Larry Seltzer
You've Been Hacked, But For How Long?

One of the big themes at the recent RSA Conference was awareness of threats already inside the network. The way you learn about these threats and lower your 'Mean Time To Know' (MTTK) about an intrusion is with profile-based network monitoring.

I first heard the term MTTK for "Mean Time To Know" at the recent RSA Conference. In fact, I heard it a few times, and it struck me as one of the few larger themes of a show that always has a lot of different things going on.

But there had been big news in the weeks before about hacks of newspapers, the hacks being attributed to China. One of the interesting parts of the news was that some of the organizations had been compromised for many months and didn't know.

This is what MTTK refers to: How long is it from when you are compromised to when you find out about it? Part of the message is to admit that you will be compromised. No perimeter or endpoint defense is impenetrable. All good security planning involves layers of security, and one angle on this is to plan on detecting intrusions after hackers have gotten in. A low MTTK is good. One of the intrusions attributed to the Chinese People's Liberation Army Unit 61398 was in place for four years and 10 months. That's a big MTTK.

How do you detect intrusions after they've already passed your anti-intrusion measures? The answer is network monitoring, which is why I heard the term from network monitoring companies like Lancope, with its StealthWatch system, and Fluke, with Visual TruView. Solera DeepSee also takes this approach.

The idea is that APTs resident in your network do things that should be identifiable as suspicious, like opening SSL sessions on nonstandard ports. Some of these products will automatically create profiles of network traffic in order to identify what is normal. Then when something out of the ordinary happens, it's time to alert the administrators.

Obviously the systems have become more sophisticated over the years, especially the analytics, but the basic idea of MTTK isn't new. Here's an 8-year-old Cisco presentation on NetFlow. It asks, "What is an anomaly?" The answer:

  • An event or condition in the network that is identified as a statistical abnormality when compared to typical traffic patterns gleaned from previously collected profiles and baselines.
  • NetFlow allows the user to identify anomalies by producing detailed accounting of traffic flows.

Sounds the same to me.
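The profile-and-compare approach described above (learn what is normal per host from a baseline window, then flag statistical abnormalities such as TLS on a port the host never used) as an added, self-contained example; this is not code from the article or from any of the products it names. The flow records are constructed, and the `app` label is an assumption standing in for what an application-aware exporter or DPI sensor would attach to a flow.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (src, dst, dport, app, bytes). The 'app'
# label stands in for what an application-aware exporter or DPI sensor
# would attach; plain NetFlow v5 does not carry it.
BASELINE = [
    ("10.0.1.5", "203.0.113.10", 443, "tls", 4200),
    ("10.0.1.5", "203.0.113.10", 443, "tls", 3900),
    ("10.0.1.5", "203.0.113.11", 443, "tls", 4500),
    ("10.0.1.5", "10.0.2.20", 445, "smb", 12000),
    ("10.0.1.5", "10.0.2.20", 445, "smb", 11500),
    ("10.0.1.6", "198.51.100.7", 80, "http", 2100),
    ("10.0.1.6", "198.51.100.7", 80, "http", 2300),
]
MONITOR = [
    ("10.0.1.5", "203.0.113.10", 443, "tls", 4100),     # normal
    ("10.0.1.5", "192.0.2.44", 8081, "tls", 3000),      # TLS on an odd port
    ("10.0.1.6", "198.51.100.7", 80, "http", 950000),   # volume spike
    ("10.0.1.6", "10.0.2.20", 445, "smb", 9000),        # host never spoke SMB
]

def build_profile(flows):
    """Per source host: (dport, app) pairs seen and byte-count statistics."""
    pairs, sizes = defaultdict(set), defaultdict(list)
    for src, _dst, dport, app, nbytes in flows:
        pairs[src].add((dport, app))
        sizes[src].append(nbytes)
    return {src: {"pairs": pairs[src], "mean": mean(sizes[src]),
                  "std": pstdev(sizes[src])} for src in pairs}

def find_anomalies(profile, flows, z=3.0):
    """Return (flow, reason) for flows that fall outside the baseline."""
    found = []
    for flow in flows:
        src, _dst, dport, app, nbytes = flow
        prof = profile.get(src)
        if prof is None:
            found.append((flow, "unprofiled host"))
        elif (dport, app) not in prof["pairs"]:
            found.append((flow, f"new {app} on port {dport}"))
        # A zero spread (all baseline flows equal) would divide by zero.
        elif (nbytes - prof["mean"]) / (prof["std"] or 1.0) > z:
            found.append((flow, "byte volume above baseline"))
    return found

if __name__ == "__main__":
    for flow, why in find_anomalies(build_profile(BASELINE), MONITOR):
        print(why, flow)
```

In practice the baseline is rebuilt on a rolling window so that slow drift in legitimate traffic does not become a permanent source of alerts.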

Of course, the idea back in 2005 with NetFlow was to look at traffic at the perimeter, not traffic inside of your network. That's what's relatively new in MTTK: an acknowledgement of the need for internal network intelligence. No longer can you just look at border crossings; you have to be vigilant even on trusted internal paths. You won't find what you don't look for.

It's a shame that this has become one more thing companies must do to provide reasonable protection to their networks. It's an added cost -- one that takes the courage to admit that they have to plan for the failure of their other security investments. But better to make this investment than to explain how you overlooked a hostile intrusion on your network for four years and 10 months.

Larry Seltzer is the editorial director for BYTE, Dark Reading, and Network Computing.
