
Dwell time declining: Good news or bad?
Google Mandiant researchers have recently found that the average “dwell time” for cyber attackers has been declining. Whether this is good, bad, or a mix of both depends on what exactly is driving it.
What is dwell time?
Dwell time is simply the length of time that a cyber intruder retains access to a network that they have penetrated.
Dwell time comes to an end for one of three reasons:
The victim detects the intrusion and responds to evict and block it.
The attacker achieves their goal, such as exfiltrating stolen data, and withdraws from the network. Of course, in this case they retain the ability to return at any time and are very likely to do so.
The attacker detonates a noisy payload, most commonly a ransomware attack, thereby announcing their presence.
Different types of attacks, with different goals, tend to have widely differing dwell times. For example, a ransomware attack typically has a dwell time measured in days or weeks at most. Once the attackers have found and compromised the data they want to hold for ransom, they no longer have any reason to extend their dwell time, especially since doing so would only expose them to a greater risk of discovery.
At the opposite extreme, recently discovered intrusions into critical infrastructure systems by the Chinese hacking group Volt Typhoon were found to have been in place for up to five years in some cases (see this recent blog post for more details). One reason they went so long undetected is that they did not have any immediate espionage or data-theft objectives, so that their lateral movement or other in-network activity was extremely limited. Another is that they were leveraging advanced living-off-the-land (LoTL) techniques to further minimize traces of their presence.
Why are dwell times getting shorter?
So, what is driving the reduction in average dwell times? Well, it’s a number of related factors working together.
On one hand, advances in security technology and strategy have made it easier for organizations that implement them to detect threats residing in their networks. Extended detection and response (XDR) and especially managed XDR solutions (such as Barracuda Managed XDR) make it far more likely that anomalous behavior in the network will be detected and responded to. This is largely because all activity is being actively monitored 24/7, something that is impossible for typical IT teams with limited resources.
And on the other hand, attackers have responded to this increased detection capability by accelerating their processes. Threat actors who once might have taken the time to fully explore a target network—making sure to acquire the highest access levels and to discover any and all data that might be of value—now have a more rushed agenda. They’re more likely to get what they can as fast as they can and be content to have gotten something rather than nothing before being detected and evicted.
Ransomware actors in particular are speeding up their attacks, going noisy as soon as they have a decent amount of data under their control. That’s why ransomware threats have seen the greatest decline in dwell time, from an average of 10 days down to five.
For many types of threats, gaining access to Active Directory systems is a critical early step. The time it takes sophisticated attackers to do this—and to gain the ability to escalate their access privileges—is now down to an average of 16 hours.
What it means for you
To answer the title question, this really isn’t especially good or bad news; it’s just the natural outcome of the eternal arms race between threat actors and security professionals.
It does, however, indicate that it’s increasingly important for all organizations to implement modern detection and response strategies that leverage AI, automation, and dedicated personnel to provide 24/7 monitoring—i.e., XDR if you have a well-resourced SOC, and managed XDR if you don’t.