Dark Reading is part of the Informa Tech Division of Informa PLC



09:29 PM
Larry Seltzer

You've Been Hacked, But For How Long?

One of the big themes at the recent RSA Conference was awareness of threats already inside the network. The way you learn about these threats and lower your ‘Mean Time To Know’ (MTTK) about an intrusion is with profile-based network monitoring.

I first heard the term MTTK for "Mean Time To Know" at the recent RSA Conference. In fact, I heard it a few times, and it struck me as one of the few larger themes of a show that always has a lot of different things going on.

But there had been big news in the weeks before about hacks of newspapers, the hacks being attributed to China. One of the interesting parts of the news was that some of the organizations had been compromised for many months and didn't know.

This is what MTTK refers to: How long is it from when you are compromised to when you find out about it? Part of the message is to admit that you will be compromised. No perimeter or endpoint defense is impenetrable. All good security planning involves layers of security, and one angle on this is to plan on detecting intrusions after hackers have gotten in. A low MTTK is good. One of the intrusions attributed to the Chinese People's Liberation Army Unit 61398 was in place for four years and 10 months. That's a big MTTK.

How do you detect intrusions after they've already passed your anti-intrusion measures? The answer is network monitoring, which is why I heard the term from network monitoring companies like Lancope, with its StealthWatch system, and Fluke, with Visual TruView. Solera DeepSee also takes this approach.

The idea is that APTs resident in your network do things that should be identifiable as suspicious, like opening SSL sessions on nonstandard ports. Some of these products will automatically create profiles of network traffic in order to identify what is normal. Then when something out of the ordinary happens, it's time to alert the administrators.

Obviously the systems have become more sophisticated over the years, especially the analytics, but the basic idea of MTTK isn't new. Here's an 8-year-old Cisco presentation on NetFlow. It asks, "What is an anomaly?" The answer:

  • An event or condition in the network that is identified as a statistical abnormality when compared to typical traffic patterns gleaned from previously collected profiles and baselines.
  • NetFlow allows the user to identify anomalies by producing detailed accounting of traffic flows.

Sounds the same to me.

Of course, the idea back in 2005 with NetFlow was to look at traffic at the perimeter, not traffic inside of your network. That's what's relatively new in MTTK: an acknowledgement of the need for internal network intelligence. No longer can you just look at border crossings; you have to be vigilant even on trusted internal paths. You won't find what you don't look for.
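The profile-then-alert idea described above, applied to internal flows, as an added example (not from the article or from any vendor's product). The flow records are constructed, and the tuple layout, the z-score threshold, and the reason labels are assumptions chosen for illustration.

```python
import statistics

# Constructed flow records (not real traffic): (src, dst, dst_port, bytes).
BASELINE = [
    ("10.0.1.5", "10.0.2.10", 443, 12_000),
    ("10.0.1.5", "10.0.2.10", 443, 15_000),
    ("10.0.1.5", "10.0.2.10", 443, 11_000),
    ("10.0.1.7", "10.0.2.20", 445, 90_000),
    ("10.0.1.7", "10.0.2.20", 445, 110_000),
    ("10.0.1.7", "10.0.2.20", 445, 100_000),
]
OBSERVED = [
    ("10.0.1.5", "10.0.2.10", 443, 13_000),     # matches the profile
    ("10.0.1.5", "10.0.3.99", 8443, 4_000),     # peer/port never profiled
    ("10.0.1.7", "10.0.2.20", 445, 2_500_000),  # volume far above baseline
    ("10.0.1.9", "10.0.2.10", 443, 9_000),      # source with no profile
]

def build_profile(flows):
    """Per-source profile: the (dst, port) pairs seen and their byte counts."""
    profile = {}
    for src, dst, port, nbytes in flows:
        profile.setdefault(src, {}).setdefault((dst, port), []).append(nbytes)
    return profile

def find_anomalies(profile, flows, z_threshold=3.0):
    """Return (flow, reason) for each flow that deviates from its source's profile."""
    alerts = []
    for flow in flows:
        src, dst, port, nbytes = flow
        if src not in profile:
            alerts.append((flow, "unprofiled-source"))
            continue
        history = profile[src].get((dst, port))
        if history is None:
            alerts.append((flow, "new-peer-or-port"))
            continue
        if len(history) < 2:
            continue  # too little data to estimate a deviation
        mean = statistics.mean(history)
        stdev = statistics.stdev(history) or 1.0  # avoid dividing by zero
        if abs(nbytes - mean) / stdev > z_threshold:
            alerts.append((flow, "volume-outlier"))
    return alerts

if __name__ == "__main__":
    for flow, reason in find_anomalies(build_profile(BASELINE), OBSERVED):
        print(reason, flow)
```

Every record here is east-west traffic between internal addresses, so a monitor that only profiles border crossings would see none of it.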

It's a shame that this has become one more thing companies must do to provide reasonable protection to their networks. It's an added cost -- one that takes the courage to admit that they have to plan for the failure of their other security investments. But better to make this investment than to explain how you overlooked a hostile intrusion on your network for four years and 10 months.

Larry Seltzer is the editorial director for BYTE, Dark Reading, and Network Computing.

