Join Us at Our Upcoming Events Events
Skip to Main Content

5 Key Things to Know About Attacker Dwell Time

Imagine someone breaking into your house and going room to room for up to 300 days before you notice they stole your things. 

It sounds unlikely. 

But this is increasingly the case in the cyberworld and across corporate networks.

Dwell time: infection to detection

We are talking about dwell time, which occurs after an attacker gains access to your network. How long will it be until you detect them once they are inside your environment? 

Mandiant just released new research on this topic. And the numbers are frustrating to read.

  • Median dwell time dropped: sounds good, but researchers say this is largely because ransomware operators are speeding up the pace of their attacks to increase the number of targets and profits.
  • Longer dwell times are surging:
    “Mandiant experts observed a spike in dwell times between 90 and 300 days with 20% of investigations falling into this range.”
  • Extreme dwell time remains significant:
    “Eight percent of investigations revealed dwell times of more than a year and a half, while half of these had dwell times of more than 700 days.”

All of these findings underline the amount of cyber risk organizations face. That is why getting perspective on the attacker dwell time issue can be extremely valuable.

5 Key Takeaways About Undetected Attacks

We see five significant takeaways from the cybersecurity attacker dwell time problem.

1. The growth of long-term dwell times represents organizations having a more challenging time detecting threats within their more complicated, hybrid networks. 

2. Where dwell time drops into the ‘under 30 days’ category, successful ransomware attacks still result. Ransomware operators are moving faster to increase profits.

3. There are newer, more sophisticated threats. Computer Weekly explains:
“Last year, researchers started tracking over 1,100 new threat groups and 733 new malware families, of which 86% were not publicly available.”

4. Threat actors are hiding within encryption and using custom code. Thomas Pore, Security Product Director at LiveAction, paints the picture here:
“The attackers have an advantage, and that primary advantage is hiding with encrypted traffic. Weaponized vulnerabilities are created and outpacing the ability to patch. They are writing custom malware as soon as someone discloses a vulnerability.”

5. Too many organizations are relying on outdated tools. Encryption blocks rule-based approaches that depend on inspecting packet contents (DPI), and custom malware defeats attempts to decrypt network traffic.

This is where an approach like Deep Packet Dynamics stands in the gap.

Detecting Advanced Threats with NDR

A lack of visibility into encrypted traffic is creating blind spots. This scenario leads to missed threats in the network and also increases attacker dwell time.

As a result, many organizations are turning to Network Detection and Response platforms to solve this problem.

One example is LiveAction’s NDR solution, called ThreatEye. It gets away from DPI (packet inspection) and focuses on DPD (packet dynamics). Thomas Pore explains how it operates. 

“ThreatEye’s Deep Packet Dynamics (DPD) is agnostic to packet contents and is used to create a historical inventory of traits and behaviors for profiling and fingerprinting. This technique works equally well with both encrypted and unencrypted traffic. 

The platform then applies Machine Learning models to identify advanced behavioral threat actor anomalies. The result is real-time detection capabilities across your environment, from core to cloud.”

See the advantage this approach gives you on this interactive feature, Anatomy of a Ransomware Attack

Regardless of the approach you choose, make sure it can detect advanced threats, including attackers hiding within encryption. 

That will give your team the power to cut attacker dwell time and reduce the risk of a successful cyberattack.