Why Dwell Time Continues to Plague Organizations


Global statistics in the most recent Ponemon report on the cost of a data breach show dwell time for malicious attacks has stretched to an average of 229 days. As most IT pros know, dwell time is the period between when a malicious attack enters your network and when it is discovered. Why is dwell time critical? The answer is simple: The longer the dwell time, the greater the potential for extensive damage. Yet, while the concept is easily understood, the fact that average dwell times continue to be weeks and months, rather than minutes or even hours, is less easily explained.

Dwell time represents a failure of both prevention — the attacker got in — and detection, which is often called “silent failure” because the victim is unaware a breach has occurred. These failures reflect a growing trend of adversaries innovating faster than defenders. Cybercrime has developed into an enterprise pursuit involving professional crime syndicates and nation-states — entities with access to cutting-edge expertise and endlessly deep pockets. These adversaries traverse environments with increasing stealth, often using legitimate system tools to cover their tracks and ensure persistence for long periods of time. This combination of well-funded adversaries and increasingly sophisticated tools, tactics and procedures (TTPs) has left many defenders at a disadvantage, challenged to keep up with the pace of innovation. While next-generation tools are now available to more effectively prevent and detect these advanced attacks, minimizing silent failure and dwell time, many organizations still rely on legacy security systems that criminals can bypass with relative ease. This explains why dwell time continues to be an issue for organizations in every market sector.

Not your father’s eCrime adversary

The evolution of nation-state attacks is particularly troubling as it relates to eCrime. The 2017 Verizon Data Breach Investigations Report (DBIR) found that one in five attacks last year was launched by a nation-state. Many organizations hearing of this statistic might breathe a sigh of relief, thinking themselves unlikely targets for attacks motivated by geopolitical concerns. Unfortunately, a growing number of these attacks — particularly those emanating from countries struggling economically, such as North Korea — may be, in fact, eCrime attacks bent on financial gain. An article in Time Magazine explains why businesses should expect more state-sponsored attacks going forward. Citing the Korea Institute of Liberal Democracy in Seoul, the article states “North Korea already has an elite squad of 6,800 state hackers who are engaged in global fraud, blackmail and online gambling, together generating an estimated annual revenue of $860 million.” This means that organizations may be facing a new lineup of complex and well-funded adversaries capable of launching the types of attacks that are stealthy and persistent enough to run up lengthy dwell times.

External notification as an indicator of protracted dwell times

Another statistic in the Verizon DBIR that relates to dwell time is the rate of external notification, which has reached 27 percent. This represents an increase of 25 percent over the previous year. External notification pertains to victim organizations that were unaware they had been breached until a third-party entity — law enforcement, a customer, a vendor, etc. — alerted them. In a typical scenario, an organization gets breached and the breach is not detected. Then another organization gets breached by the same bad actor, and law enforcement becomes aware of the connection and notifies other victims. Imagine how much dwell time may have passed between these incidents. Yet, this is the way breaches have been discovered in many high-profile events.

Dwell time and lateral movement are co-dependent

One of the important tactics a lengthy dwell time enables is lateral movement, which is key to increasing the hacker’s chances of achieving their objectives. Lateral movement through the network allows adversaries to find the valuable data they seek – whether it’s network credentials that provide additional unfettered access, or monetizable information such as social security and credit card numbers, healthcare records and intellectual property. It’s the combination of protracted dwell times and lateral movement that allows adversaries to amplify their success.

Here are a few reasons why dwell time continues to be such an intractable challenge:

Legacy security solutions: If you’re relying on legacy antivirus to protect your endpoints, you won’t be able to stop the fileless and malware-free attacks that are the hallmark of modern, stealthy threats. The ability of adversaries to easily evade standard security is at the core of many high-profile attacks involving months of dwell time and lateral movement. Upgrading to comprehensive technology that includes next-gen AV and behavioral analysis capabilities is mandatory if you hope to combat today’s sophisticated attacks.

False positives: As more detection features become available, the ability to triage the findings hasn’t kept pace. Poor integration of new features — often bundled into traditional security suites — has resulted in countless examples of IT teams ignoring alerts because there were just too many for the in-house staff to investigate.

Failure to prioritize and lack of internal resources: This has been cited as the culprit in a number of high-profile breaches: Organizations lack the IT personnel required to chase down massive volumes of alerts that haven’t been adequately prioritized. Even if you could eliminate more false positives, you might still be stuck with a large number of true positives and no context telling you what to address first.

Long dwell times persist

Persistent and dedicated adversaries aren’t going away, and if you don’t find them for 229 days, the losses could be extreme. That’s why you need endpoint protection that includes comprehensive prevention, detection and response capabilities, as well as behavioral analytics, machine learning, human analysis, and security hygiene, if you want to cover all your bases.

To learn more about the attack trends responsible for protracted dwell times, and how you can employ security strategies to better protect your organization, attend this live webcast: The Modern Attack Landscape: Verizon’s Analysis of their 2017 Data Breach Investigations Report (DBIR) featuring Verizon Senior Analyst Suzanne Widup and CrowdStrike VP of Product Management Rod Murchison.
