Dwelling on Dwell Time
Over the past year, “Dwell Time” has become part of the American lexicon. In the context of infectious disease, the term is the length of time a disinfectant needs to remain wet on a surface to properly disinfect it. The quicker a disinfectant solution kills pathogens and sanitizes a surface, the better it works. The COVID-19 pandemic has made most of us experts in disinfectants.
The concept of dwell time is also important in the field of information and computer network security. Dwell time is the length of time a threat actor is active, while undetected, within a network. It is the measurement of time from initial breach to detection. Because the distribution is heavily skewed (a handful of intrusions that went unnoticed for years will drag an average up), industry reports usually publish the median rather than the mean, and the number is only as good as the way “detection” was defined when the cases were counted. Obviously, the longer the adversary lives in the environment, the more time they have to steal data and damage systems. The ultimate goal of every security team is to reduce adversary dwell time to the minimum possible. A dwell time of ZERO is the ideal.
Security software and threat prevention company Sophos released a report titled “The Active Adversary Playbook 2021”. The report is well written and has garnered some attention among cybersecurity media and practitioners. One of the more prominent and celebrated points made by the report is a median adversary dwell time of eleven (11) days. I immediately winced when I read this claim. I'm not an expert by any means, but that number seemed way off. Particularly since FireEye reported a global median dwell time of 56 days in their 2020 M-Trends report. Did the security industry get that much better in just a year?
I really enjoy listening to John Strand from Black Hills Infosec talk about security. Well, I'd probably listen to him talk about anything really. He is incredibly insightful and breaks down complex security and threat intelligence topics into something easily digestible for the rest of us. On my reading/watch list (yes, I keep a list) was a Black Hills Infosec webcast published to YouTube on May 11th, 2021, titled “Emergency Webcast: OK Let's talk about ransomware – With John Strand”. Skip to 29:00 to miss the small talk.
In this webcast, John speaks about a recent conversation he had with cloud security expert and SANS instructor Chris Brenton (skip to 1:02:34). Brenton observed that dwell time cannot be accurately determined in ransomware cases because the attackers inevitably announce that they are in the network. You didn't detect them at all. They jumped out of the closet banging a drum and screaming “we're here, pay us”. And then cousin Larry jumps out: “Oh, and BTW, we also stole all your data, pay us some more!” It's not a detection when the burglar walks through the front door while you were watching the back and then taps you on the shoulder.
If they hadn't announced themselves in such a visible and violent way, how long would it have been until you found them? I'm guessing about 56 days.
The Sophos report acknowledges that 81% of the cases it studied were ransomware. I suspect they found the median number of days ransomware threat actors wait before announcing their presence, not the time security teams took to detect adversaries in their networks.
Sophos acknowledges that ransomware attacks have shorter dwell times and that the release of the ransomware payload is often the moment the attack becomes visible to the security team. I'm not questioning their collected data or research methods, but an adversary dwell time of 11 days should not be applied to the threat detection field as a whole. Before quoting any headline dwell-time figure, it is worth asking two questions of the underlying case set: what share of the cases is ransomware, and how many intrusions were actually found by the defender rather than disclosed by the attacker. Reported separately, the “attacker announced” and “defender detected” medians tell very different stories, and only the second one says anything about a detection program.
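As an added illustration (this is not code from the post, and the records are constructed, not taken from the Sophos or FireEye reports), the following script stratifies a case set by how each intrusion came to light. The sample is built to match the concern above: roughly 81% of the records are ransomware cases whose dwell period ended when the attacker announced themselves, while the remaining cases were found by the defender. The headline median over all cases lands on the ransomware figure, while the median of the cases the defender actually detected sits far higher. The category names and the specific day counts are assumptions chosen for the example.

```python
"""Stratify adversary dwell time by how the intrusion was discovered.

Added example for illustration only. The incident records below are
constructed; they do not come from the Sophos Active Adversary Playbook,
FireEye M-Trends, or any other report.
"""
from collections import defaultdict
from statistics import median

# Constructed records: (incident_type, how_discovered, dwell_days).
# "attacker_announced" = a ransom note or extortion demand ended the dwell period.
# "defender_detected"  = the security team found the intrusion on its own.
INCIDENTS = [
    *[("ransomware", "attacker_announced", d)
      for d in (3, 5, 6, 7, 8, 9, 10, 10, 11, 11, 11, 12, 14, 15, 18, 21, 27)],
    *[("data_theft", "defender_detected", d) for d in (40, 50)],
    *[("espionage", "defender_detected", d) for d in (70, 95)],
]


def dwell_by_discovery(incidents):
    """Group dwell-day values by how the intrusion was discovered."""
    groups = defaultdict(list)
    for _type, discovered, days in incidents:
        groups[discovered].append(days)
    return dict(groups)


def median_dwell(incidents, discovered=None):
    """Median dwell time, optionally restricted to one discovery source.

    Returns None when nothing matches: a median of an empty set is
    meaningless, and returning 0 would read as the "ideal" dwell time.
    """
    days = [d for _t, src, d in incidents if discovered is None or src == discovered]
    return median(days) if days else None


def ransomware_share(incidents):
    """Fraction of the case set that is ransomware, rounded to two places."""
    ransomware = sum(1 for t, _s, _d in incidents if t == "ransomware")
    return round(ransomware / len(incidents), 2)


def true_detection_rate(incidents):
    """Fraction of intrusions the defender found before the attacker said 'pay us'."""
    found = sum(1 for _t, src, _d in incidents if src == "defender_detected")
    return round(found / len(incidents), 2)


def summarize(incidents):
    """The headline number next to the stratified numbers it hides."""
    return {
        "ransomware_share": ransomware_share(incidents),
        "median_all": median_dwell(incidents),
        "median_attacker_announced": median_dwell(incidents, "attacker_announced"),
        "median_defender_detected": median_dwell(incidents, "defender_detected"),
        "true_detection_rate": true_detection_rate(incidents),
    }


if __name__ == "__main__":
    for key, value in summarize(INCIDENTS).items():
        print(f"{key:28s} {value}")
```

The single aggregate median is pulled to the majority category regardless of how good anyone's detection is; with this sample it equals the attacker-announced median exactly. The number a detection team should track is the `median_defender_detected` line, and `true_detection_rate` makes plain how small a slice of a ransomware-heavy case set that is.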