VI Reflections: Outpacing Attackers with the Help of AI

By grigby1

Attacker dwell time is the time between when a cyberattacker compromises a system and when they are detected. This metric is crucial in the field of cybersecurity, as the longer an attacker remains undetected, the greater the extent of their potential damage. Dwell time may encompass the attacker's navigation throughout a network, escalation of privileges, and exfiltration of data, potentially leading to additional attacks. Attackers are becoming more sophisticated, increasingly carrying out malicious activities sooner than security teams can detect and respond to them. This emphasizes the importance of developing and implementing faster and more effective detection and response solutions. The use of Artificial Intelligence (AI) in such solutions can significantly increase effectiveness.

Sophos' "2023 Active Adversary Report for Tech Leaders" looked at Sophos Incident Response (IR) cases from January to July 2023 and found that the median attacker dwell time decreased from 10 to eight days across all attacks. In 2022, the median dwell time fell from 15 to 10 days. Ransomware, the most common type of attack in the IR cases analyzed, accounting for 69 percent of the investigated cases, fell to a median dwell time of only five days in 2023 from nine days in 2022. The M-Trends 2024 report from Mandiant, based on Mandiant Consulting investigations of targeted attack activity conducted between January 1, 2023 and December 31, 2023, also revealed a significant decrease in the global median attacker dwell time, to 10 days from 16 days in 2022.
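As an added example (not from this article or from the Sophos or Mandiant reports), the following Python computes the statistic both reports summarize: median dwell time per attack type over a set of incident-response case records. The case records, attack-type labels and timestamps are constructed; open cases, where the attacker has not yet been detected, are counted separately rather than folded into the median.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional

# Constructed IR case records for illustration (not from Sophos or Mandiant).
# "compromised" is first attacker access; "detected" is None for a still-open case.
CASES = [
    {"id": "case-01", "type": "ransomware", "compromised": "2023-02-01T08:00:00Z", "detected": "2023-02-06T08:00:00Z"},
    {"id": "case-02", "type": "ransomware", "compromised": "2023-03-10T00:00:00Z", "detected": "2023-03-13T00:00:00Z"},
    {"id": "case-03", "type": "ransomware", "compromised": "2023-04-01T12:00:00Z", "detected": "2023-04-10T12:00:00Z"},
    {"id": "case-04", "type": "ransomware", "compromised": "2023-06-20T09:00:00Z", "detected": None},
    {"id": "case-05", "type": "bec", "compromised": "2023-01-05T00:00:00Z", "detected": "2023-01-15T00:00:00Z"},
    {"id": "case-06", "type": "bec", "compromised": "2023-05-01T00:00:00Z", "detected": "2023-05-21T00:00:00Z"},
]

@dataclass
class Case:
    case_id: str
    attack_type: str
    compromised: datetime
    detected: Optional[datetime]  # None while the intrusion is still undetected

def parse_ts(value: str) -> datetime:
    # fromisoformat() accepts a trailing "Z" only from Python 3.11 on.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def load_cases(records: list) -> list:
    return [Case(r["id"], r["type"], parse_ts(r["compromised"]),
                 parse_ts(r["detected"]) if r["detected"] else None) for r in records]

def dwell_time_days(case: Case, as_of: datetime) -> float:
    """Dwell time = detection minus first compromise, in days. An open case has no
    detection yet, so its dwell time is still growing; measure it as of `as_of`."""
    end = case.detected or as_of
    return (end - case.compromised).total_seconds() / 86400

def median_dwell_by_type(cases: list, as_of: datetime) -> dict:
    """Median dwell time per attack type over closed cases only. Open cases are counted
    but excluded: their final dwell time is unknown and would bias the median down."""
    closed: dict = {}
    still_open: dict = {}
    for c in cases:
        still_open.setdefault(c.attack_type, 0)
        if c.detected is None:
            still_open[c.attack_type] += 1
            continue
        closed.setdefault(c.attack_type, []).append(dwell_time_days(c, as_of))
    return {t: {"median_days": median(v), "closed": len(v), "open": still_open[t]}
            for t, v in closed.items()}
```

With the constructed records, ransomware has a median dwell time of 5 days over three closed cases plus one open case, and BEC a median of 15 days.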

However, even though the dwell time of cyberattacks has fallen, attackers are moving faster to make the most of shorter time windows. Sophos discovered that attackers took, on average, less than a day, about 16 hours, to gain access to Active Directory (AD) systems, one of a company's most critical assets. Because AD manages identity and access to resources across an organization, an attacker who reaches it can readily escalate privileges, log in, and perform a wide range of malicious activities.

AI can help Security Operations Center (SOC) teams outpace adversaries. Decreasing detection time enables faster response, which translates to a shorter operating window for attackers. AI helps reduce the time between detecting a threat and initiating a response by automating the related processes: it can quickly analyze attacks, suggest remediation measures, and automate responses. For example, AI could enhance the detection of phishing and malware by employing Machine Learning (ML) algorithms that analyze the content of emails, the behavior of users, and software activity to identify and prevent threats.
