Cyber-Attack Dwell Time: How Low Can You Go (Before It Really Helps)?

Dwell time

As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories— Corey Nachreiner of Watchguard Technologies examines how playing limbo with dwell time can knock businesses flat on their backs.

Premium ContentAnyone who has done even a little physical home or office security knows the value of internal motion detectors, cameras, and burglar alarms, even though all these security controls trigger after an intruder has broken in and gotten past your preventative locks, fences, and other barriers. Why are all these post-breach alarms important? Because the alarm is intended to cut down the dwell time of the criminal. If you significantly limit the amount of time an intruder has to do their dirty business, you might still prevent them from attaining their goal or motive. Researchers have found that these sort of burglar alarms, or dwell time deterrents, are effective at dissuading burglars from finishing their crimes, as documented in this study.

Is lowering cyber-criminal dwell time—also conveyed as mean-time-to-detect (MTTD), mean-time-to-respond (MTTR), or some combination of both—as effective at preventing hackers from accomplishing their objectives? That’s what this article explores. My too long; didn’t read (TL;DR) spoiler is lowering cyber threat dwell time always helps some, but until you reduce it to under a few hours or days, many of those cyber-attacks will still succeed in their objective. Often, successful cyber-attacks happen in minutes to hours. Dwell time is less important when criminals go for quick data smash and grabs, especially when data moves at the speed of the wire.

That aside, it’s still worth analyzing how cyber threat dwell time has lowered over time and what security benefits it has.

The Good News: Dwell Time is Down!

Before I burst the bubble, let’s start by celebrating the industry’s improvement, which I believe is due to more organizations deploying better internal detection and response controls (like EDR, XDR, and SIEM tools). According to Mandiant’s M-Trends report for 2022, the median dwell time for cyber threats is down to 21 days in 2021. To put that in better perspective, while that’s only three days lower than 2020’s results, it’s 184 days lower than 2014’s 205 days. Lowering dwell time from about seven months to just under a month is great progress.

That said, not every group monitoring dwell time shows such rosy results. IBM and Ponemon Research have published their Cost of a Data Breach Report for many years and have tracked dwell time-related metrics over a long period. According to their 2022 report, the mean time to identify a threat is 323 days, though it drops to 249 days if the organization has deployed some automated threat detection technology. In any case, with many reports showing dwell times of more than half a year, it is great to see at least one new survey suggesting some organizations are spotting threats or infections within a month.

However, here are the hard questions. Does dwell time going from 200+ days to 21 days really help that much when it comes to mitigating the cyber-attack? The answer is maybe a little, at least for the most sophisticated and targeted breaches like supply chain attacks, but not so much for many other cyber-attacks that can occur in minutes.

While there are exceptions, most network or data compromises require some form of lateral movement before the threat actor reaches their real objective. This is good for defenders from a detection standpoint. It means the first computer the attacker infects, which starts the clock on dwell time, rarely gives the attacker what they need regarding their real motive. For instance, they may have infected the device of a low-privileged and low-ranking employee who doesn’t directly have access to whatever information or resources the attacker really wants. This forces the attacker to spend more time and effort enumerating the target’s internal network to find additional ways to pivot their access to more valuable resources and employees, which might give more time to discover and interrupt the threat. The bad news is this lateral movement tends to be relatively easy to do once attackers have broken past the crunchy exterior of the victim’s defenses and gained access to even a low-privileged computer on the soft and chewy interior. In many cases, lateral movement probably only takes hours to days, or in a more extreme case, maybe a week.

However, lateral movement can take longer for more sophisticated attacks targeting more secure organizations that also deploy internal controls (think segmentation and the zero trust paradigm). For instance, in a software supply chain attack, the threat actor often needs to gain administrative access to source code or software packaging servers. These are usually among the most protected assets in an organization. In those extreme cases, where a victim has good internal segmentation and security, it might take weeks for the attacker to pivot to the intended source code targets in the victim’s network. In that case, organizations that have reduced their cyber threat dwell time to 21 days or less still have a chance to prevent the final attack, even if the attacker technically made it into their systems.

The Bad News: Most Cyber-Attacks Succeed in Minutes to Days!

As you have likely guessed, the problem is that most cyber-attacks complete in well under 21 days, some only taking minutes to hours. While seeing dwell time drop greatly from 200 days to 21 shows good progress for our industry that I’d like to acknowledge, the truth is 21 days is still far too long. If we want breach detection to give us a chance at preventing the repercussions of most cyber-attacks, we need detection and response to complete within 24 hours to a few days at most.

Let me give you an example. Many data breaches where attackers stole huge databases of big companies have been due to SQL injection attacks. Once an attacker finds an exploitable SQL injection flaw on a victim’s website, exploiting it literally takes seconds. Once they exploit the flaw, it might take a few more minutes to craft the right query to suck down the website’s entire SQL database, but at that point, the remaining time for the attack simply has to do with how much data is stored in the database, and the line speeds of the victim and attacker., At worst, it will take about two and a half hours to download one terabyte (TB) of data, but even I can download a terabyte in minutes at home with a consumer 1Gb connection. In other words, many SQL injection attacks go from exploit to sucking down all your database data in under an hour.

That’s just one example, but even with lateral movement, once an attacker is in your network, the path to domain admin credentials is often less than a day. Recently, ransomware authors, like those behind Astrolocker 2.0, have taken up “smash and grab” tactics, where their whole goal is to go in and steal and encrypt data quickly, avoiding the chance of detection that more methodical ransomware campaigns might risk.

In short, many cyber-attacks happen in minutes or hours, so until dwell times hit that scale, we can’t over-celebrate the recent decrease to 21 days, even if it’s exponentially lower than before. Imagine if you had a house alarm that didn’t go off until 21 days after your window was broken. Obviously, the criminal would be long gone with all your valuables; never even hearing said alarm. Until our cyber detection alarms get significantly closer to the initial breach event, like house alarms, we need to continue to drive down threat dwell time by deploying better detection and response tools, such as EDR, XDR, or SIEM systems.

Corey Nachreiner
Follow Corey
Latest posts by Corey Nachreiner (see all)