Whether it is a burglar in your home or a hacker in your network, if you can limit the time before they are spotted and stopped in their tracks, you might prevent them from achieving their goal.
So, if we can lower cyber dwell times (the gap between initial compromise and detection, closely tied to the mean time to detect (MTTD) and mean time to respond (MTTR) metrics), it should reduce the impact of cyber crime. But while lowering dwell time always helps, until it drops to hours or a few days, many cyber-attacks will still succeed. Often, successful cyber-attacks complete in minutes or hours, and dwell time matters much less when criminals go for a quick data smash and grab.
That aside, it is worth analysing how cyber threat dwell time has fallen over the years and what security benefit that actually brings.
Dwell time is down
The reduction in dwell times is largely down to more organisations deploying better internal detection and response controls such as EDR, XDR and SIEM tools. According to Mandiant’s M-Trends report for 2022, median dwell time for cyber threats was down to 21 days in 2021. While that’s only three days lower than 2020’s results, it’s a massive 184 days lower than 2014’s result of 205 days. Lowering dwell time from about seven months to just under a month is certainly progress.
That said, not every group monitoring dwell time shows such rosy results. IBM and the Ponemon Institute have published their Cost of a Data Breach Report for many years, tracking dwell-time-related metrics over a long period. The 2022 report puts the average breach lifecycle (time to identify plus time to contain) at 323 days for organisations with no security AI and automation deployed, dropping to 249 days for those with it fully deployed. With many reports still showing breaches living for more than half a year, it is gratifying to see at least one survey suggesting some organisations are spotting threats within a month.
However, does dwell time going from 200+ days to 21 days really help that much when it comes to mitigating cyber-attacks? The answer is maybe a little, at least for the most sophisticated and targeted breaches like supply chain attacks; but not so much for many other cyber-attacks that can occur in minutes.
While there are exceptions, most network or data compromises require some form of lateral movement before the threat actor reaches their real objective. This is good for defenders from a detection standpoint. It means the first computer the attacker infects, which starts the dwell time clock, rarely gives the attacker what they need as far as their real motive.
For instance, they may have infected a device of a low privilege, low-ranking employee, which doesn’t directly have access to the information or resources the attacker really wants. This forces the attacker to spend more time and effort moving across the target’s internal network to find additional ways to pivot their access to more valuable resources and employees, which might give defenders more time to discover and interrupt the threat.
The bad news is that this lateral movement tends to be relatively easy to do once attackers have broken through the perimeter defences. In many cases, lateral movement probably only takes hours to days. However, for sophisticated attacks targeting more secure organisations that also deploy internal controls, such as segmentation and the zero trust paradigm, lateral movement can take longer.
For instance, in a software supply chain attack, the threat actor often needs to gain administrative access to source code or software packaging servers. These are usually among the most protected assets in an organisation. In such extreme cases, where a victim has good internal segmentation and security, it might take weeks for the attacker to pivot to the intended source code targets in the victim’s network. In that case, organisations that have reduced their cyber threat dwell time to 21 days or less still have a chance to prevent the final attack.
Succeed in minutes or days
The problem is that most cyber-attacks complete in well under 21 days, some only taking minutes. While seeing dwell time drop from well over 200 days to 21 shows good progress, the truth is 21 days is still far too long. If we want breach detection to give us a chance at preventing the repercussions of most cyber-attacks, we need detection and response to complete within 24 hours to a few days at most.
For example, many data breaches where attackers have stolen huge databases from big companies have been due to SQL injection attacks. Once an attacker finds an exploitable SQL injection flaw on a victim’s web site, exploiting it takes seconds. It might take a few more minutes to craft the right query (a UNION that appends the sensitive table to a legitimate result, or a blind extraction loop) to pull down the site’s entire database, but from that point the remaining time depends only on how much data the database holds and the line speed between victim and attacker. Over a gigabit-class connection, a terabyte takes roughly two and a half hours (8 × 10^12 bits at 10^9 bit/s is about 2.2 hours before protocol overhead), and most breached databases are far smaller than that. In other words, many SQL injection attacks go from exploit to a complete copy of your data in under an hour.
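To make the "seconds from flaw to full dump" point concrete, here is an added example (not code from the original article) of a string-concatenated query beside its parameterised replacement, run against a constructed in-memory SQLite database. The table names, rows and the `search_vulnerable` / `search_safe` function names are illustrative assumptions; the single UNION payload is enough to return the whole sensitive table in one request.

```python
"""Added example: how one SQL injection request becomes a whole-table dump.

Constructed, self-contained demo on an in-memory SQLite database; it is not
code from the article. Table names, sample rows and the function names are
assumptions chosen for illustration.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create a constructed sample database with a public and a sensitive table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER, name TEXT, price TEXT);
        CREATE TABLE users (id INTEGER, email TEXT, password_hash TEXT);
        INSERT INTO products VALUES (1, 'widget', '9.99'), (2, 'gadget', '19.99');
        INSERT INTO users VALUES
            (1, 'alice@example.com', '$2b$12$alicehash'),
            (2, 'bob@example.com',   '$2b$12$bobhash');
        """
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """Deliberately vulnerable: user input is pasted straight into the SQL text."""
    sql = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    """Hardened: same query with a bound parameter, so input is never parsed as SQL."""
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


# UNION payload: the appended SELECT must return the same number of columns as
# the original (two here), so the attacker picks the two fields they want.
# The closing quote ends the LIKE string and '--' comments out the rest.
UNION_PAYLOAD = "' UNION SELECT email, password_hash FROM users --"


def dump_users_via_injection(conn: sqlite3.Connection) -> list:
    """Rows an attacker gets back from a single injected search request."""
    rows = search_vulnerable(conn, UNION_PAYLOAD)
    # Drop the legitimate product rows; what remains is the users table.
    return sorted(r for r in rows if "@" in r[0])


if __name__ == "__main__":
    db = build_db()
    print("injected:", dump_users_via_injection(db))
    print("same input, parameterised:", search_safe(db, UNION_PAYLOAD))
```

Against a real application the attacker would script the same request with `LIMIT`/`OFFSET` paging or a blind-extraction loop, but the time cost is the same: one request per page, bounded only by database size and bandwidth.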
Even with lateral movement, once an attacker is in your network, the path to domain admin credentials is often less than a day. Recently, ransomware operators such as those behind AstraLocker 2.0 have adopted ‘smash and grab’ tactics, where the goal is to steal and encrypt data fast, avoiding the chance of detection that a more methodical, weeks-long campaign would risk.
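The flip side of "lateral movement takes hours" is that the fan-out itself is detectable in minutes if the SIEM rule is watching for it. The following is an added example, not code from the article or from any EDR/SIEM product: a minimal sliding-window rule over constructed Windows network-logon events that alerts when one account authenticates to several distinct hosts from one source in a short window, then measures how long the account had been active before the alert fired. The log format, host and account names, and the thresholds (5 hosts in 10 minutes) are assumptions.

```python
"""Added example: a minimal SIEM-style lateral-movement rule with dwell-time measurement.

Constructed example, not code from the article or any product. Log format,
names and thresholds are assumptions; tune them to your own estate.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows 4624 logons as a SIEM might normalise them.
# 'jdoe' fans out to five hosts from one source within three minutes, the
# classic shape of an attacker pivoting with a stolen credential.
SAMPLE_LOG = """\
2024-03-04T09:00:12Z host=FS-01 event=4624 logon_type=3 user=asmith src=10.0.5.40
2024-03-04T09:03:41Z host=WS-017 event=4624 logon_type=3 user=jdoe src=10.0.5.23
2024-03-04T09:04:02Z host=WS-021 event=4624 logon_type=3 user=jdoe src=10.0.5.23
2024-03-04T09:04:15Z host=WS-022 event=4624 logon_type=3 user=jdoe src=10.0.5.23
2024-03-04T09:05:07Z host=FS-01 event=4624 logon_type=3 user=jdoe src=10.0.5.23
2024-03-04T09:06:30Z host=SQL-02 event=4624 logon_type=3 user=jdoe src=10.0.5.23
2024-03-04T09:30:00Z host=FS-01 event=4624 logon_type=3 user=asmith src=10.0.5.40
2024-03-04T10:15:09Z host=WS-022 event=4624 logon_type=2 user=bjones src=-
"""

WINDOW = timedelta(minutes=10)   # assumed sliding window
DISTINCT_HOSTS = 5               # assumed fan-out threshold


def parse_line(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict with a parsed timestamp."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_fan_out(log: str) -> list:
    """Alert once per (user, src) that reaches DISTINCT_HOSTS hosts inside WINDOW.

    Only network logons (event 4624, logon type 3) count; interactive logons
    are ignored. Each alert carries the pair's earliest logon so the time the
    attacker was active before the alert can be measured.
    """
    events = [parse_line(ln) for ln in log.splitlines() if ln.strip()]
    events.sort(key=lambda e: e["ts"])
    seen = defaultdict(list)     # (user, src) -> [(ts, host), ...] in time order
    alerts, alerted = [], set()
    for e in events:
        if e["event"] != "4624" or e["logon_type"] != "3":
            continue
        key = (e["user"], e["src"])
        seen[key].append((e["ts"], e["host"]))
        # Hosts touched inside the window that ends at this event.
        hosts = {h for t, h in seen[key] if e["ts"] - t <= WINDOW}
        if len(hosts) >= DISTINCT_HOSTS and key not in alerted:
            alerted.add(key)
            alerts.append({
                "user": e["user"],
                "src": e["src"],
                "hosts": sorted(hosts),
                "first_seen": seen[key][0][0],
                "alert_time": e["ts"],
            })
    return alerts


def dwell_minutes(alert: dict) -> float:
    """Minutes between the pair's first network logon and the alert firing."""
    return (alert["alert_time"] - alert["first_seen"]).total_seconds() / 60


if __name__ == "__main__":
    for a in detect_fan_out(SAMPLE_LOG):
        print(f"{a['user']}@{a['src']} -> {a['hosts']} "
              f"(alert after {dwell_minutes(a):.1f} min)")
```

Here the rule fires under three minutes into the pivot, against a 21-day median. The same shape (one principal, many targets, short window) also covers SMB admin-share access, WinRM and RDP, so the rule generalises beyond 4624 once the event source is changed; the cost is the false-positive tuning for vulnerability scanners and backup agents that legitimately fan out.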
In short, many cyber-attacks happen in minutes or hours, so until dwell times hit that scale, we can’t be complacent with the decrease to 21 days.
Until our cyber detection alarms fire significantly closer to the initial breach event, as a house alarm does, we need to keep driving down threat dwell time by deploying better EDR, XDR and SIEM detection and response tools, and by tuning them to catch the early stages of an attack rather than its end result.