Unmasking hidden threats: The challenge of long-dwell cyberattacks

As cyberattacks become more sophisticated, advanced threat detection continues to play a critical role in safeguarding enterprise environments, particularly against long-standing threats with extended dwell times.

Google Cloud's Nick Richard and Mandiant's Kirstie Failey talk with theCUBE about advanced threat detection.

Google Cloud’s Nick Richard and Mandiant’s Kirstie Failey talk with theCUBE about the impact long-dwell cyberattacks can have on organizations.

Despite technological advances, some threats manage to evade detection for prolonged periods. Cybersecurity teams face the challenge of not only detecting immediate threats, but also uncovering those that remain hidden, which can cause significant and potentially devastating damage. The complexities of long-dwell threats require modern detection tools and advanced threat detection strategies to uncover these threats before they lead to further harm.

“Dwell time over the years has consistently gone down, but there’s always this weird spike between six months and five-plus years of a significant amount of data in our data set to cause a blip,” said Kirstie Failey (pictured, right), principal threat analyst at Mandiant Inc., part of Google Cloud. “We really wanted to look at what is causing that because it’s really great … [that] it’s getting better, but what are we doing to curtail the longstanding stuff?”

Failey and Nick Richard (pictured, left), senior manager at Mandiant Inc. Advanced Practices at Google Cloud, spoke with theCUBE Research’s John Furrier and Savannah Peterson at mWISE 2024, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed the motivations and tactics behind attacks with various dwell times and the impact these attacks can have on organizations. (* Disclosure below.)

Using advanced threat detection to track long-dwell threats

With the aid of modern detection tools, cybersecurity teams can more effectively identify real-time threats. However, long-dwell threats pose a more intricate challenge. These are the threats that remain dormant or go unnoticed in a network for extended periods, often due to advanced evasion tactics used by threat actors, according to Failey.

“If you think about financial actors like FIN7 or FIN6, historically, their whole gig was about going in and staying in the environment to capture all of this data,” she said. “They’re in there for a really long time. They don’t want to be seen; they don’t want to be heard, [and] they don’t want to be noticed.”

In the ransomware space and cybercrime, the goal is to get paid quickly, demonstrating that “the criminal ecosystem is really changing it up,” Failey added.

Continuous monitoring and data analysis are the most effective ways to identify these persistent threats. By gathering intelligence from multiple sources and correlating indicators of compromise, cybersecurity teams can narrow down their investigations to specific threat actors, significantly improving response times, according to Richard.

“We provide analytical context and attribution to frontline intel,” he said. “Our data allows us to quickly narrow down which threat group is responsible, providing investigators with the necessary details to dig deeper and stop the threat.”

Working with other security-related teams within Mandiant enables a continually enriched lifecycle with new information shared and used across Mandiant and Google teams, Richard added.

Despite advancements in detection technologies, the complexity of modern cyberattacks means that some threats still evade detection, according to Failey. Attackers continually refine their techniques, exploiting vulnerabilities that are difficult to patch and can lead to extended dwell times if not addressed promptly.

“They have gotten really savvy and started to evade detection in a lot of ways,” Failey said. “What we have to look at … ‘Is your time to patch for your internal environment the same? And can you be faster than the time to patch for the vendor that has put out a patch?’ Because if your time to patch is not in the same window, then perhaps you’re going to fall into that long-tailed dwell-time period. When you’re thinking of vulnerabilities, think about it a little bit that way.”
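The two measurements the interview keeps returning to, dwell time bucketed so that the "six months to five-plus years" tail is visible, and an organization's time to patch compared against the vendor's patch date, are easy to make concrete. The following is an added example written for this article, not code from Mandiant or Google Cloud; the incident records are constructed, the bucket boundaries (7, 182 and 1826 days) are approximations chosen here, and the 30-day lag threshold is an assumed policy value.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Incident:
    """One investigated intrusion (fields are what a responder would record)."""
    name: str
    first_evidence: date            # earliest attacker activity found in the environment
    detected: date                  # when the intrusion was first detected
    vendor_patch: Optional[date]    # vendor patch date for the exploited flaw, if any
    internal_patch: Optional[date]  # when the organization applied it (None = never)


# Upper bound in days (exclusive) for each bucket; None means open-ended.
# 182 days ~ six months and 1826 days ~ five years are assumed approximations.
DWELL_BUCKETS = [
    ("<1 week", 7),
    ("1 week to 6 months", 182),
    ("6 months to 5 years", 1826),
    ("5+ years", None),
]
LONG_TAIL = {"6 months to 5 years", "5+ years"}


def dwell_days(inc: Incident) -> int:
    """Dwell time: days between first attacker activity and detection."""
    return (inc.detected - inc.first_evidence).days


def dwell_bucket(days: int) -> str:
    """Map a dwell time to the first bucket whose upper bound it falls under."""
    for label, upper in DWELL_BUCKETS:
        if upper is None or days < upper:
            return label
    raise ValueError("unreachable: last bucket is open-ended")


def patch_lag_days(inc: Incident) -> Optional[int]:
    """Days the organization trailed the vendor patch; None if no patch or never applied."""
    if inc.vendor_patch is None or inc.internal_patch is None:
        return None
    return (inc.internal_patch - inc.vendor_patch).days


def long_tail_report(incidents, lag_threshold_days: int = 30):
    """Count incidents per dwell bucket and flag long-tail ones where a vendor
    patch existed but was applied late (beyond the threshold) or never."""
    counts = {label: 0 for label, _ in DWELL_BUCKETS}
    flagged = []
    for inc in incidents:
        bucket = dwell_bucket(dwell_days(inc))
        counts[bucket] += 1
        lag = patch_lag_days(inc)
        patch_existed = inc.vendor_patch is not None
        if bucket in LONG_TAIL and patch_existed and (lag is None or lag > lag_threshold_days):
            flagged.append(inc.name)
    return counts, flagged


# Constructed sample records; names and dates are illustrative only.
SAMPLE_INCIDENTS = [
    Incident("retail-pos-intrusion", date(2019, 3, 1), date(2021, 9, 15),
             date(2019, 2, 15), date(2019, 6, 20)),       # slow patch, long dwell
    Incident("ransomware-fast", date(2024, 5, 1), date(2024, 5, 4),
             date(2024, 4, 20), date(2024, 4, 25)),       # quick detection, quick patch
    Incident("legacy-vpn-appliance", date(2018, 1, 10), date(2024, 2, 1),
             date(2017, 12, 1), None),                     # never patched
    Incident("phished-credentials", date(2023, 11, 2), date(2024, 1, 20),
             None, None),                                  # no vulnerability involved
]

if __name__ == "__main__":
    counts, flagged = long_tail_report(SAMPLE_INCIDENTS)
    for label, n in counts.items():
        print(f"{label:>22}: {n}")
    print("long-tail incidents with late or missing patch:", flagged)
```

Run as a script, the report shows one incident in each bucket and flags the two long-tail cases where a vendor fix existed but the internal patch came 125 days later or not at all; the credential-phishing case sits in the tail of no patch window, so the patch-lag test correctly says nothing about it.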

Here’s the complete video interview, part of SiliconANGLE’s and theCUBE Research’s coverage of mWISE 2024:

(* Disclosure: Google Cloud Security sponsored this segment of theCUBE. Neither Google Cloud Security nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE

Source: siliconangle.com
