Blog

What is attack dwell time, and how does it impact exploit chains?

According to a recent report by Sophos, the dwell time for cyberattacks in the first half of 2023 has decreased to a median of eight days. Sophos attributes this to increased detection capabilities, allowing organizations to "shift left" and allocate more time for response. However, attackers are working more quickly to exploit these shorter timeframes, marking a two-day reduction from Sophos' 2022 findings.

Ransomware incidents are significantly influencing this shift. In the first half of 2023, the median dwell time for ransomware attacks has sharply decreased from 9 days to 5 days. In contrast, non-ransomware incidents have seen a slight increase from 11 days to 13 days.

Other interesting findings indicate that 61% of attacks, including ransomware, are concentrated in the middle of the workweek, with a steady increase in detections as the week progresses. Ransomware attacks exhibit a preference for launching on Fridays, with 43% occurring on Fridays or Saturdays.

So what should you know about attack dwell time to better understand and enhance your organization's security posture? Let's explore:

What Is Attack Dwell Time?

Attack dwell time is when an attacker remains undetected within a targeted network or endpoint. Dwell time starts immediately after an initial malware infection has taken place and continues until the malware has been completely removed from a device.

Understanding dwell time is essential because it sheds light on the effectiveness of an organization's cybersecurity defenses and the attacker's ability to move laterally, escalate privileges, and achieve their primary objectives during this period. For context, let's review the stages of a typical cyber attack that uses malware. 

How Does Dwell Time Factor Into A Cyber Attack?

According to The Cyber Kill Chain, a framework for cybersecurity strategy every cyber attack follows a predictable trajectory of stages, and preventing any stage can prevent attackers from achieving success. When we consider dwell time, we are only concerned with the latter stages of the Kill Chain, (5) Installation, (6) Command and Control, and (7) Actions on Objectives.

By isolating these stages we can evaluate what happens once malware has achieved initial access and why reducing dwell time is so important:

• Installation: After successfully exploiting a vulnerability, attackers move on to the "Installation" stage. Here, they install malicious software or code on the compromised system. This malicious payload typically includes backdoors or rootkits, ensuring persistent access and control.

• Command and Control (C2): The malware establishes communication with a remote Command and Control server operated by the attacker. This server acts as a central command hub, enabling the attacker to maintain control over the compromised system, issue commands, import additional malware tools, and exfiltrate stolen data.

• Actions on Objectives: During this phase, attackers search for high-value targets, which may include sensitive data theft, deploying ransomware, conducting Denial of Service (DoS) attacks, or even destructive wiper attacks. These objectives can vary widely, including data exfiltration, ransomware attacks, denial of service (DoS) disruptions, destructive attacks, espionage, or other activity for financial gain such as installing crypto-mining software.

The longer adversary activity remains undetected during these stages, the more damage they can inflict. Effective detection and response are essential to mitigate the impact of these attacks.

Reducing Dwell Time Depends On Detection And Response

The key to reducing attack dwell time is effective detection and response capabilities. Swift detection is critical for mitigating the overall damage caused by an attack, as it allows for containment measures to be implemented promptly, and a swift return to normal operations.

An IT security team's ability to detect threats efficiently depends on various factors. These include the complexity of their IT environment and the effectiveness of their detection solutions such as Endpoint Detection and Response (EDR) and Network Intrusion Detection Systems (NIDS). However, the expertise and experience of the defenders tasked with configuring these cybersecurity solutions and ensuring they are functioning properly is also a critical contributing factor to gaining the edge from early detection.

Furthermore, testing is essential to validate the functionality of an organization's planned security controls, ensuring they can accurately identify and respond to emerging threats.

How Purple Teaming Helps Reduce Attack Dwell Time

Purple teaming, a critical component of a proactive cybersecurity strategy, is pivotal in reducing attack dwell time by enhancing an organization's detection and response capabilities. It operates under the assumption of a breach and focuses on simulating real-world attack scenarios.

Here's how Purple Teaming contributes to attack dwell time reduction:

• Assumed Breach Scenarios: In a Purple Teaming engagement, the Red Team, composed of skilled penetration testers, simulates cyber-attacks that use the same tactics and techniques of known adversaries. The Red team can also immediately assume the position of a cyber attacker who has already gained an initial foothold on an organization's network. This approach aligns with stages 4 through 7 of The Cyber Kill Chain, covering installation, command and control, and actions on objectives, and allows defenders to immediately test their skills against scenarios that count the most - when attackers are progressing towards their final objectives.

• Blue Team Assessment: While the Red Team conducts these simulated attacks, the organization's defenders, the Blue Team, are actively engaged in monitoring and defending against these simulated threats. They can exercise their detection capabilities, including their ability to use the tools of the trade such as Endpoint Detection and Response (EDR) solutions, and Network Intrusion Detection Systems (NIDS).

• Testing Against Real-World Attack Tactics: Purple Teaming provides a controlled yet realistic environment for testing detection and response mechanisms. It allows security professionals to evaluate how well their systems and defenders can identify and counteract threats at various stages of an attack, including those critical stages at the beginning of an attack to reduce dwell time and prevent action on objectives.

This proactive approach enables security teams to become more adept at identifying and thwarting malicious activities swiftly, enhancing the overall cybersecurity posture of the organization. By actively practicing and refining their detection and response strategies organizations can better prepare for real-world cyber threats and reduce dwell time. 

Conclusion

Dwell time in cyberattacks has notably decreased due to improved detection and response capabilities, but attackers have begun to increase their pace as well as taking action on objectives sooner. The later stages of a cyber attack: Installation, Command and Control, and Actions on Objectives are critical because they define what happens after initial access. Effective detection and response are key to dwell time reduction.

IT security teams must consider factors like IT environment complexity, the efficacy of solutions (e.g., EDR and NIDS), and the expertise of defenders. Rigorous testing is essential for ensuring functional security controls.

Purple Teaming's assumed cyber-breach simulation can play a significant role in reducing attack dwell time by allowing an organization's Blue Team to hone their detection and response skills while under fire from realistic attacks. In this way, Purple Teaming enhances readiness to counter threats swiftly and improves an organization's overall cybersecurity posture.

Looking to take the next step towards reducing attack dwell time and bolstering your organization's overall security posture? Reach out today (or download our complimentary Buyer's Guide.)