Bridging The Detection & Response Gap

Despite the evolution of cyber threats, common practices associated with threat detection and incident response remain mostly unchanged. Failure to adapt or advance the software, systems, and approach to combatting attackers means many organisations rely on largely ineffective processes, procedures and third-party services.

Put simply, many organisations are not taking advantage of the capabilities, tooling and approaches now available to defensive security professionals. 

What Is The Detection & Response Gap?

The detection and response gap is the elapsed time between an organisation identifying indicators of malicious activity or compromise, and undertaking triage, containment, and response activity. This gap exists for several reasons – and it’s becoming more impactful. 

Most Managed Security Service Providers (MSSPs) prioritise detection over response. Containment and eradication of threats are not always included in their service offering and are often handed back to the client or a third party. Where response is included, it is often slow, hampered by the absence of joint operating procedures, poorly defined roles and responsibilities, and a limited understanding of which systems and functions are crucial to the client’s business.

Further, attacker ‘dwell time’ (the amount of time attackers spend on a network before attempting to achieve their objective) is falling rapidly, rendering many typical detection and response solutions ineffective.

A 2022 report from Mandiant estimated the median dwell time for a ransomware attack in the Americas and EMEA as just four days, and there is evidence in the wild of dwell times as short as 90 minutes. A few years ago, standard dwell time was weeks or months, with attackers persisting for long periods before executing an attack. By comparison, in its 2020 threat report, Mandiant reported a global median dwell time of 56 days, compared to a 78-day global median dwell time reported in the same publication in 2019. 

While falling dwell times were previously seen as positive (i.e. detection was improving, so attackers were not persisting unnoticed for as long), the simple reality is that attackers today are moving much faster.

In many ways, this change is due to the ever-increasing maturity of the ransomware ecosystem. It indicates that initial access brokers (IABs) are highly synchronised with ransomware operators and that new information and access are acted upon quickly. There is less need to be stealthy and wait for the right opportunity when ransomware provides such an effective mechanism to “cash out” early. 

What does this mean for threat detection and response? In the previous decade, the most advanced and effective security strategies relied on an assumed breach mindset – recognising that compromise was inevitable and required proactive threat hunting for malicious activity inside the network in response.

Compromise is still inevitable, and an assumed breach mindset remains essential, but defenders no longer have the luxury of time to identify nascent threats. 

Understanding The Challenge

To tackle evolving cyber threats, organisations must be able to identify critical malicious actions with higher fidelity than ever before, with rapid and decisive containment and response to halt attacks before they can escalate into full-scale compromise.

Above all, organisations should assume compromise is inevitable – and plan accordingly. As end-to-end attacks conclude faster, interception early in the attack lifecycle is vital. With so much information in the form of logs and alerts presented to defenders in a typical enterprise environment, it can be challenging to accurately identify malicious activity.

The only way to counter threats is to execute clear, consistent analysis and investigation of relevant events and alerts before early indicators of malicious activity can mature, while avoiding a noisy excess of alerts and becoming the boy (or service) that cried wolf.

Today, defensive security practitioners are presented with abundant tools and feeds to help identify malicious activity and vulnerabilities. But with less time to spend consuming and investigating these feeds, an abundance of tools (when not leveraged as part of a cohesive defensive security framework) results in ‘making the haystack bigger’, leaving the needle of malicious activity even harder to find. Attackers will continue to win until it is cheaper and easier to defend than to attack.

Overcoming the detection and response gap: five practical steps 

1. Ensure good cyber hygiene and a secure baseline: Security fundamentals continue to provide an essential foundation for more tailored and targeted controls to function effectively. Without a secure baseline, it is impossible to reliably implement more intelligent or targeted controls. A reliable baseline ensures the ‘blast radius’ of a compromise is contained, and that disruptive and destructive cyber attacks don’t cripple the business beyond the initial area of infection.

At its core, good cyber hygiene means a well-architected and managed network with security fundamentals in place: for example, tightly controlled identity and access management (ideally with role-based and just-in-time provision of permissions), and robust segregation and separation that prevent system-wide compromise. Organisations should ensure broad visibility of the assets that form their network and understand the pathways by which resources, systems, and information are accessed. In particular, understanding interconnectivity between network components and how cloud and third-party applications are integrated can highlight the potential impact and scale of a compromise. This also shows where additional controls are required to mitigate risk.

2. Implement robust controls and toolsets to support human-driven security operations: Good network visibility with automated prevention and detection controls is necessary to combat most generic threats, with a suitable toolset providing the context and capability to perform network-wide identification, containment and response.
While there are many powerful out-of-the-box tools, tuning and tailoring them to deliver specific advantages for defenders will always extract more value than a generic deployment. Understanding a tool's value in terms of the specific role it will play and how its capabilities contribute to the wider security ecosystem is essential to avoid wasted spending.

The security stack must present clear, concise and actionable information for defenders and the capability to collect information and respond to network threats remotely. Robust autonomous prevention, detection and response to specific events is also vital and can alleviate manual overheads but is not yet a reliable replacement for human intervention when responding to a broader incident or pattern of events.

3. Control the battlefield: 'Attack paths' represent the most prevalent paths across your network that attackers must traverse to achieve their objectives. In a well-controlled network, there will be fewer clear-cut attack paths, and these illustrate the most likely ways attackers will traverse the network from a logical point of breach.

Realistically, only a subset of security controls will apply to these attack paths. This means high-fidelity detection alerts can be engineered to provide highly accurate indicators of malicious activity that correlate with a clear attacker objective and associated business impact.

An attack path-focused security approach is effective where there is a reliable baseline of controls. If the network is too porous, the number of possible attack paths will be too vast for defenders to ‘control the battlefield’. Thinking in terms of attack paths can help organisations redefine what determines asset criticality, so that it better reflects an asset's significance in the security ecosystem.

There will always be less secure network areas or areas which present more of a challenge in identifying the most prevalent attack paths. However, establishing ‘known unknowns’ is a valuable step toward improving security posture and can guide future improvement activities.
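As an added illustration of the attack-path idea in step 3 (example code written for this edit, not Jumpsec tooling), the Python below enumerates every loop-free path from assumed breach points to critical assets on a constructed network graph, ranks the intermediate hops by how many attack paths cross them (the choke points where a tuned, high-fidelity detection pays off most), and shows how removing a single hop with a segmentation control shrinks the set of paths. The host names, edges, breach points and critical assets are all placeholders.

```python
from collections import Counter
from itertools import product

# Constructed example network: an edge A -> B means "an attacker who controls A
# can reach B" (e.g. via a trust relationship, a shared credential or an open
# service). Host names are placeholders, not a real environment.
NETWORK = {
    "phish-workstation": ["file-server", "jump-host"],
    "vpn-gateway": ["jump-host"],
    "file-server": ["backup-server"],
    "jump-host": ["domain-controller", "backup-server"],
    "backup-server": ["domain-controller"],
    "domain-controller": [],
}
BREACH_POINTS = ["phish-workstation", "vpn-gateway"]      # logical points of breach
CRITICAL_ASSETS = ["domain-controller", "backup-server"]  # what the attacker is after


def simple_paths(graph, start, goal, path=None):
    """Enumerate every loop-free path from start to goal (depth-first search)."""
    path = (path or []) + [start]
    if start == goal:
        return [path]
    found = []
    for nxt in graph.get(start, []):
        if nxt not in path:  # never revisit a host, so the search terminates
            found.extend(simple_paths(graph, nxt, goal, path))
    return found


def attack_paths(graph=NETWORK, sources=BREACH_POINTS, targets=CRITICAL_ASSETS):
    """All attack paths from any breach point to any critical asset."""
    return [p for s, t in product(sources, targets) for p in simple_paths(graph, s, t)]


def choke_points(paths):
    """Intermediate hops ranked by how many attack paths cross them: the hops where
    a single high-fidelity detection covers the most attacker options."""
    return Counter(hop for p in paths for hop in p[1:-1]).most_common()


def with_control(graph, src, dst):
    """Copy of the graph with the src -> dst hop removed, modelling a segmentation
    or access-control change; compare len(attack_paths(...)) before and after."""
    return {k: [n for n in v if not (k == src and n == dst)] for k, v in graph.items()}
```

On this graph the jump host sits on six of the eight paths, so a tuned detection there (with a predetermined containment action, as step 4 describes) covers most attacker options; cutting the file-server to backup-server hop removes two paths outright.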

4. Integrate first response for seamless triage and containment: Most incident response services can be described as ‘post-mortem’, characterised by boots-on-the-ground incident management more aligned with damage limitation, clean-up, and rebuilding than with combating live, ‘hands-on-keyboard’ threats. As a result, attacks will likely be discovered in their later stages, with minimal opportunity to intercept before damage occurs.
By seamlessly integrating triage and initial containment with detection, otherwise referred to as ‘first response’, organisations can reduce the gap between detection and response and tackle nascent threats before they can mature into full-scale compromise.

We encourage an ‘active’ response mindset - integrating the response capabilities of the vendor solutions and tooling already in place and being prepared to leverage them as an extension of threat detection. Associating clear response use cases with key detections (such as those derived from attack paths) means decisive, predetermined response actions can be taken to contain and (where possible) eradicate the threat.

Automated countermeasures are the optimal solution. Where this is not possible, prompting analysts to initiate steps from a predefined playbook can be just as effective - and can make the difference between partial compromise and business-wide catastrophe.

5. Plan, rehearse and refine incident response: A robust playbook of relevant incident scenarios and a well-drilled and practised team can make all the difference in a crisis. Today, cyber incident response is a business-wide undertaking, requiring critical operational functions and senior leadership to communicate and collaborate effectively.

However, even a successful response effort can result in partial compromise, with associated impact on the ability to operate normally. Organisations must plan and rehearse the response to specific high-risk incident scenarios (such as a full-scale ransomware compromise) and clearly understand their business continuity plans. 

To minimise incident impact, organisations should understand their impact tolerances (the maximum tolerable disruption to an important business service) and recovery time objectives (the time within which a business must restore its processes to an acceptable service level) and undertake improvement projects to ensure risk is controlled.

A tailored and engaging crisis management exercise is an excellent trigger for organisations looking to practise incident response and highlight where work is required to understand and improve operational resilience. It is common for organisations, particularly in non-technology-focused industry sectors, to underestimate just how reliant they are on their digital systems and infrastructure.  

By focusing on these five core areas and continually evaluating both areas of strength and opportunities for improvement, organisations can minimise the detection and response gap and meaningfully improve their security posture through the ability to prevent, detect, respond to, and recover from cyber attacks.

Matt Lawrence is Head of Defensive Security and Dan Green is Head of Solutions at Jumpsec.
