The Story Behind Dwell Time

by Peter Varhol on November 1, 2021

“Dwell time” represents the time attackers are in your computing environment before finding them and remediating the invasion. It may surprise many that it can, and often is, quite a long time.

According to the latest Cost of a Data Breach Report published by IBM, in 2021 attackers can be in your network for a mind-boggling average of 287 days before they are discovered and kicked out. They may be stealing data, harming systems, or just lurking until a lucrative ransomware opportunity presents itself. Despite the best efforts of organizations, that number doesn’t seem to be going down substantially. In fact, in each of the last 7 years, the average time to identify and contain a breach has exceeded 250 days.

How are attackers staying hidden for so long? And how can we find them and what can we do about them?

Searching for Dwellers

Understanding the possible threats is an essential first step. Threats can come in a wide variety of sources, including internally, attempted phishing attacks, social engineering, or software and OS vulnerabilities, to name a few. IT and SOC professionals need to map out the various scenarios, and have a playbook and response ready for each.

Using the right tools is also a key ingredient. But it’s more than just selecting network security solutions; it’s knowing how to properly use those tools and interpret the results. An attacker isn’t going to draw attention to himself until he is ready to do so through an act of theft or ransom. Tools that collect and analyze network, system, and application data to identify and pinpoint unusual activities represent the best way of searching without the attacker’s knowledge.

Sponsorships Available

In the military, we called this a passive search, a way of listening to what is going on without alerting the adversary. By utilizing data that we are already collecting, we can perform comprehensive searches for dwellers without letting on that we are doing so.

Getting the Most from Your Data

However, identifying unusual activities is necessary but not sufficient to find dwellers. An unfiltered approach to data analysis will likely generate a large number of false positive results, an activity that may be unusual but legitimate. SOC analysts could well be overwhelmed by seemingly real threats that turn out to be spurious.

Here’s where machine learning models can come into play. Using machine learning, modern cybersecurity software can create models of normal activities that learn and adapt based on incoming data, and more readily flag true positives, saving time and effort for security analysts. Gurucul has over 2500 of these types of models, which provide intelligence to filter data so that only the highest risk anomalies will need to be investigated.

How Attackers Get into the Network

Individual users are often a weak link into the computing environment, either through social engineering or a phishing attack. In this sense, attackers may end up with legitimate account credentials from unsuspecting users. Educating and maintaining contact with users can alert them to the potential for compromise, so that they keep cybersecurity on their minds in their daily activities.

But there are other ways in. Attackers can obtain the structure of usernames for a particular enterprise, then try to hack in using brute force passwords, or by using guesswork depending on the user. And using techniques such as SQL injection can give attackers the ability to get into a database with administrative credentials.

Software exploits, either zero day exploits or vulnerabilities that haven’t yet been patched, represent another common way in. If a patch exists, IT staff should apply it as soon as it is tested in their environment. IT teams have to be in regular contact with their software vendors and internal software architects to be up to date on the latest vulnerabilities and patches.

Many smaller organizations can’t afford to hire dedicated security staff, making cybersecurity just one more additional duty for IT. IT budgets are expected to increase 2 percent in 2021 and 3.6 percent in 2022, according to a Gartner survey of IT executives and reported by the Wall Street Journal. 48 percent of companies surveyed plan to spend more on cloud platforms and two-thirds of the executives plan to invest more specifically in cybersecurity. An investment today in better cybersecurity practices will pay off highly in the future.

Reduce Cyberattack Dwell Time by Accelerating MTTD

Despite the sobering statistics, it is possible under many conditions to find attackers more quickly, and kick them out. Early detection is key and real-time detection is the holy grail. Ideally, you want to stop cybercriminals from gaining a foothold in your network in the first place. Accelerating Mean Time to Detect (MTTR) is the most important factor in reducing dwell time. Advanced real-time threat detection requires modern AI-powered tools, established and documented analytical and search processes, a dedicated security staff, and the cooperation of individual computer users.

A good place to start is the MITRE ATT&CK framework. ATT&CK can help cyber defenders develop analytics that detect the techniques used by an adversary. Gurucul offers a full 83 percent coverage of the MITRE Tactics, providing a robust way of automatically detecting and responding to attacks before bad actors become dwellers. Many of these attacks represent ways to get into a system, and to cause damage once there, so they are important to identify and remediate quickly, before any real damage is done.

Gurucul also has models for detecting the most common attacks in many vertical industries, such as healthcare, finance, and retail. Each vertical component set incorporates common use cases for threats, such as payment fraud, data exfiltration, and privacy protection, as well as an automatic means of identifying and initially responding to attacks.

For common attack vectors, Gurucul also provides out of the box identification and solutions for insider threats and account compromise, among others. User and Entity Behavior Analytics (UEBA) plays an important role here, by enabling the recognition of risky anomalous behavior and activities using machine learning models. Gurucul’s risk-based behavior analytics significantly reduces false positives and helps security teams quickly find and address breaches leveraging behavior analytics.

Minimize Cyberattack Dwell Time by Automating MTTR

Mean Time to Remediate/Respond (MTTR) is also an important consideration in reducing dwell time. By providing automatic initial responses, coupled with actionable intelligence to security professionals, Gurucul products do more than simply find dwellers. They also help take actions to remove them from the computing environment. Gurucul Risk-driven SOAR (Security Orchestration, Automation, and Response) is an essential tool in understanding the risks involved with various activities, and initiating remediation automatically.

Dwell time remains a major concern for organizations seeking to ensure that their networks and systems aren’t compromised. It’s not always possible to keep attackers out; however, once they are in and traversing the network, they are leaving footprints that analytics and risk-based cybersecurity products can find and fix. It simply requires the skills, tools, and emphasis to do so.

Summary: Decreasing MTTD and MTTR is Key to Reducing Dwell Time

Dwell time is still very much a problem, even with increased awareness
Solutions must address both detection and response to effectively eliminate or significantly reduce dwell times
Attackers are using automated tools to infiltrate your network, so you need to make use of automated defenses
The key to an effective solution is machine learning and analytics to address dwell time at scale

Attend Our Webinar

Join Gurucul as we will look at the tactics and techniques that criminals use to get into the network and stay undetected. We’ll discuss the failures of detection technologies and what can be done to improve Mean Time To Detect (MTTD). We’ll also look at response breakdowns and what you can do to progress Mean Time To Respond (MTTR).

Webinar: Dwell time: How are attackers staying hidden for so long?

Date/Time: November 4, 2021 at 11:00 am PT