Time-based Security - Relevance
One of the fundamental principles of security is to understand the criticality of the asset to be safeguarded, its threat environment, and the risk appetite of the enterprise. The security strategy to protect and defend the asset is planned on that basis; this approach is the same for both physical security and cybersecurity.
The traditional fortress was built with multiple security controls, such as internal and external high walls, moats, guards and watchtowers, based on the criticality of the asset protected and the threat environment. The assumption when designing each of these controls was not that it would never be breached; rather, layers were built to provide resistance and delay the adversary's advance, so that the handlers could respond and bring in the required defensive and offensive capacity when needed.
The architectural concept of layered security, or defense in depth, is adopted from the traditional fortress model. In each of the layers, starting from the perimeter, both detection and prevention controls are enforced. One of the key considerations in the design of this security architecture program is the time-based security approach: the time required to get an indicator of an attack, the time to analyze, the time to respond, the time to mitigate, and the time to return to normalcy.
As an example, consider two scenarios, with the following assumptions:
- The enterprise security team works only one shift, from 8 AM to 5 PM
- All logs are available and correlated, and an excellent security team is engaged
Scenario 1
- The PT team announces a PT activity on the enterprise AD at 3 PM, triggered from a specific, disclosed IP address
- So, in the best-case scenario, the internal security team detects these attack events on AD at around 3.xx PM, responds to the activity within the next few minutes, and the incident is closed by 3.30 PM (approximately)
Scenario 2
- Unannounced intrusion activity by the Red team against a critical server at 5.15 PM
- So, in the best-case scenario, since the security shift ends at 5 PM and resumes only at 8 AM the next morning, these events will be detected only at around 8.30 AM, and the incident is closed by about 9 AM or later, depending on maturity
Considering the above scenarios, the time-based capability of the enterprise to detect and respond to an attack is potentially between 30 minutes and 15 hours (during holidays and weekends the lag could be days). A lag of 15 hours to detect the event may not be acceptable as per the enterprise risk appetite.
To improve the enterprise response capability (based on risk appetite), the options are to extend the security shift hours and/or to enforce stringent security controls and practices to avoid such attacks.
It is important to measure these capabilities periodically so that they remain relevant, compliant, effective and resilient; time-based security is a relevant and critical measure here.
The formula for time-based security is
P(t) > D(t) + R(t)
- P = time the adversary takes to break the controls
- D = time required to detect the attack
- R = time to respond to and mitigate the attack
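The two scenarios above run through the formula P(t) > D(t) + R(t), as an added example that is not from the original article. The shift model is the article's (one shift, 8 AM to 5 PM); the weekday-only calendar and the analyst delays (15 minutes to detect while staffed, 30 minutes of backlog triage after a shift starts, 15 minutes to respond) are assumptions chosen to reproduce the 3.30 PM and 9 AM closures.

```python
from datetime import datetime, timedelta

# Shift model from the article: one shift, 8 AM to 5 PM. Monday to Friday only
# is an added assumption, so a Friday-evening attack waits until Monday.
SHIFT_START = timedelta(hours=8)
SHIFT_END = timedelta(hours=17)
WORKDAYS = range(0, 5)                      # Monday=0 .. Friday=4

# Assumed analyst delays (not stated in the article): 15 minutes to notice an
# event while staffed, 30 minutes of backlog triage after a shift starts, and
# 15 minutes to respond and close in either case.
DETECT_IN_SHIFT = timedelta(minutes=15)
DETECT_AFTER_SHIFT_START = timedelta(minutes=30)
RESPOND = timedelta(minutes=15)

def _midnight(t):
    return t.replace(hour=0, minute=0, second=0, microsecond=0)

def is_staffed(t):
    """True if an analyst is on shift at wall-clock time t."""
    return t.weekday() in WORKDAYS and SHIFT_START <= t - _midnight(t) < SHIFT_END

def next_shift_start(t):
    """Earliest shift start strictly after t, skipping weekends."""
    day = _midnight(t)
    while day + SHIFT_START <= t or day.weekday() not in WORKDAYS:
        day += timedelta(days=1)
    return day + SHIFT_START

def time_budget(attack_start):
    """Return (D, R): time to detect and time to respond for an attack at attack_start."""
    if is_staffed(attack_start):
        detected = attack_start + DETECT_IN_SHIFT
    else:
        detected = next_shift_start(attack_start) + DETECT_AFTER_SHIFT_START
    return detected - attack_start, RESPOND

def controls_hold(protection_time, attack_start):
    """The article's test P(t) > D(t) + R(t): do the controls outlast detection plus response?"""
    d, r = time_budget(attack_start)
    return protection_time > d + r

if __name__ == "__main__":
    for label, start in [("Scenario 1", datetime(2024, 1, 8, 15, 0)),   # Monday 3 PM
                         ("Scenario 2", datetime(2024, 1, 8, 17, 15))]: # Monday 5.15 PM
        print(label, time_budget(start), controls_hold(timedelta(hours=2), start))
```

With controls that hold for two hours (P = 2h), Scenario 1 passes (D + R = 30 minutes) while Scenario 2 fails (D alone is 15 hours 15 minutes), and a Friday 5.15 PM start pushes D past two and a half days.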
Like the defender, the attacker also uses a time-based security approach from the planning stage. As an example from the physical world, a robber may be calculating the time available from the point at which the alarm triggers, or the events are generated, to the time the defender or law enforcement reaches the site or responds. The time between those two events is the time available for the attacker to execute the plan.
Attackers have improved their time considerably over the years by leveraging automation, big data, social engineering techniques, zero-day exploits, collaboration with similar groups, etc. Defenders need to improve their time to detect and respond in order to stay relevant and effective.
The time required to detect the attack, 'D'
The time and capability to detect an (any) attack is a very critical factor. Ideally, this starts with the data sources and events of interest being collected and correlated so that the potential strike can be understood, along with the coverage of control enforcement, the skill set available, and the process in place to respond.
Many of the security controls enforced may be only a detection mechanism and not fully configured to be preventive. An example is an IPS which may not have all signatures in block mode; it may be set only to alert. The expectation is that the responder will see this alert in a reasonable time, knows how to respond, and knows whom to escalate to if required.
The time to respond to and mitigate the attack, 'R'
Based on the maturity and priority defined in the enterprise security program, the feasibility and capability to respond to varied attack scenarios should be evaluated periodically. Ideally, it should be reviewed against each of the potential attack use cases based on the kill chain model.
A SWOT analysis helps to understand the strengths and weaknesses of attackers and defenders in each of the use cases. There are phases where attackers need a long period to complete the attack lifecycle; examples are data exfiltration attempts or lateral movement.
If the time to detect and respond is long, defensive protection may have to be enforced by default. An example for unauthorized access is the AD configuration: after 3 or 5 failed login attempts, a rule locks out the AD account until manual intervention is available or for a specific period of time.
Response maturity also depends on the authority the responder has in each of the use cases, the defined process, escalation support, the RACI model, etc.
Maturity and capability should be measured on the final outcome, achieving the objective of containing the incident and returning to normalcy without damage, and not on the type or extent of controls in place. Just adding controls without an effective process and the skill set to validate and respond is useless.
In the formula P(t) > D(t) + R(t), potential exposures, vulnerabilities, skill gaps, blind spots and misconfigurations should be discounted while measuring maturity and capability.
Also, the potential impact of the incident resulting from a delayed response should be considered when prioritizing the model.
Attacks triggered through social engineering, zero-day exploits, and insider errors, omissions or oversights should be considered while defining the use cases.
Time-based security should be a key consideration in all stages of security architecture and operation model.
Let us work together to have secured trustworthy cyberspace.
Acknowledging the thought leadership of Winn Schwartau, Richard Bejtlich and others in this domain.
True test of CyberSecurity architecture would be Time and value!! Well explained Sunil
Vice President @ HCLTech | Software Project Management
5 years
Good one .. Very informative.
Good. Informative Article. Thanks
Interesting thoughts.... Thanks for a well conceptualized article!
Business Leader | Cyber & Privacy Evangelist | Mentor | Cybersecurity & Privacy Strategist | AI Assurance | Digital Transformation | OT & Automotive Security Consultant | Automotive Functional Safety Expert
5 years
Nice article