Bridging The Detection & Response Gap

Despite the evolution of cyber threats, common practices associated with threat detection and incident response remain mostly unchanged. Failure to adapt or advance the software, systems and approach used to combat attackers means many organisations rely on largely ineffective processes, procedures and third-party services.

Put simply, many organisations are not taking advantage of the capabilities, tooling and approaches now available to defensive security professionals. 

What Is The Detection & Response Gap?

The detection and response gap is the elapsed time between an organisation identifying indicators of malicious activity or compromise, and undertaking triage, containment, and response activity. This gap exists for several reasons – and it’s becoming more impactful. 

Most Managed Security Service Providers (MSSPs) prioritise detection over response. Containment and eradication of threats are not always included in their service offering and are often handed back to the client or a third party. Where response is included, it is often slow, hampered by the absence of joint operating procedures, poorly clarified roles and responsibilities, and a limited understanding of which systems and functions are crucial to the client’s business.

Further, attacker ‘dwell time’ (the amount of time attackers spend on a network before attempting to achieve their objective) is falling rapidly, rendering many typical detection and response solutions ineffective.

A 2022 report from Mandiant estimated the median dwell time for a ransomware attack in the Americas and EMEA as just four days, and there is evidence in the wild of dwell times as short as 90 minutes. A few years ago, standard dwell time was weeks or months, with attackers persisting for long periods before executing an attack. By comparison, in its 2020 threat report, Mandiant reported a global median dwell time of 56 days, compared to a 78-day global median dwell time reported in the same publication in 2019. 

While falling dwell times were previously seen as positive (i.e. a sign that detection was improving, so attackers were going unnoticed for less time), the simple reality is that attackers today are moving much faster.

In many ways, this change is due to the ever-increasing maturity of the ransomware ecosystem. It indicates that initial access brokers (IABs) are highly synchronised with ransomware operators and that new information and access are acted upon quickly. There is less need to be stealthy and wait for the right opportunity when ransomware provides such an effective mechanism to “cash out” early. 

What does this mean for threat detection and response? In the previous decade, the most advanced and effective security strategies relied on an assumed breach mindset – recognising that compromise was inevitable, and responding with proactive threat hunting for malicious activity inside the network.

Compromise is still inevitable, and an assumed breach mindset remains essential, but defenders no longer have the luxury of time to identify nascent threats. 

Understanding The Challenge

To tackle evolving cyber threats, organisations must be able to identify critical malicious actions with higher fidelity than ever before, with rapid and decisive containment and response to halt attacks before they can escalate into full-scale compromise.

Above all, organisations should assume compromise is inevitable – and plan accordingly. As end-to-end attacks conclude faster, interception early in the attack lifecycle is vital. With so much information in the form of logs and alerts presented to defenders in a typical enterprise environment, it can be challenging to accurately identify malicious activity.

The only way to counter threats is to execute clear, consistent analysis and investigation of relevant events and alerts before early indicators of malicious activity can mature, while avoiding a noisy excess of alerts and becoming the boy (or service) that cries wolf.

Today, defensive security practitioners are presented with abundant tools and feeds to help identify malicious activity and vulnerabilities. But with less time to spend consuming and investigating these feeds, an abundance of tools (when not leveraged as part of a cohesive defensive security framework) results in ‘making the haystack bigger’, leaving the needle of malicious activity even harder to find. Attackers will continue to win until it is cheaper and easier to defend than to attack.

Overcoming the detection and response gap: five practical steps 

1. Ensure good cyber hygiene and a secure baseline: Security fundamentals continue to provide an essential foundation for more tailored and targeted controls to function effectively. Without a secure baseline, it is impossible to reliably implement more intelligent or targeted controls. A reliable baseline ensures the ‘blast radius’ of a compromise is contained, and that disruptive and destructive cyber attacks don’t cripple the business beyond the initial area of infection.

At its core, good cyber hygiene means a well-architected and managed network with security fundamentals in place: for example, tightly controlled identity and access management (ideally with role-based and just-in-time provision of permissions), and robust segregation and separation that prevent system-wide compromise. Organisations should ensure broad visibility of the assets that form their network and understand the pathways by which resources, systems and information are accessed. In particular, understanding the interconnectivity between network components and how cloud and third-party applications are integrated can highlight the potential impact and scale of a compromise. This also shows where additional controls are required to mitigate risk.

2. Implement robust controls and toolsets to support human-driven security operations: Good network visibility with automated prevention and detection controls is necessary to combat most generic threats, with a suitable toolset providing the context and capability to perform network-wide identification, containment and response.

While there are many powerful out-of-the-box tools, tuning and tailoring them to deliver specific advantages for defenders will always extract more value than a generic deployment. Understanding a tool's value in terms of the specific role it will play, and how its capabilities contribute to the wider security ecosystem, is essential to avoid wasted spending.

The security stack must present clear, concise and actionable information for defenders and the capability to collect information and respond to network threats remotely. Robust autonomous prevention, detection and response to specific events is also vital and can alleviate manual overheads but is not yet a reliable replacement for human intervention when responding to a broader incident or pattern of events.

3. Control the battlefield: ‘Attack paths’ are the most prevalent routes across your network that attackers must traverse to achieve their objectives. In a well-controlled network there will be fewer clear-cut attack paths, and those that remain illustrate the most likely ways attackers will traverse the network from a logical point of breach.

Realistically, only a subset of security controls will apply to these attack paths. This means high-fidelity detection alerts can be engineered to provide highly accurate indicators of malicious activity that correlate with a clear attacker objective and associated business impact.

An attack path-focused security approach is effective where there is a reliable baseline of controls. If the network is too porous, the number of possible attack paths will be too vast for defenders to ‘control the battlefield’. Thinking in terms of attack paths can also help organisations redefine what determines asset criticality, so that it better reflects an asset's significance in the security ecosystem.

There will always be less secure network areas or areas which present more of a challenge in identifying the most prevalent attack paths. However, establishing ‘known unknowns’ is a valuable step toward improving security posture and can guide future improvement activities.

4. Integrate first response for seamless triage and containment: Most incident response services can be described as ‘post-mortem’, characterised by boots-on-the-ground incident management more aligned with damage limitation, clean-up and rebuilding than with combating live, ‘hands-on-keyboard’ threats. As a result, attacks will likely be discovered in their later stages, with minimal opportunity to intercept before damage occurs.

By seamlessly integrating triage and initial containment with detection, otherwise referred to as ‘first response’, organisations can reduce the gap between detection and response and tackle nascent threats before they mature into full-scale compromise.

We encourage an ‘active’ response mindset: integrating the response capabilities of the vendor solutions and tooling already in place, and being prepared to leverage them as an extension of threat detection. Associating clear response use cases with key detections (such as those derived from attack paths) means decisive, predetermined response actions can be taken to contain and (where possible) eradicate the threat.

Automated countermeasures are the optimal solution. Where this is not possible, prompting analysts to initiate steps from a predefined playbook can be just as effective, and can make the difference between partial compromise and business-wide catastrophe.

5. Plan, rehearse and refine incident response: A robust playbook of relevant incident scenarios and a well-drilled and practised team can make all the difference in a crisis. Today, cyber incident response is a business-wide undertaking, requiring critical operational functions and senior leadership to communicate and collaborate effectively.

However, even a successful response effort can result in partial compromise, with associated impact on the ability to operate normally. Organisations must plan and rehearse the response to specific high-risk incident scenarios (such as a full-scale ransomware compromise) and clearly understand their business continuity plans. 

To minimise incident impact, organisations should understand their impact tolerances (the maximum tolerable disruption to an important business service) and recovery time objectives (the time within which a business must restore its processes to an acceptable service level), and undertake improvement projects to ensure risk is controlled.

A tailored and engaging crisis management exercise is an excellent trigger for organisations looking to practise incident response and highlight where work is required to understand and improve operational resilience. It is common for organisations, particularly in non-technology-focused industry sectors, to underestimate just how reliant they are on their digital systems and infrastructure.  

By focusing on these five core areas and continually evaluating both areas of strength and opportunities for improvement, organisations can minimise the detection and response gap and meaningfully improve their security posture through the ability to prevent, detect, respond to, and recover from cyber attacks.

Matt Lawrence is Head of Defensive Security and Dan Green is Head of Solutions at Jumpsec.
