A report from the cybersecurity firm Mandiant showed a continued decline in an intrusion figure known as “dwell time.” The reduction in dwell time, though encouraging, also suggests that attackers and defenders alike are working at a faster pace than ever in an increasingly complex threat landscape.
According to the M-Trends 2022 Report from the Virginia-based Mandiant, global median dwell time—or the duration an attacker is present in a target’s environment before being detected—has decreased by three days.
For intrusions investigated between October 1, 2020, through December 31, 2021, the median number of days between compromise and detection was 21, down from 24 days in 2020, said the researchers.
The trend is a promising, “demonstrable” advancement, Steven Stone, vice president of Mandiant’s advanced practices group said.
“We’re seeing some robust improvement in dwell time year over year over year. That’s the good news,” said Stone. “The bad news is 21 days is still an awful lot of time for an attacker to potentially have access to an environment.”
Or another way to represent the good news/bad news:
“We’re seeing defenders move faster than ever. We’re seeing attackers move faster than ever,” said Stone.
The Mandiant report arrives after some notable recent attacks featuring some extended dwell time.
One of the higher-profile compromises—a supply-chain attack on the IT-support software company Solar Winds—found its way to at least 18,000 systems before detection. First reported in December of 2020, attackers may have had access to systems for more than a full year, beginning at least in September 2019.
Just this month, Mandiant discovered a cyber espionage intrusion that remained on a network for 18 months.
Some attackers, however, are less concerned about hanging out. Deployers of ransomware, for example, have a way of eventually announcing themselves and saying, “Pay us.”
The Mandiant report noted that, in 2021, 23% of intrusions involved ransomware compared to 25% in 2020, and that ransomware attacks continue to drive down dwell times.
An April finding from DFIR showed similar signs of rapid ransomware, including a domain-wide deployment—from access to encryption—in three hours and 46 minutes. “That’s very different from a traditional espionage intrusion, where the last thing they want to do is reveal that they’re on that machine,” said Stone.
The demonstrable improvement
When compared to years of cyberspies hiding out on a network, 21 days of dwell time is a positive indicator that security has become a priority in the enterprise, said Allie Mellen, security and risk analyst at the Cambridge, Massachusetts-based research firm Forrester.
“It’s likely a combination of the maturity of the industry, not just the tools that are being developed to detect these trends, but also the processes that security leaders are putting in place,” Mellen said. “CISOs have more business buy-in. They’re getting more attention from the board than they ever have before.”
Can smaller organizations keep up?
While defenders and attackers are moving faster than ever, however, smaller organizations still may not be able to move at swift speeds.
“Most midsize and small organizations still have a very limited budget and a very limited capability to support any type of real robust security function in the enterprise,” said Mellen.
The Mandiant report pulled data from environments of clients, many of which are Fortune 500 companies, said Stone. Smaller organizations, ones lacking sophisticated detection technology, maybe at a disadvantage.
Michael Arnold, the consultant for the Wisconsin-based ITNS Consulting, works with clients whose size ranges from three employees to 300 employees, and effective network-monitoring tools may be out of reach for these smaller businesses.
“Logging user activity, logging data activity, access activity, identity management, those kinds of things become very difficult for smaller businesses to be able to afford on their own, generally, because there’s a high cost of entry,” Arnold said. “And then, of course, you have to have somebody knowledgeable enough to be looking at those logs.”
Overall, however, Arnold finds reduced dwell times encouraging.
“I do,” said Arnold. “I wish that that was happening more in the small business space.”