Autonomous Detection & Response | How MDR Disrupts the Cyber Kill Chain
The only predictable thing about the cyber threat landscape is that you can always expect it to shift and move even faster than before. Just in the year passed, businesses across the world witnessed a surge in cyber attacks, advanced in both severity and variety. Let’s take a look at some threat-related statistics from the last 12 months:
- More than 3 in every 5 companies are targeted by software supply chain attacks
- In 93% of cases, threat actors can breach company network perimeters to access sensitive resources
- Business Email Compromise (BEC) attacks have cost companies over $43 billion since 2016
- In the first half of 2022, worldwide ransomware attacks totaled over $236 million
Reflecting on the current state of the threat landscape, it is clear that advanced persistent threats (APTs) and financially-motivated cyber criminals are seeing success. A key element to these modern threats is lateral movement or lateral spread – the movement of a threat actor within a compromised network. With this technique, actors are able to secure their foothold and start to move laterally through the remainder of a network to locate, steal, and encrypt sensitive assets and data for ransom.
Examining the Cyber Attack Lifecycle
Threat actors journey through a compromised environment using a defined process called the attack lifecycle, or kill chain. The cyber attack lifecycle is typically defined by the following phases:
- Reconnaissance/Planning – To kickstart the process, threat actors select their targets and perform as much research as they can including data about the target’s network infrastructure, users, and systems. By gathering this information, actors can better exploit their target and leverage any found vulnerabilities.
- Credential Dumping – After performing reconnaissance on their target, threat actors will focus on gaining initial entry into the environment. This is when actors will obtain legitimate credentials through fraudulent means and compromise as many hosts as possible.
- Enumeration – In this phase, threat actors have gained access and need to quickly figure out where they are in the environment, what access they have, and where they can start moving. This is when they will extract machine names, network resources, and more by performing directed queries.
- Lateral Movement Access – This is the most crucial part of the attack lifecycle from the threat actor’s standpoint. Once actors have what they need, they will begin to expand their foothold throughout the network using malicious tools to continuously upgrade their permissions, access critical data and systems, and distribute any malware and toolsets.
- Mission Completion – Post-deployment of any malware or toolsets, modern threat actors are increasingly exfiltrating sensitive data before encrypting them for better leverage over their victim.
The Challenge of Shorter Dwell Times
In a cyber attack campaign, “dwell time” refers to the length of time between an initial breach to the detection of a threat actor. Research shows that threat actors are becoming more efficient, making the overall average timeframe for an attack much shorter than in years before. Gone are the days of dwell time being weeks and months – the main challenge for businesses now is to detect the presence of cyber threats as fast as possible. Many threat campaigns, particularly ransomware campaigns, only last a few hours and actors are often already within a victim’s network, just waiting to deploy.
Unfortunately, security solutions such as traditional SIEMs (security information and event management platforms), next-generation anti-viruses, and anti-malware just aren’t efficient enough when it comes to detecting modern threat actors quickly. Up against shorter dwell times and advanced hacker tradecraft, fast and accurate detection matters most in a strong cybersecurity strategy.
Preventing Lateral Movement Through Autonomous Detection
So, how fast does detection need to happen before it’s too late? Referring back to the cyber attack timeline, the reconnaissance and credential dumping phases become the most critical period as threat actors have not yet moved deep into the compromised network through lateral movement. This is also before they have managed to blend in with normal network traffic or started to “live off the land”, which entails the use native tools and processes to expand their foothold.
It’s often the case that with enough time and resources, threat actors can successfully meet their goals. The main goal then is to prevent the threat actors before they can reach the lateral movement phase and do critical damage. With threat actors becoming increasingly sophisticated, the time between initial intrusion and lateral movement continues to get shorter, making that quick detection time even more important.
When attacks happen, the speed with which an organization is able to detect and respond determines if the threat actors can reach mission completion. This is why organizations rely on SentinelOne’s global Managed Detection and Response (MDR) service, Vigilance Respond. Utilizing SentinelOne’s patented autonomous detection EDR, Vigilance Respond defends networks against cyber attacks instantly and with a higher accuracy than any human team can provide. Vigilance monitors customer environments 24/7/365, hunting for advanced threats and providing faster mean time to response (MTTR) rates.
How Vigilance Respond Disrupts the Cyber Attack Kill Chain
Businesses globally trust Vigilance to provide machine-speed detection technology run by dedicated analysts. Working around-the-clock, Vigilance allows organizations to adapt instantly, and at scale, in today’s ever-shifting threat landscape, closing the gap between intrusion and lateral movement and neutralizing the threat actor before they can begin to spread deep into a target’s systems. Vigilance Respond offers these services to ensure businesses are safeguarded:
- Active threat campaign hunting for APTs
- Alerting and remediation guidance for emerging threats
- Incident-based triage and hunting
- 24/7/365 monitoring, triage, and response
- Security Assessment (Vigilance Respond Pro)
- Digital Forensics Investigation & Malware Analysis (Vigilance Respond Pro)
Today’s threat actors may be moving faster than ever, but that doesn’t mean businesses can’t get ahead of them. Machine-speed detection technology run by dedicated analysts ensures organizations are safeguarded before actors can start moving laterally within their environments to exfiltrate and encrypt sensitive data.