We see a lot of marketing claims about how various security solutions can reduce “Dwell Time”. According to Optiv, “Dwell Time represents the length of time a cyber attacker has free rein in an environment from the time they get in until they are eradicated. Dwell Time is determined by adding Mean Time to Detect (MTTD) and Mean Time to Repair/Remediate (MTTR) and is usually measured in days. It is sometimes referred to as the breach detection gap.”
According to the latest Cost of a Data Breach Report published by IBM, in 2021 attackers could be in your network for a mind-boggling average of 287 days before they were discovered and kicked out. They may be stealing data, harming systems, or just lurking until a lucrative ransomware opportunity presents itself. Despite the best efforts of organizations, including investment in endpoint platforms, attack surface management and SIEMs, that number doesn’t seem to be going down substantially. In fact, in each of the last 7 years, the average time to identify and contain a breach has continued to exceed 250 days.
Dwell Time as an Incredibly Effective Attack Technique
Threat actors use Dwell Time to stay within your network for as long as it takes to accomplish their end goal, whether that is data theft, ransomware and/or vandalism. It requires a lot of patience on the attacker’s part, but it helps them evade detection by both human analysts and XDR tools. Why is that?
Security teams, specifically Security Operations Center (SOC) teams, if a company has that luxury, are flooded with large numbers of events that flow into the SOC platform and/or SIEM. Out of all these events, these platforms attempt to highlight indicators of compromise (IoCs) that MAY indicate suspicious behavior. For example, a failed login to a laptop may be a user who has forgotten their new password, or it may be the start of a brute-force attempt by an attacker trying to guess that password. The two look identical in the log, yet they are very different in terms of threat.
Modern XDR and SIEM platforms have been built to correlate individual IoCs with one another to determine whether, taken together, they represent a real threat. It is similar to taking puzzle pieces and combining them to build a picture of an attack campaign.
With Dwell Time, threat actors do nothing for days or even weeks, and then perform small bursts of activity that in isolation look harmless. Humans, let alone correlation engines, struggle to piece together IoCs over long periods of time to determine whether the activity is related. How could I possibly know that a failed password attempt is related to a large file download three weeks later?
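To make the correlation-window problem concrete, here is an added example (not code from the original post or from any vendor) that runs a simple per-user correlation over a few constructed log events: a failed login followed three weeks later by a large download. With a typical 24-hour window the link is lost; with a 30-day lookback and per-user state it is found. The event format, the 1 GB threshold and the window sizes are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp, user, event kind, bytes).
# "alice" fails a login on 1 March and pulls a large file on 22 March.
SAMPLE_EVENTS = [
    ("2021-03-01T08:00:00", "alice", "auth_failure", 0),
    ("2021-03-01T08:00:05", "alice", "auth_failure", 0),
    ("2021-03-01T08:01:10", "alice", "auth_success", 0),
    ("2021-03-05T09:00:00", "bob", "file_download", 40_000_000),
    ("2021-03-22T23:14:00", "alice", "file_download", 2_500_000_000),
]

# Assumed threshold for what counts as a "large" download.
LARGE_DOWNLOAD_BYTES = 1_000_000_000


def parse(events):
    """Turn the raw tuples into (datetime, user, kind, size) tuples."""
    return [(datetime.fromisoformat(ts), user, kind, size)
            for ts, user, kind, size in events]


def correlate(events, window):
    """Return (user, first_failure_ts, download_ts) for every large download
    that follows an auth_failure by the same user within `window`.
    Per-user state is kept so that the lookback can be arbitrarily long."""
    failures = defaultdict(list)  # user -> timestamps of prior auth failures
    hits = []
    for ts, user, kind, size in sorted(parse(events)):
        if kind == "auth_failure":
            failures[user].append(ts)
        elif kind == "file_download" and size >= LARGE_DOWNLOAD_BYTES:
            # Drop failures that have aged out of the lookback window.
            failures[user] = [t for t in failures[user] if ts - t <= window]
            if failures[user]:
                hits.append((user, failures[user][0], ts))
    return hits


def short_window_hits():
    """A 24-hour window: the 21-day gap means nothing is linked."""
    return correlate(SAMPLE_EVENTS, timedelta(hours=24))


def long_window_hits():
    """A 30-day lookback: the failed login and the download are linked."""
    return correlate(SAMPLE_EVENTS, timedelta(days=30))
```

The cost of the long window is the per-user state that must be retained for its whole duration, which is exactly what makes slow, patient activity expensive to correlate at scale.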
The Rise of Buzzword Machine Learning/Artificial Intelligence
Too many security companies lean on what have become marketing buzzwords, Machine Learning (ML) and Artificial Intelligence (AI), claiming to better correlate these seemingly random IoCs. The reality is that the majority of these, while superior to legacy SIEM correlation rules, are nothing but static, rules-based engines that still need to be updated constantly, just like signatures.
This does not solve the problem of threat actors that vary their activity, or even their timeframes, to confuse these rules-based engines. What is effective is true security analytics that leverages ML/AI to adapt to changes in behavior and activity on the fly, without requiring updates to handle variants or new attacks. Signature-based IPS had the same flaw: a small variant could easily bypass a static signature, and security vendors could never keep up with all the variants. This means that behavior-based modeling and analytics built on true ML/AI is the start of getting ahead of these attacks. Once again, that is just the start. The number and power of the models built, their adaptability, and the various implementations of these models across users, identity and access, riskiness, assets, etc., have to work together to be effective at thwarting Dwell Time.