Written by: Carolyn Crandall, Chief Deception Officer and CMO – Dark Reading recently reported on a new Defense Advanced Research Projects Agency (DARPA)-funded research project at Georgia Tech aimed at reducing dwell time. The $12.8 million project, known as “Gnomon,” will look to establish new methods for faster threat detection and network cleanup. Funding for this kind of project could not come at a more critical time.
Although median dwell time had been falling steadily over the past few years, the number has plateaued. According to Mandiant's M-Trends research, the global median dwell time fell from 146 days in 2015 to 99 days in 2016. However, it ticked slightly upward last year, reaching 101 days, and the figure remains markedly higher outside the Americas. That is more than enough time for even a moderately capable attacker to gain a full understanding of a network and complete a cyber heist, run a ransomware attack, or disrupt services.
There is perhaps no single metric that organizations should follow more closely and scrutinize more than dwell time, and the reason most enterprises don't is simple: they usually have no idea how long an attacker has been inside. Equally concerning is that this year's Mandiant report found that nearly half of the organizations it responded to went on to experience a subsequent attack within the following year. Detecting the lateral movement of in-network threats can be quite complex; alerts often do fire, but they are lost in a flood of other data feeds. Many organizations are simply unaware of threats in their network and all too often learn too late that they have been breached. Many of those breached will also lack the tools necessary to completely eradicate the threat and prevent the attack from recurring. The remedy lies in early detection, fast response, and full remediation: disrupt the attackers before they can cause damage, close off that avenue of attack, and purge every artifact and persistence mechanism the attacker has hidden.
The Gnomon project is promising. For starters, it is rooted in the stark reality that breaches are inevitable, and it accepts that investing solely in prevention is not practical. The project aims to establish a process that examines the behavior of the devices and systems attached to the network, determines when something exhibits suspicious behavior, and begins remediation immediately upon detection.
The best way to significantly cut dwell time is to adopt an Active Defense built on deception-based detection technology, which is designed to trick an attacker into revealing themselves during early reconnaissance or credential theft. Deception technology deploys decoys, bait, and lures that appear identical to production assets, making an attacker's mission far more difficult. Because no legitimate user or process ever has a reason to touch a decoy, any interaction with one is a high-fidelity signal rather than one more alert in the noise. The right deception solution can change the asymmetry of an attack, knocking attackers off their game and causing them to make mistakes that reveal their presence. What's more, deception methods can gather enough forensic evidence to respond and eradicate the threat quickly and accurately.
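To make the decoy-and-lure idea concrete, here is a small added example (not code from the original post, nor from any Attivo, Mandiant or Gnomon product) of deception-based detection run over constructed log lines. Two decoy accounts (`svc_backup_adm`, `oracle_dba_ro`) are planted where an attacker harvesting credentials would find them, and one decoy host (`10.20.30.99`) exists only to be connected to. Nothing legitimate ever uses them, so a single sighting of any of them in the logs, whether the login succeeded or failed, identifies the attacker's source address and the moment the intrusion could have been cut short. All account names, addresses and log lines are constructed for illustration.

```python
"""Deception-based detection over authentication and firewall logs.

Added example, not from the original article or any vendor product.
Decoy credentials and a decoy host are bait: no legitimate user, script or
service knows about them, so any appearance in the logs is evidence of
reconnaissance or credential theft, not a false positive to triage away.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Bait: decoy accounts seeded into config files, password stores and memory.
DECOY_USERS = {"svc_backup_adm", "oracle_dba_ro"}   # hypothetical names
# Decoy: a host that has no production role at all.
DECOY_HOSTS = {"10.20.30.99"}                        # hypothetical address

# Constructed sample log lines (syslog-style sshd auth lines and a firewall
# CONNECT line). Not real captures; the formats are simplified for the demo.
SAMPLE_LOG = """\
2018-06-04T09:12:01 web01 sshd[1201]: Accepted publickey for deploy from 10.20.1.15 port 52110
2018-06-04T09:13:44 web01 sshd[1209]: Failed password for svc_backup_adm from 10.20.1.77 port 41022
2018-06-04T09:13:50 db02 sshd[3311]: Accepted password for oracle_dba_ro from 10.20.1.77 port 41030
2018-06-04T09:14:02 fw01 kernel: CONNECT src=10.20.1.77 dst=10.20.30.99 dport=445
2018-06-04T09:20:00 web01 sshd[1301]: Accepted publickey for deploy from 10.20.1.15 port 52188
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ "
    r"for (?P<user>\S+) from (?P<src>\S+)"
)
CONN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) kernel: CONNECT src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Alert:
    ts: datetime
    kind: str      # "decoy_credential" or "decoy_host"
    src: str       # address the attacker operated from
    detail: str


def detect(log_text: str) -> List[Alert]:
    """Return one alert per decoy interaction, in log order."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        # A *failed* login as a decoy user is still an alert: merely knowing
        # the username proves the attacker read the bait.
        if m and m["user"] in DECOY_USERS:
            alerts.append(Alert(datetime.fromisoformat(m["ts"]), "decoy_credential",
                                m["src"], f"{m['result']} login as decoy {m['user']} on {m['host']}"))
            continue
        m = CONN_RE.match(line)
        if m and m["dst"] in DECOY_HOSTS:
            alerts.append(Alert(datetime.fromisoformat(m["ts"]), "decoy_host",
                                m["src"], f"connection to decoy host {m['dst']} port {m['dport']}"))
    return alerts


def attacker_sources(alerts: List[Alert]) -> List[str]:
    """Every address that touched a decoy; these are the hosts to isolate."""
    return sorted({a.src for a in alerts})


def first_sighting(alerts: List[Alert]) -> Dict[str, datetime]:
    """Earliest decoy interaction per source: the point at which dwell time
    could have ended had the response been automatic."""
    first: Dict[str, datetime] = {}
    for a in alerts:
        if a.src not in first or a.ts < first[a.src]:
            first[a.src] = a.ts
    return first


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts.isoformat()} {a.kind:16} src={a.src} {a.detail}")
    for src, ts in first_sighting(found).items():
        print(f"isolate {src}: first decoy contact at {ts.isoformat()}")
```

The legitimate `deploy` logins never raise an alert because they never touch bait; the one source that does, `10.20.1.77`, is identified within seconds of its first decoy contact rather than after weeks of dwell time. In a real deployment the same logic would feed a ticketing or network-isolation workflow, and the decoy names would be unique per environment so that an attacker cannot learn to avoid them.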
To avoid falling prey to today's sophisticated attackers, organizations need to embrace more active defense measures such as deception technology. With it, defenders can quickly reveal threats across an ever-changing attack surface, shrink the window an attacker has to operate, and ultimately avoid becoming the victim of a damaging breach. We look to Gnomon to yield fresh insights and concrete examples of how organizations can implement, and benefit from, a stronger and more active cyber defense posture in the future.