Security Experts:

Connect with us

Hi, what are you looking for?


Endpoint Security

How to Improve Mean Time to Detect for Ransomware

Training for multiple situations will help your security team make decisions more quickly

Training for multiple situations will help your security team make decisions more quickly

Moving at digital speed means both good things and bad. Work gets done quickly and efficiently, but when bad guys attack, they too, move at digital speed. That’s why threat detection and incident response have to be nimble and quick. But how are we to know if that is the case? 

Mean time to detect (MTTD), or mean time to detect, is one of the key performance indicators (KPIs) used to measure what information security professionals are trying to do. MTTD measures elapsed time from intrusion to detection, or how long a problem—a vulnerability, an intrusion or some form of malicious activity—is present in the network before the relevant parties in the organization become aware. 

MTTD, sometimes called mean time to identify (MTTI), can be worked out simply by dividing the total of incident response times attributed to a technician, security team or time period by the number of incidents. It is a simple calculation, if the organization has sufficient, accurate data on incidents. 

Challenges to improving MTTD

The ability to bring down MTTD can be limited by a number of factors: 

 Lack of transferable knowledge: The Web is full of commodity malware that bad guys can buy off the shelf and send out as-is, or with minimal tweaking. Knowing how it behaves and some of its indicators can be helpful to security, but not starting with a foundation of knowledge that defenders can then apply to similar situations will slow detection. 

● Lack of experience: Experience in dealing with these incidents is what gives security people the confidence and ability to shorten response times. Once they have dealt with incidents, they will know what to do to apply their learned knowledge. For example, one organization we are familiar with was attacked several times by the same strain of ransomware. The first time, it took upwards of 30 hours to deal with the incident. The second time the malware hit, they were able to use their experience to trim the response to about eight hours—still a whole shift. The third time, it took 15 minutes. 

● Lack of process: It doesn’t need to be one analyst working alone against the bad guys. Working as a team brings down MTTD, but teams need a process to follow, and to be comfortable enough with it to work together and resolve incidents. When the team members have had practice working together, they’ll know what to do, who they can count in the team and how to make the handoffs from investigation to mitigation. The work needs to validate their process. 

Best practices for improving MTTD 

The job of security won’t be as tough if teams have the practice and feel a sense of accomplishment as they go through their activities. This creates a ripple effect across the organization as disruptions are reduced. All of a sudden security and IT are not blamed for these disruptions, because as they shorten the response times, those disruptions and outages become less noticeable to the organization. 

Here are a few principles can help bring down those MTTDs: 

● Practice: Don’t wait for a real incident to test your team or to put things into practice, start preparing using live simulations now. You wouldn’t take someone who’s never played football and say: “All right, you’re now the running back. I know you’ve never carried a ball, but we’re putting this all on your shoulders.” Simulations give defenders the exposure and prepares them for incidents. They build a  chain reaction where, if they’re prepared for how things happen in a controlled simulation, they can anticipate how it might happen outside that controlled environment.

● Live in the real world: Understand that the threat landscape changes.  It’s a moving target and we have to be able to think abstractly, to where threats will evolve. That’s where transferable knowledge is important, because something acting up in your environment may be what helps you detect some new threat. Use individual and team exercises to keep up with evolving threat landscape and attack techniques and tactics.

● Invest in training: Make sure staff is trained, knowledgeable and comfortable using the security tools at their disposal. Technology changes and improves, so it’s important to have security staff practicing with and understanding the tools that they’re using. You could have budget for some of the latest and greatest tool sets that are out there, but if your people don’t know how to use them in the context of their job, you won’t get the full benefit from them. 

Nothing can ever prepare an organization for every possible ransomware scenario. However, if you train for multiple situations, your team will be able to make decisions more quickly, and react appropriately when an unforeseen incident occurs. All of which will reduce MTTD.

Written By

Jeff Orloff is Vice President of Products and Technical Services at RangeForce, a cybersecurity training company. He has over ten years of experience in cybersecurity, computer and network security and system administration. Prior to RangeForce, he was Director of Product Management and UX at COFENSE, a company specializing in email security, phishing detection and response. He also served as Technology Coordinator for the Palm Beach County Florida School District.

Click to comment

Expert Insights

Related Content

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


US government reminds the public that a reward of up to $10 million is offered for information on cybercriminals, including members of the Hive...


The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.