Falling Dwell Time May Be Due to Faster Threat Activity

Written by

Median attacker dwell time decreased from 15 to 10 days globally last year, but the decline may indicate that threat actors are achieving their goals more quickly, according to Sophos.

The security vendor compiled its Sophos Active Adversary Report for Business Leaders from 152 incident response investigations spanning the globe.

It found non-ransomware dwell times declined from 34 days to 11 days last year, while dwell times for ransomware-related breaches declined from 11 to 9 days.

Read more on dwell time: Global Dwell Time Drops but EMEA Lags.

A Mandiant study out last week put the median figure globally at 16 days – the lowest since it began tracking the statistic over a decade ago.

However, as the Google-owned intelligence vendor argued at the time, this is not necessarily a sign of network defenders getting better at spotting attacks. It may be that the attackers have worked through their kill chain stages and increasingly want to be detected more quickly so they can be paid or are in the process of launching destructive/disruptive payloads.

Sophos also warned against an over-simplistic interpretation of the data.

“The good news is that it might signal improvement in the detection of active attacks – a real improvement for defenders and their capabilities,” it claimed. “The bad news is that the attackers might be speeding up their efforts in response to improvements in detection capabilities. We’ll be watching dwell-time statistics in particular throughout 2023 to see if we’re observing a sea change in the ongoing back-and-forth between defenders and attackers.”

Elsewhere, Sophos revealed that exploited vulnerabilities remained the most common method of initial access, accounting for 37% of breaches analyzed. Over half (55%) of these were exploits of ProxyShell or the Log4Shell vulnerability, which should have been patched by victim organizations at the time.

The second most common method of initial access was compromised credentials (30%), which Sophos said often indicates the work of an initial access broker (IAB).

Nearly a fifth (17%) of incidents had an “unknown” root cause. Organizations must get better at logging, and backing up their logs, to improve visibility, Sophos argued.

“The problem with ‘Unknown’ is that it prevents full remediation. If the organization does not know how the attackers get in, how will it fix the problem to prevent future attacks?” the report noted.

“Sometimes attackers wipe the data to erase their tracks, certainly, but other times the defenders will re-image systems prior to starting an investigation. Some systems are configured to overwrite their logs too quickly and/or frequently. Worst of all, some organizations do not collect the evidence in the first place.”

What’s hot on Infosecurity Magazine?