dwell time

The problem with dwell time: Why organizations need better incident response

Print Friendly, PDF & Email

The threat landscape continues to evolve at a dizzying pace. That’s bad news for network defenders unable or unwilling to adapt as the sands shift beneath their feet. The latest research suggests that the offensive team continues to have an advantage. After all the chaos and disruption that marked the first year of the pandemic, it seems that threat actors are actually getting even better at exploiting flat-footed businesses.

There’s no silver bullet for fixing this situation. But effective incident detection and response should be a part of every SMB’s security strategy. Without it, that dwell time will continue to grow, and with it, the potential financial and reputational impact on victim organizations.

Why does dwell time matter?

Put simply, dwell time measures how long intruders are allowed to remain inside victim networks before they are spotted and kicked out. It stands to reason that the longer the dwell time, the more damage they can do, and the more expensive the clean-up operation will be. It should be of some concern that median dwell time rose from 11 days to 15 between 2020 and 2021.

Although separate research from April indicates the figure is heading in the other direction, from 24 to 21 days, it was far worse in EMEA last year (48 days). It’s telling that most responding organizations had to be informed of the intrusion by a third party rather than discovering incidents themselves.

What else can we say about the way cybercriminals work today?

  • Vulnerability exploits are among the most popular access vectors.
  • Initial access brokers (IABs) are everywhere. These cybercriminals specialize in compromising victims and then selling that access to others, making security breaches far more likely.
  • The remote desktop protocol (RDP) was used less for initial access in 2021 but is still a valuable tool for lateral movement. Organizations often misconfigure these endpoints, for example by failing to update to strong, unique passwords.

How to reduce dwell time

Ransomware remains a persistent threat. Given that some ransomware payloads can encrypt 100,000 files in just four minutes, the best chance organizations have of mitigating the threat is to prevent breaches outright or catch them earlier in the kill chain. Prevention entails a range of best practice steps including:

However, prevention is never 100% effective. This is especially true today, after pandemic-era digital spending increased organizations’ attack surfaces several-fold. A determined attacker will always find a way in, whether it’s via stolen or brute-forced credentials, exploiting unpatched vulnerabilities, or leveraging another vector.

The power of incident response

This is where incident response comes in. Ideally, organizations should complement their cyber hygiene best practices and preventative controls with monitoring tools at the email, network, endpoint, and cloud layer. Because these look for behavioral clues rather than the presence of malware, they can be used to spot even covert “living off the land” and other techniques that threat actors typically use to fly under the radar of legacy tooling.

Most importantly, these detection and response tools should flag with a high degree of certainty when something doesn’t look right, to maximize the time of stretched IT analysts who will otherwise be swamped with false positives. Then it’s a case of investigation, remediation, and response — kicking the bad guys out, fixing any problems and building resilience for the next time.

It goes without saying that such tools should be deployed as part of a well-planned and regularly practiced incident response strategy. It might seem like overkill now. But advanced planning can minimize dwell time and the overall impact of a breach, so your business will live to fight another day.

Respond faster to email attacks.

Scroll to top