Bridging The Detection & Response Gap

Despite the evolution of cyber threats, common practices associated with threat detection and incident response remain mostly unchanged. Failure to adapt or advance the software, systems, and approach to combatting attackers means many organisations rely on largely ineffective processes, procedures and third-party services.

Put simply, many organisations are not taking advantage of the capabilities, tooling and approaches now available to defensive security professionals. 

What Is The Detection & Response Gap?

The detection and response gap is the elapsed time between an organisation identifying indicators of malicious activity or compromise, and undertaking triage, containment, and response activity. This gap exists for several reasons – and it’s becoming more impactful. 

Most Managed Security Service Providers (MSSPs) prioritise detection over response. Containment and eradication of threats are not always included in their service offering and are often handed back to the client or a third party. Where response is included, it is often slow, hampered by the absence of joint operating procedures, poorly clarified roles and responsibilities and a limited understanding of what systems and functions are crucial to the client’s business.  

Further, attacker ‘dwell time’ (the amount of time attackers spend on a network before attempting to achieve their objective) is falling rapidly, rendering many typical detection and response solutions ineffective.

A 2022 report from Mandiant estimated the median dwell time for a ransomware attack in the Americas and EMEA as just four days, and there is evidence in the wild of dwell times as short as 90 minutes. A few years ago, standard dwell time was weeks or months, with attackers persisting for long periods before executing an attack. By comparison, in its 2020 threat report, Mandiant reported a global median dwell time of 56 days, compared to a 78-day global median dwell time reported in the same publication in 2019. 

While falling dwell times were previously read as a positive sign (i.e. detection was improving, so attackers were being caught sooner), the simple reality is that attackers today are moving much faster.

In many ways, this change is due to the ever-increasing maturity of the ransomware ecosystem. It indicates that initial access brokers (IABs) are highly synchronised with ransomware operators and that new information and access are acted upon quickly. There is less need to be stealthy and wait for the right opportunity when ransomware provides such an effective mechanism to “cash out” early. 

What does this mean for threat detection and response? In the previous decade, the most advanced and effective security strategies relied on an assumed breach mindset – recognising that compromise was inevitable and required proactive threat hunting for malicious activity inside the network in response.

Compromise is still inevitable, and an assumed breach mindset remains essential, but defenders no longer have the luxury of time to identify nascent threats. 

Understanding The Challenge

To tackle evolving cyber threats, organisations must be able to identify critical malicious actions with higher fidelity than ever before, with rapid and decisive containment and response to halt attacks before they can escalate into full-scale compromise.

Above all, organisations should assume compromise is inevitable – and plan accordingly. As end-to-end attacks conclude faster, interception early in the attack lifecycle is vital. With so much information in the form of logs and alerts presented to defenders in a typical enterprise environment, it can be challenging to accurately identify malicious activity.

The only way to counter these threats is to execute clear, consistent analysis and investigation of relevant events and alerts before early indicators of malicious activity can mature, while avoiding a noisy excess of alerts that turns the security function into the boy (or service) that cried wolf.

Today, defensive security practitioners are presented with abundant tools and feeds to help identify malicious activity and vulnerability. But with less time to spend consuming and investigating these feeds, an abundance of tools (when not leveraged as part of a cohesive defensive security framework) results in ‘making the haystack bigger’, leaving the needle of malicious activity even harder to find. Attackers will continue to win until it is cheaper and easier to defend than attack.

Overcoming the detection and response gap: five practical steps 

1. Ensure good cyber hygiene and a secure baseline: Security fundamentals continue to provide an essential foundation for more tailored and targeted controls to function effectively. Without a secure baseline, it is impossible to reliably implement more intelligent or targeted controls. A reliable baseline ensures the ‘blast radius’ of a compromise is contained, and that disruptive and destructive cyber attacks don’t cripple the business beyond the initial area of infection.

At its core, good cyber hygiene means a well-architected and managed network with security fundamentals in place. For example, with tightly controlled identity and access management (ideally with role-based and just-in-time provision of permissions), and robust segregation and separation preventing system-wide compromise. Organisations should ensure broad visibility of assets that form their network and understand the pathways by which resources, systems, and information are accessed. In particular, understanding interconnectivity between network components and how cloud and third-party applications are integrated can highlight the potential impact and scale of a compromise. This also shows where additional controls are required to mitigate risk.

2. Implement robust controls and toolsets to support human-driven security operations: Good network visibility with automated prevention and detection controls is necessary to combat most generic threats, with a suitable toolset providing context and capability to perform network-wide identification, containment and response.
While there are many powerful out-of-the-box tools, tuning and tailoring them to deliver specific advantages for defenders will always extract more value than with a generic deployment. Understanding a tool's value in terms of the specific role it will play and how its capabilities contribute to the wider security ecosystem is essential to avoid wasted spending.

The security stack must present clear, concise and actionable information for defenders and the capability to collect information and respond to network threats remotely. Robust autonomous prevention, detection and response to specific events is also vital and can alleviate manual overheads but is not yet a reliable replacement for human intervention when responding to a broader incident or pattern of events.

3. Control the battlefield: ‘Attack paths’ represent the most prevalent routes across your network that attackers must traverse to achieve their objectives. In a well-controlled network, there will be fewer clear-cut attack paths, and those that remain illustrate the most likely ways attackers will traverse the network from a logical point of breach.

Realistically, only a subset of security controls will apply to these attack paths. This means high-fidelity detection alerts can be engineered to provide highly accurate indicators of malicious activity that correlate with a clear attacker objective and associated business impact.

An attack path-focused security approach is effective where there is a reliable baseline of controls. If the network is too porous, the number of possible attack paths will be too vast for them to ‘control the battlefield’. Thinking in terms of attack paths can help organisations redefine what determines asset criticality to better reflect its significance in the security ecosystem.

There will always be less secure network areas or areas which present more of a challenge in identifying the most prevalent attack paths. However, establishing ‘known unknowns’ is a valuable step toward improving security posture and can guide future improvement activities.

4. Integrate first response for seamless triage and containment: Most incident response services can be described as ‘post-mortem’, characterised by boots-on-the-ground incident management more aligned with damage limitation, clean-up, and rebuilding than with combating live, ‘hands-on-keyboard’ threats. As a result, attacks will likely be discovered in their later stages, with minimal opportunity to intercept before damage occurs.
By seamlessly integrating triage and initial containment with detection, otherwise referred to as ‘first response’, organisations can reduce the gap between detection and response to tackle nascent threats before they can mature into full-scale compromise. 

We encourage an ‘active’ response mindset - integrating response capabilities between vendor solutions and tooling in place and being prepared to leverage them as an extension of threat detection. Associating clear response use cases with key detections (such as those derived from attack paths) means decisive, predetermined response actions can be taken to contain and (where possible) eradicate the threat. 

Automated countermeasures are the optimal solution. Where this is not possible, prompting analysts to initiate steps from a predefined playbook can be just as effective - and can make the difference between partial compromise and business-wide catastrophe.
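Steps 3 and 4 together describe a concrete mechanism: enumerate the attack paths from likely breach points to critical assets, write high-fidelity detections only for hops along those paths, and attach a predetermined first-response action to each such detection. The following is an added example illustrating that mechanism; it is not code from the original article or from Jumpsec. The network graph, host names, accounts, sample events and playbook actions are all constructed for illustration, and `remote_logon` stands in for whatever lateral-movement telemetry an EDR or SIEM actually provides.

```python
"""Attack-path-focused detection wired to predetermined first-response actions.
Added example, not from the original article. Everything below is constructed."""
from dataclasses import dataclass, field

# Constructed network: an edge A -> B means a foothold on A can reach B over an
# admin or remote-logon path. Breach points are where phishing or VPN credential
# theft would plausibly land; critical assets are what an attacker is after.
NETWORK = {
    "ws-012": ["file-srv", "print-srv"],
    "ws-040": ["print-srv"],
    "print-srv": [],
    "file-srv": ["dc-01"],
    "dc-01": ["backup-srv"],
    "backup-srv": [],
}
BREACH_POINTS = {"ws-012", "ws-040"}
CRITICAL_ASSETS = {"dc-01", "backup-srv"}


def attack_paths(graph, sources, targets):
    """Enumerate simple paths from breach points to critical assets (DFS)."""
    found = []

    def walk(node, path):
        if node in targets:
            found.append(list(path))
        for nxt in graph.get(node, []):
            if nxt not in path:  # simple paths only, no cycles
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    for src in sorted(sources):
        walk(src, [src])
    return found


def attack_path_edges(paths):
    """The hops an attacker must traverse; only these get high-fidelity rules."""
    edges = set()
    for p in paths:
        edges.update(zip(p, p[1:]))
    return edges


@dataclass
class Event:
    ts: int      # seconds since the start of the constructed log
    src: str
    dst: str
    user: str
    kind: str    # e.g. "remote_logon", "file_read"


@dataclass
class Alert:
    event: Event
    rule: str
    severity: str
    actions: list = field(default_factory=list)


# Constructed playbook: each key detection carries predetermined response
# actions; the second element names the event field the action applies to.
PLAYBOOK = {
    "lateral_movement_on_attack_path": [
        ("isolate_host", "src"),
        ("disable_account", "user"),
    ],
}


def evaluate(events, path_edges):
    """Turn raw logons into alerts. A hop along an attack path is high severity
    with response actions attached; any other logon stays low-severity context."""
    alerts = []
    for ev in events:
        if ev.kind != "remote_logon":
            continue
        if (ev.src, ev.dst) in path_edges:
            rule = "lateral_movement_on_attack_path"
            actions = [(act, getattr(ev, fld)) for act, fld in PLAYBOOK[rule]]
            alerts.append(Alert(ev, rule, "high", actions))
        else:
            alerts.append(Alert(ev, "remote_logon_off_path", "low"))
    return alerts


def first_response(alerts, now):
    """Dispatch the predetermined actions for high-severity alerts and report the
    detection-to-response gap for each (seconds from the event to containment)."""
    dispatched = []
    for a in alerts:
        if a.severity != "high":
            continue
        for action, target in a.actions:
            dispatched.append((action, target, now - a.event.ts))
    return dispatched


# Constructed sample log: one off-path logon, two hops along the attack path,
# and one non-logon event that the rule ignores.
SAMPLE_EVENTS = [
    Event(0, "ws-040", "print-srv", "jsmith", "remote_logon"),
    Event(60, "ws-012", "file-srv", "jsmith", "remote_logon"),
    Event(120, "file-srv", "dc-01", "svc-backup", "remote_logon"),
    Event(130, "file-srv", "dc-01", "svc-backup", "file_read"),
]
```

Running `first_response(evaluate(SAMPLE_EVENTS, attack_path_edges(attack_paths(NETWORK, BREACH_POINTS, CRITICAL_ASSETS))), now=150)` isolates `ws-012` and `file-srv` and disables the two accounts, while the logon to the print server produces only a low-severity record. The point of the design is the one the article makes: the rule set is small because it is scoped to the hops that matter, so each high-severity alert correlates with a clear attacker objective and can safely carry a predetermined action rather than waiting on manual triage.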

5. Plan, rehearse and refine incident response: A robust playbook of relevant incident scenarios and a well-drilled and practised team can make all the difference in a crisis. Today, cyber incident response is a business-wide undertaking, requiring critical operational functions and senior leadership to communicate and collaborate effectively.

However, even a successful response effort can result in partial compromise, with associated impact on the ability to operate normally. Organisations must plan and rehearse the response to specific high-risk incident scenarios (such as a full-scale ransomware compromise) and clearly understand their business continuity plans. 

To minimise incident impact, organisations should understand their impact tolerances (the maximum tolerable disruption to an important business service) and recovery time objectives (the time within which a business must restore its processes to an acceptable service level), and undertake improvement projects to ensure risk is controlled.

A tailored and engaging crisis management exercise is an excellent trigger for organisations looking to practise incident response and highlight where work is required to understand and improve operational resilience. It is common for organisations, particularly in non-technology-focused industry sectors, to underestimate just how reliant they are on their digital systems and infrastructure.  

By focusing on these five core areas and continually evaluating both areas of strength and opportunities for improvement, organisations can minimise the detection and response gap and meaningfully improve their security posture through the ability to prevent, detect, respond, and recover from cyber attacks.

Matt Lawrence is Head of Defensive Security and Dan Green is Head of Solutions at Jumpsec
