Time
8 hours 28 minutes
Difficulty
Beginner
CEU/CPE
10

Video Transcription

00:01
hello and welcome to the application of the minor attack framework discussion. Today, we're going to be looking at a case study for the persistence phase of the framework. So let's go ahead and jump right in. So the topic of the case study is really dwell time and threat removal. So when we talk about persistence, we're talking about
00:21
a threat actor trying to cement themselves into the network or into a system
00:27
and so dwell time is huge here because the average for that is well over six plus months of time. I think I've seen numbers as high as 300 days and some change,
00:38
and so the well time is something that we want to take seriously. And then, in order to get that dwell, time to go away to remove the threat actor. Of course, there's threat removal,
00:47
so let's look at some numbers. Statistics and things of that nature are always good, So the average containment time in 2017 was five days, so the time it took to contain
01:00
a bad guy does A bang guy was five days
01:04
and this containment time was applicable. Onley after detection, which on average was 66 days. So it took a 66 days to find the Threat actor to detect the activity that was malicious and nature. And then it took another five days to get that done.
01:23
Now average time it takes for hackers to get in
01:26
four hours and 37 minutes, depending on the nation state, it could be much faster. I think Russia is like sub 15 minutes or something like that. So remember, depending on the capabilities and tools that the threat actress disposal will determine that. But on average, if you average out everything, it's four hours and some change.
01:47
A realistic minimum goal is to stop a breach within
01:51
8 to 12 hours. Organizations such as Crowdstrike advocate a full investigation within 10 minutes and complete removal of the Threat actor in 60 minutes. But I believe in some of these cases it is specific to their tool sets. Now, for those of us that are maybe not using vendor specific tools,
02:09
8 to 12 hours is not a bad goal for us to try and detect something, and then from that 120.8 to 12 hours get it out of the network.
02:20
But that means that There are a number of things that we have to consider in this process. And so what should we be looking at? What should we be considering? Well, first off, what capabilities would an organization need to implement to at least meet the minimum 8 to 12 hour cyber response plan? Tom?
02:39
Okay, so that's something that you want to do. Thinking about your organization.
02:45
If you were compromised today and you detected it now,
02:49
would you have the capability to know what system that happened on? Know what the threat actor was doing? Know what they had touched and removed that threat
02:59
in their 8 to 12 hour time.
03:01
Now, once the plan is written for the minimum time, how does an organization then move either in increments or all it wants to get a 60 minute removal time like Crowdstrike is talking about?
03:14
Right. So the first thing we're doing here, how do we get to the minimum? How do we meet that low bar?
03:20
All right. And from there, how do we get to do what this organization is indicating this peak performance? 60 minutes removal time? It sounds like there's some tools and, you know, for pay services there that we have to take advantage of to get that done. Now, do either of these metrics have feasibility based on your organization's cost benefit analysis?
03:40
Again, if you're a flower shop,
03:43
okay, you're 8 to 12 hour response. Praying time, maybe wiping in reloading a system. But does that like women? Reloading of the system mean that you're down for a day. And does that downtime, you know, really replace the cost? Or is the cost higher than the downtown? And so, really,
04:03
you have to do some cost benefit analysis and understand if meeting these goals is worth more than the squeezes, the juice not worth the squeeze is far as a feasibility of these things is 60 minutes.
04:17
Really, where you need to be is an organization or can you live with 12 hours to get a threat? Actor out? Really, we want to try to get a threat actor out ASAP.
04:28
But then that's going to, you know, across this revenue that will have to put into tools that will have to put into research that will have to put into training or a partnership that costs money to get this response time met. Now imagine that you are a threat actor looking to steal high value information from the organization you work for.
04:46
What would you look to steal? And based on the mechanisms discussed up to this point, are any of them feasible?
04:55
Is faras being able to get to that data? Eso you know, anything that we've discussed, like hooking or account creation, stealing of the services, faras like creating a new service and doing things that nature,
05:09
what kind of threat actor do? What could you imagine that they could do to take advantage of your systems? And so take all of these things into account and into consideration and try to come up with a response plan. And what you would be able to do is an organization to
05:26
reduced well time and overall removed the threat from your network.
05:30
So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.

Up Next

Application of the MITRE ATT&CK Framework

This MITRE ATT&CK training is designed to teach students how to apply the matrix to help mitigate current threats. Students will move through the 12 core areas of the framework to develop a thorough understanding of various access ATT&CK vectors.

Instructed By

Instructor Profile Image
Robert Smith
Director of Security Services at Corsica
Instructor