Approaching Zero Dwell Time: A Strategy for Finding and Stopping Attackers Before They Do Damage

The trouble with dwell time

Dwell time, the period between when an attack occurs and when it is discovered, continues to be a serious problem for security professionals. The most recent  Ponemon cost of a data breach study estimates the average dwell time for malicious attacks is now at 229 days — a long time for hacker activity to proceed unchecked. In fact, the term “dwell time” is somewhat misleading, since it implies the malware or exploit is sitting idly, waiting for you to find it. On the contrary, dwell time is the criminal hacker’s best friend because it provides a window of opportunity for lateral movement and expanding the scope of their malicious operations.

Lateral movement describes the progressive actions an adversary takes to sustain persistence after gaining access to your network. It enables all sorts of damaging activities, including gaining access to other machines, escalating credentials, exposing information on your network infrastructure and hierarchy,  and exfiltrating data. The bottom line is, the more dwell time, the more potential for serious consequences, some of which were discussed in a previous blog on the causes of dwell time.

To help illustrate how out-of-control dwell times can lead to significant damage, here are actual dwell times from a few high profile breaches we should all remember:

  • Home Depot: 5 months
  • Michaels Stores: 8 months
  • PF Chang’s: 11 months
  • Sony: one year
  • U.S. Office of Personnel Management: one year

The losses incurred in these breaches ranged from scores of millions of records to an estimated 10TB of data lost in the Sony breach.

Steps to reducing dwell time and eliminating lateral movement

Considering the link between highly successful breaches and protracted dwell times, there are critical steps you can and should take to strengthen your defenses and diminish or eliminate dwell time and its consequences.

Step One: Update your endpoint security  prevention

Modern adversaries count on the fact that many organizations continue to rely on legacy or standard security solutions — the kind of technology that is easily bypassed by modern hacker tools. In fact, fileless, malware-free threats now comprise 51 percent of all cyberattacks, according to the 2017 Verizon DBIR (Data Breach Investigations Report). These potentially damaging attacks typically aren’t detected by legacy AV. They “hide in plain sight” by exploiting trusted operating system processes such as Windows Management Instrumentation (WMI) and Windows PowerShell. Reevaluating your security strategy and ensuring you have the most effective security approach possible — one that includes both prevention technology to stop intrusion attempts and full EDR (endpoint detection and response) to automatically detect suspicious activity. Having both capabilities in a single agent is a valuable first step.

Step Two: Proactively hunt for advanced threats

Many organizations have been the victims of breaches, not because they weren’t alerted, but because they had too many alerts to investigate. Over-alerting and an abundance of false positives can result in alert fatigue. If your security solutions are delivering too many false positives, or you are getting alerts with no context and no way to prioritize them, it’s just a matter of time before a critical alert gets missed. A SANS Institute evaluation of CrowdStrike® notes the significance of having “real experts proactively look at what is occurring in your environment and sending detailed alerts to your team when unusual activity happens in the network.” Consider augmenting your internal teams with a security solution that provides hands-on expert threat hunting that can monitor proactively for hidden threats and minimize false positives, while providing prioritization to ensure the most critical alerts are addressed immediately.

Step Three: Ensure security hygiene

Threat vectors that exploit vulnerabilities such as outdated or unpatched systems and software, or unwanted apps, can only work if there are vulnerable targets present. The recent WannaCry ransomware attack that struck in over 150 countries used a Microsoft Windows exploit called EternalBlue (patched by MS17-010) that enables the sharing of files, which is how the ransomware spread. Other threats that exploit vulnerabilities can remain hidden in your environment for long periods of time before becoming active. Organizations that fail to apply patches and updates because they don’t have sufficient visibility or insight across all their endpoints will continue to be subject to such exploits.

A new approach

 The CrowdStrike Falcon® platform offers a wide range of integrated security solutions that meet the criteria outlined above by stopping breaches before an attack can succeed — reducing or eliminating dwell time and the associated lateral movement that can jeopardize your organization’s most valuable assets. The Falcon platform’s key features include:

  • Falcon endpoint protection that combines  next-gen AV, endpoint detection and response (EDR), behavioral analytics, machine learning and managed hunting. CrowdStrike’s cloud-based delivery provides real-time protection online or off, with zero performance impact on endpoints.
  • The Falcon platform includes a  security hygiene solution that provides comprehensive visibility across your environment, delivering real-time information about all active applications, systems and users in your environment. You receive instant alerts when unauthorized systems and applications are identified, allowing you to quickly take action.
  • As part of the CrowdStrike platform,  Falcon OverWatch™ adds a team of expert threat hunters who investigate 24/7 and advise on potential malicious activity in your environment, providing hands-on analysis to augment your in-house security team. Leveraging the vast stores of threat data aggregated in the CrowdStrike Threat Graph™ allows the OverWatch team to deliver actionable information that enables immediate mitigation and reduced time-to-resolution, stopping breaches before dwell time becomes an issue and eliminating lateral movement.

To learn more about how the CrowdStrike Falcon® platform reduces dwell time and stops breaches, take Falcon for a test drive.

Related Content