuous-looking messages or images to social media to be picked up by the attacker later, are becoming increasingly common ways of avoiding detection.
Attackers have done a great job of authoring malware that is very “low signal” in an effort to stay hidden. Enterprises, on the other hand, end up sorting through all the noise of the various security technologies they have in place to find that signal. This is basic physics: if you design your detection scheme to be too sensitive to the signal, it will be overwhelmed by the noise, giving nothing but endless false positives that erode confidence in the scheme itself. On the flip side, if you design your detection scheme to be too insensitive, you will never find the signal that indicates the compromise.
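The two points above, DNS as a covert channel and the sensitivity trade-off of a detection scheme, can be made concrete with a small detector run over query logs. The following is an added example written for this article, not code from BlueCat or from the original post. It assumes a constructed log format of "timestamp client query-name query-type" per line, and the heuristics and thresholds (label length, character entropy, digit ratio, record type) are illustrative choices, not tuned values. The point is that the same scorer behaves very differently depending on where the flagging threshold sits: set it too low and ordinary names such as a long portal hostname or "ns1" trip it, set it too high and the encoded-looking TXT queries slip by.

```python
import math
import re
from collections import Counter

# Constructed sample query log (not real traffic). Assumed format for this
# example: "<timestamp> <client-ip> <query-name> <query-type>", one query per line.
SAMPLE_LOG = """\
2016-08-08T09:00:01Z 10.1.2.3 www.example.com A
2016-08-08T09:00:02Z 10.1.2.3 mail.example.com MX
2016-08-08T09:00:03Z 10.1.2.4 cdn-static-assets.example.net A
2016-08-08T09:00:04Z 10.1.2.5 4a7f1c9e2b3d8e6f0a1b2c3d4e5f6a7b.tunnel.example.org TXT
2016-08-08T09:00:05Z 10.1.2.5 9f8e7d6c5b4a39281706f5e4d3c2b1a0.tunnel.example.org TXT
2016-08-08T09:00:06Z 10.1.2.6 updates.example.com A
2016-08-08T09:00:07Z 10.1.2.7 security-awareness-training-portal.example.com A
2016-08-08T09:00:08Z 10.1.2.3 ns1.example.com A
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s):
    """Shannon entropy in bits per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."), "qtype": qtype}


def score_query(rec):
    """Heuristic score; higher means the name looks more like encoded data.

    Each heuristic contributes 1.0 so the threshold is easy to reason about.
    The thresholds below are illustrative assumptions, not tuned values.
    """
    labels = rec["qname"].split(".")
    # Look only at labels in front of the last two (e.g. "example.com"),
    # which is where a DNS tunnel places its encoded payload.
    head = labels[:-2] if len(labels) > 2 else []
    longest = max(head, key=len) if head else ""
    score = 0.0
    if len(longest) >= 24:                       # unusually long label
        score += 1.0
    if shannon_entropy(longest) >= 3.5:          # near-uniform character mix
        score += 1.0
    if longest and sum(ch.isdigit() for ch in longest) / len(longest) >= 0.3:
        score += 1.0                             # hostnames rarely carry many digits
    if rec["qtype"] in ("TXT", "NULL"):          # record types that carry free-form data
        score += 1.0
    return score


def flag_queries(log_text, threshold):
    """Return [(qname, score)] for every parsable query scoring at or above threshold."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = score_query(rec)
        if s >= threshold:
            flagged.append((rec["qname"], s))
    return flagged


def suspicious_clients(log_text, threshold):
    """Count flagged queries per client; a tunnel needs many queries, so volume matters."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and score_query(rec) >= threshold:
            counts[rec["client"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for threshold in (1.0, 2.0, 3.0):
        hits = flag_queries(SAMPLE_LOG, threshold)
        print(f"threshold {threshold}: {len(hits)} flagged")
        for qname, s in hits:
            print(f"  {s:.1f}  {qname}")
    print("clients at threshold 3.0:", suspicious_clients(SAMPLE_LOG, 3.0))
```

Run as a script, it prints the flagged names at three thresholds. At 1.0 the "ns1" label is flagged for its digit ratio alone, and at 2.0 the long training-portal hostname joins the two tunnel-style names; only at 3.0 does the output reduce to the queries that combine length, entropy, digits and a TXT record type, coming from a single client. Per-client aggregation is the other half of the picture, since a real exfiltration channel reveals itself as volume over time rather than as any one query.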
Below are five basic tips to reduce dwell time.
To see the full results of the survey, watch our webinar now: DNS: Are Security & Complexity Really Mutually Exclusive?