Decoded: Threat lifecycle management

An introduction to threat lifecycle management and the stages of a cyber attack.
Our first jargon-free Decoded article explains how faster detection and response capabilities can help manage the impact of threats.

By Aled Herbert

Thu 20 Apr 2017 @ 16:01

I’ve been hearing a lot about threat lifecycle management recently. What’s the story?

Put simply, threat lifecycle management (TLM) is a set of aligned security operations and processes that cover the end-to-end management of network defence. It begins with the ability to ‘see’ broadly across the IT environment and culminates with the ability to quickly mitigate and recover from a security incident.

TLM accepts that intruders will get in, that no perimeter defence is impregnable, and that organisations need the tools and capabilities to be able to detect and respond to threats inside the IT estate.

How did this approach evolve?

Let's take a step back and look how the threat environment has evolved. Threat actors have spread from lone attackers, to criminal organisations, ideological groups and even nation states with a wide number of motivations for attacking organisations.

With so many attackers using an increasingly broad range of creative and sophisticated attacks the chances of a breach occurring are growing steadily. A recent CyberEdge report indicates that 79 per cent of networks were breached in 2016, up from 76 per cent from 2015 and up from 62 per cent just three years ago.

In addition, the cost of a successful attack is rising, with each breached company facing a bill of $7.7m according to a recent Ponemon Institute report, which claims that data breaches are now a "consistent cost of doing business in the cybercrime era".

In light of this, the pragmatic security team accepts that while perimeter defences remain important, it is essential to invest in TLM technologies that let organisations detect and respond to threats that get in. In fact, Gartner recently stated that detection and response is the top security priority for organisations in 2017.

What does the lifecycle of a cyber-attack look like?

There are a number of stages in the typical security attack/breach:

  • Reconnaissance: this initial stage is where the attacker identifies potential targets, assesses their security capabilities and weighs up the most appropriate attack method.
  • Initial compromise: the initial breach might be an externally-facing server or a compromised endpoint or user account. But recent non-traditional systems, such as point-of-sale or consumer devices, could also be targeted to gain a foothold.
  • Command and control: Once in, the attacker will typically strengthen their position, downloading malware to establish persistent, long-term access while the next move is planned.
  • Lateral movement: the attacker has now a persistent connection and looks for additional user accounts to compromise, ideally with greater system privileges. The breach is often hard to spot as valid user credentials are being used.
  • Target attainment: At this point the attacker may have compromised hundreds of accounts, have a clear understanding of the IT environment and be adjacent to their real target.
  • Exfiltration, corruption and disruption: at this point the attacker executes the end goal. This could be theft of intellectual property or data, damage to systems or disruption to business operations.

So once a breach has occurred, it could be some time before the end goal is actually reached?

Exactly, this is why the ability to detect and respond to a breach is critical.

Before a threat can be detected you need evidence. Let's look at some of the stages of threat lifecycle management.

  • Forensic data collection: TLM draws on a rich range of data to help identify threats. Principal among these are security event and alarm data, log and machine data and forensic sensor data.
  • Discovery: potential threats are uncovered through a blend of search analytics and machine analytics, using a human insight and software in tandem.
  • Qualify: Once a threat is discovered it needs to be quickly qualified to assess the potential impact to the business and the urgency of response efforts
  • Investigate: once qualified, threats need to be fully investigated to determine whether a security incident has occurred or is in progress.
  • Neutralise: Once the nature of the threat is understood security teams can implement mitigations to reduce and eventually eliminate risk to the business. Effective incident response processes coupled with automation are essential.
  • Recover: Once the breach is neutralised and the risk to the business is under control, full recovery efforts can begin

These actions cover the detection of breaches. Once found and qualified the next stage of TLM is response:

Got it, so threat lifecycle management is about accepting that breaches will happen but making sure the tools and processes are in place to mitigate/neutralise them?

Precisely. Although internal and external threats exist, the key to managing their impact within an environment and reducing the likelihood of costly consequences is through faster detection and response capabilities.

This results in stronger and more holistic security and greater assurance that the inevitable breaches can be contained and damaging costs reduced – both financial and reputational.