Mean Time to Detect (MTTD) in Ukraine's Cyber Defense: 2022-2024 Progress
Mean Time to Detect (MTTD) measures the average elapsed time between when an attacker first establishes a foothold in a network and when that compromise is detected by defenders. MTTD is one of the most consequential security performance metrics: shorter detection times limit the window during which attackers can move laterally, escalate privileges, exfiltrate data, and stage destructive actions. For Ukraine, facing persistent sophisticated attackers who pre-position malware months before activating it, reducing MTTD across government and critical infrastructure networks is a primary defensive objective.
Global MTTD Benchmarks and Ukraine's Starting Position
Global MTTD for sophisticated intrusions has historically ranged from 150-200 days in commercial organizations—meaning that on average, attackers spent five to seven months undetected before discovery. Ukrainian government organizations in early 2022 were at varying maturity levels, with more security-mature agencies having implemented security monitoring that reduced MTTD, while less mature agencies had limited detection visibility and MTTD potentially in months to years. The Sandworm attack on Ukrainian energy using INDUSTROYER2 malware (detected April 2022) was discovered before the destructive payload deployed—a significant MTTD improvement relative to the 2015/2016 attacks where impact occurred before detection.
MTTD Improvement Drivers 2022-2024
Several systematic programs have contributed to MTTD improvement across the Ukrainian government and critical infrastructure sectors. Expanded SIEM deployment—Microsoft Sentinel through the Azure Government agreement, Elastic SIEM at other agencies—increased log collection coverage from key systems, reducing the detection blind spots where attackers could operate undetected. Improved threat intelligence integration—connecting CERT-UA IOC feeds directly to SIEM detection rules—enabled automated alerting on indicators associated with known Russian threat actor techniques before analysts manually reviewed logs. Deployment of Endpoint Detection and Response (EDR) tools across government endpoints replaced signature-based antivirus with behavioral detection capable of identifying novel malware families.
MTTD Performance by Sector
| Sector | Est. MTTD 2022 (days) | Est. MTTD 2024 (days) | Improvement | Primary Detection Tool |
|---|---|---|---|---|
| Defense/military cyber | 30-60 | 3-10 | ~85% reduction | EDR + military SIEM |
| Energy critical infra | 60-180 | 10-30 | ~80% reduction | Dragos Platform + SIEM |
| Government IT (central) | 45-90 | 7-20 | ~80% reduction | Microsoft Sentinel |
| Financial sector | 20-45 | 5-15 | ~70% reduction | Commercial SIEM + SOC |
| Municipal/regional gov | 90-365 | 30-120 | ~65% reduction | Regional cyber centers |
Detection Tool Contribution Analysis
Different detection tools contribute to MTTD reduction in different ways. Network Detection and Response (NDR) tools monitoring east-west network traffic catch lateral movement and command-and-control beaconing that endpoint tools might miss. EDR tools on endpoints capture process executions, file modifications, and registry changes that indicate attacker activity at the endpoint level. SIEM correlation rules connect events across multiple systems to identify attack patterns not visible in any single source. Threat intelligence integration ensures that known-bad indicators are detected automatically rather than requiring analyst-initiated hunt activities.
Analysis of Ukrainian incident data suggests that integrated multi-tool detection significantly outperforms any single tool: incidents where both NDR and EDR coverage existed showed MTTD approximately 50% lower than incidents covered by only one tool type. This has driven investment in ensuring comprehensive tool type coverage in priority sectors rather than deepening investment in a single tool category.
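To make the metric concrete, here is an added Python example (not from the page's sources) that computes MTTD from constructed incident records, breaks it down by sector and period to derive the kind of percentage improvement shown in the table, and compares incidents with combined NDR and EDR coverage against single-tool coverage as in the analysis above. It also reports mean dwell time separately, leaving out incidents not yet contained, since the two metrics diverge when response lags detection; record fields, sector labels and tool names are assumptions.

```python
from datetime import date
from statistics import mean

# Constructed incident records for illustration, not CERT-UA or SSSCIP data.
# tools: detection tool types covering the compromised segment;
# contained: None for an incident that is still open (dwell time unknown).
FIELDS = ("sector", "period", "tools", "foothold", "detected", "contained")
INCIDENTS = [dict(zip(FIELDS, row)) for row in [
    ("energy", "2022", {"siem"}, "2022-01-10", "2022-05-10", "2022-05-20"),
    ("energy", "2022", {"edr"}, "2022-03-01", "2022-04-30", "2022-05-05"),
    ("gov", "2022", {"siem"}, "2022-06-01", "2022-07-21", None),
    ("gov", "2022", {"siem", "edr"}, "2022-09-01", "2022-10-11", "2022-10-15"),
    ("energy", "2024", {"ndr", "edr", "siem"}, "2024-02-01", "2024-02-29", "2024-03-02"),
    ("energy", "2024", {"ndr", "edr"}, "2024-05-01", "2024-05-07", "2024-05-08"),
    ("gov", "2024", {"siem", "edr"}, "2024-01-01", "2024-01-11", "2024-01-12"),
    ("gov", "2024", {"ndr", "edr", "siem"}, "2024-03-01", "2024-03-09", "2024-03-10"),
]]

def days_between(start, end):
    return (date.fromisoformat(end) - date.fromisoformat(start)).days

def mttd(records):
    """Mean time to detect: average foothold-to-detection interval, in days."""
    return mean(days_between(r["foothold"], r["detected"]) for r in records)

def mean_dwell(records):
    """Mean dwell time (foothold to eviction). Open incidents have no dwell time
    yet and are left out, so dwell can lag MTTD when response is slow."""
    closed = [r for r in records if r["contained"] is not None]
    return mean(days_between(r["foothold"], r["contained"]) for r in closed) if closed else None

def group_metric(records, key, metric=mttd):
    """Apply a metric per group, e.g. key=lambda r: (r["sector"], r["period"])."""
    groups = {}
    for r in records:
        groups.setdefault(key(r), []).append(r)
    return {k: metric(v) for k, v in groups.items()}

def improvement_pct(records, sector, before="2022", after="2024"):
    """Percentage MTTD reduction between two periods, as in the sector table."""
    by_period = group_metric(records, lambda r: (r["sector"], r["period"]))
    b, a = by_period[(sector, before)], by_period[(sector, after)]
    return round(100 * (b - a) / b, 1)

def coverage_class(rec):
    """Incidents with both NDR and EDR coverage versus any single-tool coverage.
    A real comparison should also control for sector and period."""
    return "ndr+edr" if {"ndr", "edr"} <= rec["tools"] else "single"
```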
The Pre-Positioning Detection Challenge
Russian threat actors targeting Ukrainian infrastructure have demonstrated a pattern of patient pre-positioning: establishing access months before planned activation, moving slowly through networks to avoid triggering rate-based detection, and timing destructive actions to coincide with kinetic operations or politically significant events. Detecting pre-positioned malware before it activates requires proactive threat hunting—analysts actively searching for indicators of attacker presence rather than waiting for automated alerts. Ukraine's investment in threat hunting capabilities augments automated detection specifically for catching low-activity pre-positioning that doesn't trigger alert thresholds.
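An added illustration of the kind of hunt logic this implies (not a CERT-UA or SSSCIP artifact): over a constructed outbound-connection log, a per-hour rate rule sees nothing unusual, while checking how regular the intervals between connections to the same destination are surfaces a check-in that recurs every six hours. Thresholds, the log field layout, host names and the documentation-range addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection records (timestamp, host, destination, port), not
# real telemetry. The flow to 198.51.100.7 checks in once every ~6 hours; the flow to
# 203.0.113.10 is ordinary bursty browsing. Both stay far below any per-hour rate cap.
LOG = """\
2024-03-01T00:05:00 ws-17 198.51.100.7 443
2024-03-01T06:05:20 ws-17 198.51.100.7 443
2024-03-01T12:04:50 ws-17 198.51.100.7 443
2024-03-01T18:05:10 ws-17 198.51.100.7 443
2024-03-02T00:05:00 ws-17 198.51.100.7 443
2024-03-01T09:00:00 ws-17 203.0.113.10 443
2024-03-01T09:00:03 ws-17 203.0.113.10 443
2024-03-01T09:03:40 ws-17 203.0.113.10 443
2024-03-01T09:15:12 ws-17 203.0.113.10 443
2024-03-01T11:47:00 ws-17 203.0.113.10 443
"""

def parse_log(text):
    """Group connection times by (host, destination, port), sorted in time order."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, host, dst, port = line.split()
        flows[(host, dst, port)].append(datetime.fromisoformat(ts))
    return {flow: sorted(times) for flow, times in flows.items()}

def max_per_hour(times):
    """Largest connection count in any one-hour window: what a rate-based rule sees."""
    best, j = 0, 0
    for i, t in enumerate(times):
        while (t - times[j]).total_seconds() > 3600:
            j += 1
        best = max(best, i - j + 1)
    return best

def hunt_slow_beacons(log, rate_cap=20, min_count=4, max_cv=0.05):
    """Flows a rate rule ignores (<= rate_cap per hour) whose inter-connection
    intervals are nearly constant (coefficient of variation <= max_cv).
    Returns [((host, dst, port), mean_interval_seconds), ...]."""
    findings = []
    for flow, times in parse_log(log).items():
        if len(times) < min_count or max_per_hour(times) > rate_cap:
            continue  # too few samples to judge cadence, or a rate rule already fires
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            findings.append((flow, mean(gaps)))
    return findings
```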
MTTD in Wartime Operational Context
MTTD improvements must be evaluated in the context of increased attack volume. Ukraine faced tens of thousands of cyber incidents in 2022-2024, compared to hundreds per year in peacetime. Maintaining or improving MTTD while handling dramatically increased attack volume requires automation: analysts cannot manually review every alert when alert volumes have increased tenfold. Investment in SOAR automation and AI-assisted alert triage has been essential for ensuring that measured detection improvements are genuine rather than artifacts of analyst capacity constraints, in which overloaded analysts triage away the more complex detections.
FAQ
- What is the difference between MTTD and dwell time?
- Dwell time is the total time an attacker remains in a compromised network—from initial access through eventual eviction (either through detection and response or through their own departure). MTTD is the time from first access to first detection. A low MTTD that is not followed by effective containment could still result in long dwell time if response is slow. Both metrics matter: MTTD measures detection effectiveness while dwell time measures the combined effectiveness of detection and response.
- What MTTD target is Ukraine trying to achieve?
- Ukraine's stated objectives, reflected in SSSCIP public reporting, include achieving MTTD below 24 hours for the highest-priority critical infrastructure sectors and below 7 days for all centrally monitored government systems. Commercial benchmarks suggest median dwell times of around 16 days in mature commercial organizations, making sub-24-hour MTTD an aspirational but achievable target for the most mature Ukrainian sectors with comprehensive detection tooling.
- How does CERT-UA contribute to sector-wide MTTD improvement?
- CERT-UA distributes IOCs, YARA rules, Sigma detection rules, and threat intelligence updates that enable organizations across all sectors to benefit from indicators discovered in any single organization's incident. When CERT-UA investigators discover a new malware sample in one incident, they push the resulting detection content to all monitored organizations, effectively allowing one organization's detection to become everyone's detection and compressing MTTD across the sector for subsequent uses of the same tooling.
- What are the most common detection gaps that allow long MTTD?
- The most common detection gaps are: insufficient log coverage (systems that generate relevant events but aren't connected to SIEM); alerting thresholds configured too high (many low-confidence behavioral alerts discarded to manage volume); lack of detection rules for specific techniques being used by current threat actors; and insufficient threat hunting capacity for proactive detection of low-activity pre-positioned adversaries who don't trigger automated rules.
- Can AI/ML be used to improve MTTD?
- AI and ML contribute to MTTD improvement primarily through: anomaly detection algorithms that identify statistically unusual behavior across large datasets faster than analyst review; automated alert triage that prioritizes the highest-confidence events for analyst review; and natural language processing for automated correlation of threat intelligence reports with observed indicators. Ukrainian security teams have deployed AI-assisted tools within SIEM and NDR platforms, contributing to MTTD improvements alongside expanded log coverage and detection rule quality improvements.
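As an added example of the feed-to-SIEM integration described earlier and of how CERT-UA's shared indicators compress MTTD for every organization that ingests them, this Python code (not CERT-UA's own tooling) matches a constructed indicator feed against constructed, normalized sensor events, distinguishes live hits from retroactive hits on events recorded before the indicator was published, and reports the resulting time to detect per host. Feed and event field names, the placeholder indicator values and the host names are assumptions.

```python
from datetime import datetime

# Constructed indicator feed in the shape an ingested CERT-UA-style advisory might take.
# Values are placeholders (documentation IP, .invalid domain, dummy hash), not real IOCs.
FEED = [
    {"type": "sha256", "value": "ab" * 32, "name": "constructed-wiper-sample", "published": "2024-04-02T08:00:00"},
    {"type": "domain", "value": "update.example.invalid", "name": "constructed-c2-domain", "published": "2024-04-02T08:00:00"},
    {"type": "ip", "value": "203.0.113.44", "name": "constructed-c2-ip", "published": "2024-04-02T08:00:00"},
]

# Constructed, SIEM-normalized events from EDR (process hash), DNS and network sensors.
EVENTS = [
    {"ts": "2024-03-20T10:15:00", "host": "srv-04", "sha256": "ab" * 32},
    {"ts": "2024-03-21T02:00:00", "host": "srv-04", "domain": "update.example.invalid"},
    {"ts": "2024-04-02T09:30:00", "host": "ws-11", "ip": "203.0.113.44"},
    {"ts": "2024-04-02T09:31:00", "host": "ws-11", "domain": "www.example.org"},
]

# Which normalized event field carries each indicator type.
FIELD_FOR_TYPE = {"sha256": "sha256", "domain": "domain", "ip": "ip"}

def index_feed(feed):
    """Exact-match lookup table keyed by (indicator type, value)."""
    return {(ioc["type"], ioc["value"]): ioc for ioc in feed}

def match_events(feed, events):
    """Run every event against the feed; one alert per hit. Events older than the
    indicator's publication are retroactive hits: the feed update revealed an
    already-present compromise, so the alert time is the publication time."""
    table, alerts = index_feed(feed), []
    for ev in events:
        for ioc_type, field in FIELD_FOR_TYPE.items():
            ioc = table.get((ioc_type, ev.get(field)))
            if ioc is None:
                continue
            retro = ev["ts"] < ioc["published"]  # ISO timestamps sort lexicographically
            alerts.append({"host": ev["host"], "indicator": ioc["name"], "event_ts": ev["ts"],
                           "alert_ts": ioc["published"] if retro else ev["ts"], "retroactive": retro})
    return alerts

def time_to_detect_days(alerts):
    """Per host: days from the earliest matching event (a lower bound on the foothold)
    to the first alert, i.e. what the feed contributes to that host's MTTD."""
    out = {}
    for a in alerts:
        first, det = out.get(a["host"], (a["event_ts"], a["alert_ts"]))
        out[a["host"]] = (min(first, a["event_ts"]), min(det, a["alert_ts"]))
    fmt = datetime.fromisoformat
    return {h: (fmt(d) - fmt(f)).total_seconds() / 86400 for h, (f, d) in out.items()}
```

A newly published indicator is worth running over retained historical logs as well as live traffic, which is why log retention depth directly affects how much an advisory can shorten MTTD.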
Sources
- Mandiant / M-Trends — "Global Median Dwell Time Statistics 2023," mandiant.com
- SSSCIP Ukraine — "Cyber Defense Report 2023: Detection and Response Metrics," ssscip.gov.ua
- CERT-UA — "Annual Statistical Summary of Cyber Incidents 2022-2023," cert.gov.ua
- IBM Security — "X-Force Threat Intelligence Index, Ukraine-specific Data," ibm.com/security
- Microsoft — "Digital Defense Report 2023: Ukraine Chapter," microsoft.com/security
Cyber Operations Analysis: Mean Time to Detect (MTTD) in Ukraine's Cyber Defense: 2022-2024 Progress
The Russia-Ukraine conflict has generated the most comprehensively documented state-sponsored cyber operations in history, and Ukraine's 2022-2024 progress in reducing MTTD is one significant dimension of this digital warfare environment. Cyber attacks have targeted Ukrainian government systems, critical infrastructure, financial institutions, and military communications since well before the physical invasion began in February 2022. Understanding the technical characteristics, attributable actors, and strategic effects of the cyber operations behind these detection-time figures provides essential context for assessing both immediate operational impacts and broader implications for cyber conflict doctrine.
Russian state-sponsored threat actors including Sandworm (GRU Unit 74455), APT28/Fancy Bear (GRU Unit 26165), Cozy Bear/APT29 (SVR), and Turla (FSB) have conducted sustained campaigns against Ukrainian and allied targets with objectives spanning espionage, sabotage, and influence operations. Ukraine's MTTD progress intersects with this threat actor ecosystem in specific ways, whether through the deployment of particular malware families, the targeting of specific sectors, or the employment of novel techniques that reveal evolving adversary capabilities and intentions.
Ukraine's cyber defense architecture, significantly strengthened with Western assistance through programs including the EU's Cyber Resilience for Ukraine project and bilateral cooperation with US Cyber Command, has demonstrated growing resilience against Russian operations. The Ukrainian Computer Emergency Response Team (CERT-UA) has published hundreds of threat intelligence advisories, contributing to global understanding of Russian cyber tactics, techniques, and procedures (TTPs). Ukraine's MTTD record informs this evolving defensive picture, highlighting areas where Ukrainian defenses have proven effective and where vulnerabilities remain.
The strategic calculation surrounding the cyber operations behind Ukraine's MTTD figures involves complex trade-offs between operational effect, attribution risk, and escalation management. Russia's decision to employ destructive wiper malware, distributed denial-of-service attacks, and infrastructure-targeting operations reflects a calibrated use of cyber as a coercive instrument alongside physical military operations. The international response, including intelligence sharing, cyber defense assistance, and potential offensive cyber operations by allied nations, shapes the cost-benefit calculations of Russian cyber strategists.
Lessons for Global Cybersecurity Policy
The cyber dimensions of the Russia-Ukraine conflict reflected in Ukraine's 2022-2024 MTTD progress have generated critical lessons for national cybersecurity strategies worldwide. The importance of pre-positioning defensive measures before conflict onset, the value of international cyber defense cooperation frameworks, the role of private sector cybersecurity companies in supporting national defense, and the limitations of cyber operations as a strategic coercive tool have all been illuminated by Ukrainian experience. These lessons are reshaping cybersecurity investment priorities, information sharing architectures, and incident response frameworks across NATO and partner nations.
Frequently Asked Questions
What are the main Russian cyber attacks on Ukraine?
Russia has conducted sustained cyber operations against Ukraine since at least 2014, with a major escalation in February 2022. Key campaigns include the NotPetya attack (2017), attacks on energy infrastructure, the Viasat hack at war's start, and continuous operations against government, military, and civilian targets throughout the full-scale invasion.
How has Ukraine defended against Russian cyber attacks?
Ukraine's cyber defense has benefited from pre-invasion preparation, Microsoft and Western tech company assistance, CERT-UA operations, and the support of allied intelligence services. Ukraine developed significant cyber resilience by distributing government data to cloud infrastructure before the invasion.
What is the role of cyber warfare in the Ukraine conflict?
Cyber warfare in the Ukraine conflict operates alongside conventional military operations. Russia uses cyber attacks to disrupt infrastructure, spread disinformation, and support physical strikes, while Ukraine has developed offensive cyber capabilities to target Russian systems, including oil and gas infrastructure and military networks.
Who are the main cyber actors targeting Ukraine?
Russian state-affiliated cyber groups targeting Ukraine include Sandworm (GRU), APT28 (GRU), APT29 (SVR), Turla (FSB), and various GRU units. Ukrainian cyber forces, international volunteer hacker groups (IT Army of Ukraine), and allied intelligence cyber units operate on the Ukrainian side.
What can other countries learn from Ukraine's cyber defense?
Ukraine's cyber defense offers critical lessons: distributed cloud infrastructure reduces vulnerability to physical and cyber attacks, international information sharing accelerates threat response, pre-conflict preparation matters enormously, and the integration of civilian tech expertise with military cyber operations creates strategic advantages.