February 8, 2017
Aaron Shelmire

Decreasing Dwell Time - How Long Intruders Go Undetected

<p>The evaluation of technical threat intelligence data is a nascent art. When evaluating indicator sources, many focus on counting the number of indicators a source has. The next step is usually to compare the number of true positive alerts the IoCs generate against the number of false positive alerts. This is a good way to determine how much time your analysts will spend evaluating useful alerts versus chasing non-useful ones.</p>
<pre> <img alt="" src="https://cdn.filestackcontent.com/cq0Nr7dQCKN6vyaD07ob" style="width: 943px; height: 176px;"/> Figure 1: IoC Age Bullet Chart </pre>
<p>A very useful statistic for evaluating the effectiveness of your detection and protection efforts is dwell time. Dwell time is the amount of time adversaries have maintained access to your assets, whether infrastructure or data. It is typically measured from the time the adversary activity first began until the time of acknowledged detection. As you introduce new detection and protection initiatives, if they are useful you should see a decrease in dwell time.</p>
<p>Assuming a goal of decreasing dwell time, we can evaluate technical threat intelligence by its freshness. That is, orienting efforts towards the freshest and youngest IoCs should lead to a decrease in dwell time. With that in mind, we have recently been measuring our internal threat research efforts based upon the age of the IoCs collected. For network indicators this age is the difference between the date a domain name was created and the date the domain name was ingested. DynamicDNS domains are removed from the measurement, since the creation date of a dynamic DNS provider's parent zone says nothing about when an attacker set up a subdomain under it.</p>
<p>Comparing the domain age for OSint, Malware Indicators, and Indicator Expansion (Actors Reg.) with dwell time results in the bullet graph in Figure 1 above. Figure 2 below is an annotated version of that graph.</p>
<pre> <img alt="" src="https://cdn.filestackcontent.com/r9tb5ikSdmfpSAq60cVL" style="width: 1299px; height: 519px;"/> Figure 2: Annotated IoC Age Bullet Chart </pre>
<p>The chart (based upon code found <a href="https://bl.ocks.org/mbostock/4061961">here</a>) uses the dwell times from FireEye's <a href="https://www.fireeye.com/current-threats/annual-threat-report/mtrends.html">M-Trends 2016</a> report. In practice an organization should replace the M-Trends median dwell time with its own measured median dwell time.</p>
<p>In order to decrease dwell time, our real goal is to orient efforts towards technical threat intelligence that is "younger" than our dwell time. Based upon our measurements, collecting open source intelligence yields a median IoC age of ~160 days, as displayed in the OSint bar in the figures above.</p>
<p>If we focus efforts on collecting IoCs from malware via a combination of runtime data and malware config dumping, we end up with a median IoC age of 79 days. This age is largely an artifact of collecting the malware: before the data can be extracted, the malware first has to be created by the malicious actor, delivered to the target, and finally collected by the analysts. This category of technical threat intel is shown in the 2nd bar, labeled Malware Ind., in the charts above.</p>
<p>Finally, indicator expansion methods of discovering indicators produce the freshest indicators, with a median age of 2 days. Indicator Expansion refers to taking a known malicious indicator, then determining the combination of useful pivot points, such as nameservers used, registrant email addresses, or other information, that can be used to find other malicious indicators. The simplest form typically presents as multiple domains sharing a single IP address. Relying upon shared IP address mappings also produces the most false positives, because of the large amount of shared hosting infrastructure on the Internet: one IP address on a shared host fronts many unrelated tenants. Indicator Expansion approaches are displayed in the 3rd bar, labeled Actors Reg., in the charts above.</p>
<p>For other measures of age, statistics can be derived by comparing the ingest date against:</p>
<ul><li>PE build date (the compile timestamp in the PE header, which an author can zero or forge, so treat it as a hint rather than ground truth)</li><li>VirusTotal first submission date</li><li>First known date for a malware family</li></ul>
<p>There are still some outliers here. A small number of malicious actors watch for recently retired domain registrations, then re-register those old domains. This activity allows them to sidestep detections based upon newly observed domains. It also biases our measurement, since the recorded creation date of such a domain can predate the actor's use of it by years, which is one reason to report the median age rather than the mean.</p>
<p>In summary, if our goal is to derive the freshest indicators, Indicator Expansion methods can produce indicators that are 2 days old. Malware-based methods of indicator discovery vary with the effort invested, but take longer because of the malware collection step. Finally, OSint indicators are the oldest.</p>
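<p>The age measurement described above (domain creation date versus ingest date, dynamic DNS removed, median per source compared against median dwell time), as an added example written for this page rather than Anomali's own tooling. The indicator records, the dynamic DNS parent list and the source labels are constructed for illustration; the dwell-time constant is the M-Trends 2016 median and is meant to be replaced with your own measured value. The re-registered old domain in the sample shows why the median, not the mean, is the statistic to report.</p>

```python
"""Added example (not Anomali's code): per-source IoC age versus median
dwell time, following the measurement described in the post."""
from dataclasses import dataclass
from datetime import date
from statistics import mean, median

# Median dwell time to compare against. M-Trends 2016 reported 146 days;
# an organization should substitute its own measured median (assumption).
MEDIAN_DWELL_DAYS = 146

# Dynamic DNS parent zones whose subdomains are excluded from the
# measurement. Constructed, partial list for the example only.
DYNAMIC_DNS_PARENTS = {"no-ip.org", "ddns.net", "hopto.org"}


@dataclass(frozen=True)
class DomainIndicator:
    domain: str
    source: str      # chart labels: "OSint", "Malware Ind.", "Actors Reg."
    created: date    # WHOIS creation date of the domain
    ingested: date   # date the indicator entered the platform


def is_dynamic_dns(domain: str) -> bool:
    """True if the domain is, or sits under, a known dynamic DNS parent zone."""
    labels = domain.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in DYNAMIC_DNS_PARENTS for i in range(len(labels)))


def ioc_age_days(ind: DomainIndicator) -> int:
    """IoC age as defined in the post: ingest date minus creation date."""
    return (ind.ingested - ind.created).days


def ages_by_source(indicators):
    """Group ages per source, dropping dynamic DNS domains and records whose
    creation date is after ingestion (bad WHOIS data)."""
    ages = {}
    for ind in indicators:
        if is_dynamic_dns(ind.domain):
            continue
        age = ioc_age_days(ind)
        if age < 0:
            continue
        ages.setdefault(ind.source, []).append(age)
    return ages


def median_age_by_source(indicators):
    return {src: median(v) for src, v in ages_by_source(indicators).items()}


def mean_age_by_source(indicators):
    """Mean is shown only to contrast with the median: one re-registered
    old domain drags it far away from the typical age."""
    return {src: mean(v) for src, v in ages_by_source(indicators).items()}


def younger_than_dwell(median_ages, dwell_days=MEDIAN_DWELL_DAYS):
    """Sources whose median IoC age is below the median dwell time."""
    return sorted(src for src, age in median_ages.items() if age < dwell_days)


# Constructed sample, all ingested on the same day.
INGEST = date(2017, 1, 31)
SAMPLE = [
    DomainIndicator("osint-a.example", "OSint", date(2016, 8, 1), INGEST),
    DomainIndicator("osint-b.example", "OSint", date(2016, 9, 1), INGEST),
    DomainIndicator("osint-c.example", "OSint", date(2016, 8, 24), INGEST),
    DomainIndicator("mal-a.example", "Malware Ind.", date(2016, 11, 15), INGEST),
    DomainIndicator("mal-b.example", "Malware Ind.", date(2016, 11, 10), INGEST),
    DomainIndicator("mal-c.example", "Malware Ind.", date(2016, 11, 13), INGEST),
    DomainIndicator("reg-a.example", "Actors Reg.", date(2017, 1, 29), INGEST),
    DomainIndicator("reg-b.example", "Actors Reg.", date(2017, 1, 30), INGEST),
    # Re-registered old domain: creation date predates the actor's use of it.
    DomainIndicator("reg-old.example", "Actors Reg.", date(2009, 3, 5), INGEST),
    # Dynamic DNS subdomain: excluded, the parent zone's age is meaningless here.
    DomainIndicator("c2.no-ip.org", "Actors Reg.", date(2000, 1, 1), INGEST),
]

if __name__ == "__main__":
    medians = median_age_by_source(SAMPLE)
    for src in sorted(medians):
        print(f"{src:14s} median {medians[src]:>5} days  mean {mean_age_by_source(SAMPLE)[src]:>7.1f}")
    print("sources younger than dwell time:", younger_than_dwell(medians))
```

<p>The dwell-time comparison is a per-source bullet-chart input: sources whose median sits left of the dwell marker are the ones worth investing in. Negative ages are dropped rather than clamped, because a creation date after ingestion means the WHOIS record is wrong, not that the indicator is fresh.</p>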

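<p>The indicator expansion pivot described above, with the shared-hosting false-positive problem handled, as an added example that is not part of the original post or Anomali's platform. The WHOIS and passive DNS records are a constructed snapshot using documentation address ranges; the pivot threshold is an assumed value. The guard generalizes the post's point about shared IP addresses to any pivot value: a registrant email, nameserver or IP that is shared by more domains than the threshold is treated as too common to attribute and is skipped.</p>

```python
"""Added example (not Anomali's code): indicator expansion from a seed
domain over registrant email, nameserver and IP pivots, skipping pivot
values that are too widely shared to be attributable."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainRecord:
    domain: str
    registrant_email: str
    nameservers: frozenset
    ips: frozenset


# Assumed threshold: a pivot value shared by more domains than this is
# treated as shared infrastructure (shared hosting, registrar default NS).
MAX_SHARED = 5

# Constructed WHOIS + passive DNS snapshot; no real infrastructure.
RECORDS = [
    DomainRecord("seed-c2.example", "ops@actor-mail.example",
                 frozenset({"ns1.actor-dns.example"}),
                 frozenset({"198.51.100.7", "203.0.113.9"})),
    DomainRecord("update-c2.example", "ops@actor-mail.example",
                 frozenset({"ns1.actor-dns.example"}), frozenset({"198.51.100.7"})),
    DomainRecord("stage.example", "other@actor-mail.example",
                 frozenset({"ns1.actor-dns.example"}), frozenset({"198.51.100.8"})),
    DomainRecord("dropper.example", "ops@actor-mail.example",
                 frozenset({"ns.registrar.example"}), frozenset({"198.51.100.9"})),
] + [
    # 203.0.113.9 is a shared host with many unrelated tenants.
    DomainRecord(f"tenant{i}.example", f"tenant{i}@isp.example",
                 frozenset({"ns.hoster.example"}), frozenset({"203.0.113.9"}))
    for i in range(6)
]


def build_indexes(records):
    """Reverse indexes from each pivot value to the domains that share it."""
    by_email, by_ns, by_ip = defaultdict(set), defaultdict(set), defaultdict(set)
    for r in records:
        by_email[r.registrant_email].add(r.domain)
        for ns in r.nameservers:
            by_ns[ns].add(r.domain)
        for ip in r.ips:
            by_ip[ip].add(r.domain)
    return by_email, by_ns, by_ip


def expand(seed, records, max_shared=MAX_SHARED):
    """Return ({domain: pivot that found it}, [pivots skipped as shared]).

    Pivots are tried in order of attribution strength (registrant email,
    then nameserver, then IP); a domain keeps the first pivot that hit it.
    """
    by_email, by_ns, by_ip = build_indexes(records)
    rec = next((r for r in records if r.domain == seed), None)
    if rec is None:
        raise ValueError(f"no record for seed {seed}")
    pivots = [(f"registrant:{rec.registrant_email}", by_email[rec.registrant_email])]
    pivots += [(f"ns:{ns}", by_ns[ns]) for ns in sorted(rec.nameservers)]
    pivots += [(f"ip:{ip}", by_ip[ip]) for ip in sorted(rec.ips)]

    found, skipped = {}, []
    for label, domains in pivots:
        if len(domains) > max_shared:
            skipped.append(label)  # shared hosting or registrar-wide value
            continue
        for d in domains:
            if d != seed:
                found.setdefault(d, label)
    return found, skipped


if __name__ == "__main__":
    found, skipped = expand("seed-c2.example", RECORDS)
    for d, pivot in sorted(found.items()):
        print(f"{d:20s} via {pivot}")
    print("skipped as shared:", skipped)
```

<p>Run without the guard (a large <code>max_shared</code>), the same seed pulls in every tenant on the shared host through the IP pivot, which is exactly the false-positive source the post warns about. In production the threshold belongs per pivot type, since a nameserver legitimately serves more domains than a single C2 host does.</p>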