The Threat Lifecycle Management framework

Mazen Dohaji, regional director for the Middle East, Turkey and Africa at LogRhythm, talks about how to prevent data breaches by reducing the time it takes to detect and respond to threats.

Many of today’s advanced and motivated threat actors are circumventing traditional defences with targeted and persistent attacks, says Dohaji.

By Mazen Dohaji. Published August 16, 2017

Globally, sophisticated cyber-attacks are compromising organisations at an unprecedented rate and with devastating consequences. Modern attackers, including criminal organisations, ideological groups, nation states and other advanced threat actors are motivated by a wide range of objectives that include financial gain, industrial espionage, cyber-warfare, and terrorism. These attacks are often very expensive for compromised organisations, costing each company an average of USD $7.7 million.

The odds that your organisation will be compromised are high. In fact, a recent report indicates that 76% of surveyed organisations were compromised in 2016. Against this backdrop, organisations increasingly expect that the question is not if they will be compromised, but when.

A new approach is required

The traditional approach to cybersecurity has been to use a prevention-centric strategy focused on blocking attacks. While prevention-centric approaches do stop many threats, many of today’s advanced and motivated threat actors are circumventing these defences with creative, stealthy, targeted, and persistent attacks that often go undetected for significant periods of time.

In response to the shortcomings of prevention-centric security strategies and the challenges of securing an increasingly complex and open IT environment, many organisations are progressively shifting their resources and focus towards strategies centred on threat detection and response. Analyst Gartner estimates that by 2020, 60% of enterprise information security budgets will be allocated to rapid detection and response approaches, up from less than 20% in 2015. Security teams that are able to reduce their mean time to detect (MTTD) and mean time to respond (MTTR) can materially decrease their risk of experiencing a high-impact cyber incident or data breach.

Unfortunately, the growing complexity of IT and an increasingly hostile threat landscape have made it challenging to realise reductions in MTTD and MTTR. Most organisations are struggling to keep up with the volume of security alerts, many of them false positives or of low quality. These challenges are evident when looking at recent data breaches. Too often, the time it took for the affected organisation to discover and respond to the breach was measured in months, and in some cases years.
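As an added illustration of the MTTD and MTTR metrics described above (example code, not LogRhythm's or the author's), the script below computes both from a set of incident records and reports the median beside the mean, because a single long-dwell breach of the kind the article mentions pulls the mean far away from what a typical incident looks like. The incident ids, timestamps and lifecycle stages are constructed sample data.

```python
from datetime import datetime
from statistics import mean, median

TS = "%Y-%m-%dT%H:%M"

# Constructed incident records (sample data, not figures from the article):
# incident id, time of initial compromise, time the SOC detected it, time it
# was contained, and the lifecycle stage the attacker had reached at detection.
INCIDENTS = [
    ("INC-001", "2017-03-01T09:00", "2017-03-01T11:30", "2017-03-01T16:00", "initial compromise"),
    ("INC-002", "2017-03-04T08:00", "2017-03-06T08:00", "2017-03-08T08:00", "command and control"),
    ("INC-003", "2017-01-10T00:00", "2017-05-20T00:00", "2017-06-19T00:00", "exfiltration"),
    ("INC-004", "2017-04-02T10:00", "2017-04-03T10:00", "2017-04-04T22:00", "lateral movement"),
]


def hours_between(start, end):
    """Elapsed hours between two timestamps in the TS format."""
    return (datetime.strptime(end, TS) - datetime.strptime(start, TS)).total_seconds() / 3600


def detection_hours(incidents):
    """Time to detect per incident: initial compromise -> detection."""
    return [hours_between(c, d) for _, c, d, _, _ in incidents]


def response_hours(incidents):
    """Time to respond per incident: detection -> containment."""
    return [hours_between(d, r) for _, _, d, r, _ in incidents]


def mttd_mttr(incidents):
    """MTTD/MTTR as mean hours, with the median alongside: one breach that
    dwelt for months dominates the mean and hides the typical case."""
    ttd, ttr = detection_hours(incidents), response_hours(incidents)
    return {
        "mttd_mean": mean(ttd), "mttd_median": median(ttd),
        "mttr_mean": mean(ttr), "mttr_median": median(ttr),
    }


def detections_by_stage(incidents):
    """How far along the Cyber Attack Lifecycle each threat got before it was caught."""
    counts = {}
    for _, _, _, _, stage in incidents:
        counts[stage] = counts.get(stage, 0) + 1
    return counts


if __name__ == "__main__":
    for name, value in mttd_mttr(INCIDENTS).items():
        print(f"{name:>12}: {value:8.1f} h")
    print(detections_by_stage(INCIDENTS))
```

Late-stage detections (the exfiltration row here) are the ones that make MTTD look months long; tracking the stage at detection alongside the averages shows whether the detection programme is catching threats early in the lifecycle.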

The cyber-attack lifecycle

Fortunately, high-impact cyber incidents and data breaches can be largely avoided if you detect and respond quickly with end-to-end threat management processes. The modern approach to cybersecurity requires a focus on reducing MTTD and MTTR where threats are detected and killed early in their lifecycle, thereby avoiding downstream consequences and costs. The following steps illustrate the Cyber Attack Lifecycle and the typical steps involved in a data breach.

Reconnaissance

The first stage, reconnaissance, is identifying potential targets (companies or individuals) that satisfy the mission of the attackers (e.g. financial gain, targeted access to sensitive information, brand damage, etc.). Once the target or targets are identified, the attackers determine their best mode of entry. They determine what defences you have in place and choose their initial weapon based on what they discover during their reconnaissance, whether it is a zero-day exploit, a spear-phishing email campaign, physical compromise, bribing an employee, or some other means.

Initial compromise

The initial compromise is usually in the form of hackers bypassing your perimeter defences and, in one way or another, gaining access to your internal network through a compromised system or user account. Compromised systems might include your externally facing servers or end-user devices, such as laptops or desktops. Recent breaches have also included systems that were never traditionally considered as intrusion entry points, such as point-of-sale (POS) devices, medical devices, personal consumer devices, networked printers, and even IoT devices.

Command and control

The compromised device is used as a beachhead into your organisation. Typically, this involves the attacker surreptitiously downloading and installing a remote-access Trojan (RAT) so they can establish persistent, long-term, remote access to your environment. Once the RAT is in place, they can carefully plan and execute their next move using covert connections from attacker-controlled systems on the internet.

Lateral movement

Once the attacker has an established (persistent) connection to your internal network, they seek to compromise additional systems and user accounts. First, they take over the user account on the compromised system. This account helps them scan, discover, and compromise additional systems from which additional user accounts can be stolen. Because the attacker is often impersonating an authorised user, evidence of their existence can be hard to see.

Target attainment

At this stage in the lifecycle, the attacker typically has multiple remote access entry points and may have compromised hundreds (or even thousands) of your internal systems and user accounts. They have mapped out and deeply understand the aspects of your IT environment of highest interest to them. Ultimately, they are within reach of their target(s), and they are comfortable that they can complete their ultimate mission at the time of their choosing.

Exfiltration, corruption, and disruption

The final stage of the Cyber Attack Lifecycle is where cost to your business rises exponentially if the attack is not defeated. This is the stage where the attacker executes the final aspects of their mission, stealing intellectual property or other sensitive data, corrupting mission-critical systems, and generally disrupting the operations of your business. In the event of data theft, data is often transmitted via covert network communications across days, weeks, or even months. Attackers will also hide activity by using seemingly legitimate cloud-storage applications such as Dropbox and Google Drive to steal data.

The ability to detect and respond to the threat early in the Cyber Attack Lifecycle is the key to protecting your company from large-scale impact. The earlier an attack is detected and mitigated, the less the ultimate cost to the business will be. If a compromised endpoint is quickly removed from the environment, the cost of cleaning up additional compromised systems due to successful lateral movement is avoided.

That's why LogRhythm delivers Threat Lifecycle Management by bringing together historically disparate security solutions into one unified platform. The LogRhythm Security Intelligence and Analytics Platform gives the security operations centre (SOC) a “single pane of glass” from which to evaluate alarms, investigate threats, and respond to incidents. LogRhythm’s security analytics capabilities automate the detection and prioritisation of real threats. In addition, our platform provides mechanisms to orchestrate and automate the incident response workflow.

You can lessen your organisation’s risk of experiencing a damaging cyber incident or data breach by investing in effective Threat Lifecycle Management. Although internal and external threats will exist, the key to managing their impact within your environment and reducing the likelihood of costly consequences is through faster detection and response capabilities.

We firmly believe at LogRhythm that TLM is optimally delivered via a collection of seamlessly integrated capabilities, which elegantly fuse technology, people and process through automation and an incredible user experience.
