Statistics show a steady decline in attacker dwell time on networks: what is the cause?
In a recent conversation, a CISO said something that stuck in my mind and made me wonder whether we are actually better at defence than we realise.
Richard Starnes, CISO at Six Degrees, said that whilst we continue to see breaches happen all the time, “at a general enterprise level, companies are getting more difficult to get into” and “the dwell time is not what it used to be”, as companies are proving a harder target to penetrate.
Evidence of good defence?
Is a reduced dwell time evidence of good defence? First it is important to understand what dwell time actually is and how it is measured. According to AWS, “attacker dwell time is the average time an unauthorised user has access to a system or environment”: the clock starts at the moment the attacker first gained access to that system or environment and stops when the intrusion is detected and the attacker’s access is removed.
AWS explains that the higher the attacker dwell time, the greater the need to identify which parts of the incident response process need improvement, so that your teams are able to minimise the impact and scope of threats or attacks in your environments.
The lower the attacker dwell time, the better your teams are at minimising the time and opportunity a threat or attacker has within your environments, and the lower the risk and impact to your operations and business.
So the lower the time, the better the state you are in. That makes the industry statistics on dwell time very interesting.
Median Dwell Time
The 2022 M-Trends report from Google’s Mandiant researchers showed that the global median dwell time decreased from 24 days in 2020 to 21 days in 2021. Sophos then found that the median dwell time for all attacks in 2022 was ten days, down from 15 days in its previous report.
In its 2023 report, Secureworks found that the median dwell time in ransomware engagements (measured from initial access to ransomware deployment) dropped to just under 24 hours, from four and a half days the previous year.
Comparing different reports is a challenge: they draw on different customers and different data sets, and they stop the clock at different points, whether at detection, at containment, or, for ransomware cases, at payload deployment. Even so, if we compare with where we were in 2018, when the M-Trends report put the global median dwell time at around 101 days, we have to ask whether we are getting better at defending, or whether the attackers are simply getting in and out faster.
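Because the headline figure depends on where the clock is stopped and on whether the median or the mean is reported, it is worth seeing the effect on one data set. The following is an added worked example, not code from the article or from Mandiant, Sophos or Secureworks: it takes a handful of constructed incident timelines (not real case data) and computes dwell time under three stop-the-clock definitions. The record layout and field names are assumptions made for the example.

```python
from datetime import datetime
from statistics import mean, median

# Constructed sample incidents (not real case data). Each record holds the
# timestamps an IR team would typically reconstruct: first evidence of
# attacker access, first detection, containment, and, where it happened,
# ransomware deployment (None if the intrusion never reached that stage).
INCIDENTS = [
    {"id": "inc-01", "initial_access": "2023-03-01T02:00", "detected": "2023-03-02T10:00",
     "contained": "2023-03-03T18:00", "ransomware_deployed": "2023-03-01T23:00"},
    {"id": "inc-02", "initial_access": "2023-04-10T14:00", "detected": "2023-05-21T08:00",
     "contained": "2023-05-25T12:00", "ransomware_deployed": None},
    {"id": "inc-03", "initial_access": "2023-06-05T01:00", "detected": "2023-06-05T20:00",
     "contained": "2023-06-06T10:00", "ransomware_deployed": "2023-06-05T16:00"},
    {"id": "inc-04", "initial_access": "2023-07-12T11:00", "detected": "2023-07-20T11:00",
     "contained": "2023-07-22T11:00", "ransomware_deployed": None},
    {"id": "inc-05", "initial_access": "2023-08-01T00:00", "detected": "2023-11-14T00:00",
     "contained": "2023-11-20T00:00", "ransomware_deployed": None},
]

# The three places a report might stop the clock (assumed field names).
END_EVENTS = ("detected", "contained", "ransomware_deployed")


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def dwell_days(incidents, end_event="detected"):
    """Dwell time in days per incident, from initial access to `end_event`.
    Incidents that never reached that event are skipped, which is why a
    ransomware-only figure describes a different population of cases."""
    if end_event not in END_EVENTS:
        raise ValueError(f"unknown end event {end_event!r}")
    out = {}
    for inc in incidents:
        end = inc[end_event]
        if end is None:
            continue
        delta = _parse(end) - _parse(inc["initial_access"])
        if delta.total_seconds() < 0:
            raise ValueError(f"{inc['id']}: {end_event} precedes initial access")
        out[inc["id"]] = delta.total_seconds() / 86400
    return out


def summarise(incidents, end_event="detected"):
    """Median and mean dwell time (days) for one stop-the-clock definition."""
    days = list(dwell_days(incidents, end_event).values())
    return {"end_event": end_event, "n": len(days),
            "median_days": median(days), "mean_days": mean(days)}


def compare_definitions(incidents):
    """The same incidents summarised under each definition, the way
    different vendor reports would each present their own number."""
    return [summarise(incidents, e) for e in END_EVENTS]


if __name__ == "__main__":
    for row in compare_definitions(INCIDENTS):
        print(f"{row['end_event']:<20} n={row['n']}  "
              f"median={row['median_days']:.2f}d  mean={row['mean_days']:.2f}d")
```

On these five constructed cases the detection-based median is 8 days while the mean is over 31 days (one long-running intrusion dominates the mean), containment adds a couple of days, and the ransomware-deployment figure, which only covers the two cases that reached that stage, is under a day. That is the same pattern as the vendor numbers above: a sub-24-hour ransomware figure and a ten-day all-intrusions figure are not measuring the same thing.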
Secureworks said in its 2023 ‘State of the Threat’ report that one reason for reduced dwell time is attackers moving faster to lower the chance of detection. “However, it is also likely that the threat actors now deploying ransomware are just lower skilled than previous operators” it said.
Better attackers?
So one factor could be that attackers are more efficient, spending less time on a network because they want to leave fewer traces and have malware that can be operated remotely. Gavin Watson, chief consultant at DarkInvader, told SC UK that there has been a shift in focus from stealing data to getting in and taking as much data as possible.
“There was one period where they were using malware and were staying on there until they were confident they had collected all of the backups, and there was talk about malware laying dormant,” he says.
As a former penetration tester, Watson says that ten years ago, access was a lot easier as there was less use of two-factor authentication, not much use of VPNs, and awareness was not as prevalent. However that has improved, along with the capabilities of technologies, which he praised for detecting anomalies.
Watson considers a reason for the reduction in dwell time is a combination of factors, namely better detection technologies, but also considerations by attackers on getting in and out of a network “as quickly as possible.”
“I also think it's because of the shift in focus, if they can get the privileges quickly, get the ransomware away, get the money and then move on to the next one that is going to affect dwell time,” he says. “Why would you sit on that for a year?”
Ultimately the time an attacker spends on the network has reduced considerably, and this could be down to several factors addressed here, as well as advanced malware that can be dropped and activated remotely and does not require lengthy periods of persistence.
Either way, technology and detections are getting better, but so are the attackers and their abilities.
Written by
Dan Raywood
Senior Editor
SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.