
A low ‘dwell time’ reflects a high-speed security landscape

Dwell time dips down, but hasty hackers still have the upper hand
Francis

An April report from the cybersecurity firm Mandiant showed a continued decline in an intrusion figure known as “dwell time.” The reduction in dwell time, though encouraging, also suggests that attackers and defenders alike are working at a faster pace than ever in an increasingly complex threat landscape.

According to the M-Trends 2022 Report from the Virginia-based Mandiant, global median dwell time—the duration an attacker is present in a target’s environment before being detected—has decreased by three days.

For intrusions investigated from October 1, 2020, through December 31, 2021, the median number of days between compromise and detection was 21, down from 24 days in 2020, the researchers said.

The trend is a promising, “demonstrable” advancement, Steven Stone, vice president of Mandiant’s advanced practices group, told IT Brew.

“We’re seeing some really robust improvement in dwell time year over year over year. That’s the good news,” said Stone. “The bad news is 21 days is still an awful lot of time for an attacker to potentially have access to an environment.”

Or, to put the good news and the bad news another way:

“We’re seeing defenders move faster than ever. We’re seeing attackers move faster than ever,” said Stone.

The dwellers

The Mandiant report arrives after several notable recent attacks that featured extended dwell time.

One of the higher-profile compromises—a supply-chain attack on the IT-support software company SolarWinds—reached at least 18,000 systems prior to detection. First reported in December 2020, the intrusion may have given attackers access to systems for more than a full year, beginning at least in September 2019.

Just this month, Mandiant discovered a cyberespionage intrusion that remained on a network for 18 months.

The not-dwellers

Some attackers, however, are less concerned about hanging out. Deployers of ransomware, for example, have a way of eventually announcing themselves and saying, “Pay us.”

The Mandiant report noted that, in 2021, 23% of intrusions involved ransomware compared to 25% in 2020, and that ransomware attacks continue to drive down dwell times.

An April finding from DFIR showed similar signs of rapid ransomware, including a domain-wide deployment—from initial access to encryption—in three hours and 46 minutes. “That’s very different from a traditional espionage intrusion, where the last thing they want to do is reveal that they’re on that machine,” said Stone.
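The dwell-time figure described earlier (median days from compromise to detection) and the point made here about ransomware pulling that median down can be shown with a small metric calculation. The following is an added worked example, not code from IT Brew or Mandiant and not the M-Trends methodology; the incident records, category labels and dates are constructed for illustration, and the field layout is an assumption.

```python
"""Dwell-time metric computed from incident records (added example; constructed data)."""
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample incidents: (incident id, category, first evidence of
# compromise, detection date). None of these are real cases.
INCIDENTS = [
    ("INC-001", "espionage",  date(2021, 1, 4),  date(2021, 4, 12)),
    ("INC-002", "espionage",  date(2021, 2, 10), date(2021, 3, 30)),
    ("INC-003", "espionage",  date(2021, 5, 1),  date(2021, 6, 15)),
    ("INC-004", "ransomware", date(2021, 3, 3),  date(2021, 3, 8)),
    ("INC-005", "ransomware", date(2021, 7, 20), date(2021, 7, 22)),
    ("INC-006", "financial",  date(2021, 8, 1),  date(2021, 8, 25)),
    ("INC-007", "financial",  date(2021, 9, 9),  date(2021, 10, 4)),
]


def dwell_days(compromise: date, detection: date) -> int:
    """Days between first evidence of compromise and detection for one incident."""
    if detection < compromise:
        # A detection date before the compromise date means the timeline
        # was recorded wrong; refuse rather than report a negative dwell.
        raise ValueError("detection precedes compromise")
    return (detection - compromise).days


def median_dwell(incidents) -> float:
    """Median dwell time (in days) across all incidents in the set."""
    return median(dwell_days(c, d) for _, _, c, d in incidents)


def median_dwell_by_category(incidents) -> dict:
    """Median dwell time per intrusion category."""
    groups = defaultdict(list)
    for _, category, c, d in incidents:
        groups[category].append(dwell_days(c, d))
    return {category: median(days) for category, days in groups.items()}


def median_without(incidents, category: str) -> float:
    """Median with one category excluded, to see how much it pulls the overall figure."""
    return median_dwell([i for i in incidents if i[1] != category])


def category_share(incidents, category: str) -> float:
    """Fraction of incidents that belong to the given category."""
    return sum(1 for i in incidents if i[1] == category) / len(incidents)


if __name__ == "__main__":
    print("overall median dwell:", median_dwell(INCIDENTS), "days")
    print("by category:", median_dwell_by_category(INCIDENTS))
    print("ransomware share:", round(category_share(INCIDENTS, "ransomware"), 2))
    print("median with ransomware excluded:", median_without(INCIDENTS, "ransomware"), "days")
```

On this constructed set the overall median is 25 days, while excluding the two fast-moving ransomware cases raises it to 45 days: a median is sensitive to how many short-dwell intrusions are in the mix, which is why a year with more ransomware can report a lower headline figure even if espionage actors are hiding just as long. When tracking this metric in a real program, keep the per-category breakdown alongside the headline number.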

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

The demonstrable improvement

When compared to years of cyberspies hiding out on a network, 21 days of dwell time is a positive indicator that security has become a priority in the enterprise, said Allie Mellen, security and risk analyst at the Cambridge, Massachusetts-based research firm Forrester.

“It’s likely a combination of the maturity of the industry, not just the tools that are being developed to detect these trends, but also the processes that security leaders are putting in place,” Mellen told IT Brew. “CISOs have more business buy-in. They’re getting more attention from the board than they ever have before.”

Can smaller organizations keep up?

While defenders and attackers are moving faster than ever, smaller organizations may still not be able to keep up.

“Most midsize and small organizations still have a very limited budget and a very limited capability to support any type of real robust security function in the enterprise,” said Mellen.

The Mandiant report pulled data from clients’ environments, many of them Fortune 500 companies, said Stone. Smaller organizations, which often lack sophisticated detection technology, may be at a disadvantage.

Michael Arnold, a consultant for the Wisconsin-based ITNS Consulting, works with clients ranging from three to 300 employees; for businesses that small, effective network-monitoring tools may be out of reach.

“Logging user activity, logging data activity, access activity, identity management, those kinds of things become very difficult for smaller businesses to be able to afford on their own, generally, because there’s a high cost of entry,” Arnold told IT Brew. “And then, of course, you have to have somebody knowledgeable enough to be looking at those logs.”

Overall, however, Arnold finds reduced dwell times encouraging.

“I absolutely do,” said Arnold. “I wish that that was happening more in the small business space.”—BH
