The Defense Window is Closing: Why Declining Dwell Times Is Concerning

While ransomware still dominates the threat landscape, recent Sophos research finds attacker dwell time decreased in 2022, from 15 to 10 days, for all attack types. For ransomware cases, the dwell time decreased from 11 to 9 days, while the decrease was even greater for non-ransomware attacks. The dwell time for the latter declined from 34 days in 2021 to just 11 days in 2022.

Clearly, less time to dwell means attackers are finding ways to execute on their exploits sooner – and the race between attackers and defenders has heated up. However, according to John Shier, field CTO, commercial at Sophos, the dwell time decrease also signals a positive trend. It possibly points to improvement in the detection of active attacks – a real improvement for defenders and their capabilities. Sophos has also observed that many attacks that have taken place have been less severe thanks to tools and services.

“I think more organizations today are deploying tools that allow them to detect and remediate or respond to events within the network. Technology like EDR (Endpoint Detection and Response) XDR (Extended Detection and Response) and MDR (Managed Detection and Response), for example. For business leaders, it shows that these tools are working. Having these tools in your network, and having these services working for you, is going to lessen the severity of attacks.”

Suspicious signals now require immediate attention

Still, decreased dwell times on networks pose significant challenges for defenders and organizations. Criminals are becoming increasingly aware of the tools and measures employed by network defenders, like EDR. In response, they are using EDR killer tools to disable or evade detection, said Shier. This results in a race against time for defenders, as the faster criminals move, the less time there is to detect and respond to their activities.

Ransomware groups are particularly stealthy now, he said, but all types of attacks are happening at a faster rate. That’s why prevention is as critical as ever – and early detection is essential.

“You can’t ignore suspicious signals anymore,” said Shier. “There was a time a while back when you could maybe go: ‘OK, well, that looks suspicious. But I have other things to do. I’ll get to it later.’ Those days are gone.”

Shier said unfortunately many teams are still forced to delay action because they either lack the technical understanding of what is happening, or they don’t have the tools or capabilities to properly address suspicious signals in a timely manner. Tools like EDR and XDR can buy valuable time to investigate and catch criminals in the act.

“A proactive approach is more effective than discovering an attack after systems are already compromised.”

If your organization is lacking the technology and skills set to proactively address suspicious signals, external assistance becomes essential to handle the challenge and bolster security posture.

“You need to critically assess, honestly, what your capabilities are and let go of your ego. It’s not that you don’t know how to threat hunt. It may be that just don’t have the time and budget to learn. But it needs to be done.”

Working with an external provider means security teams can stay focused on mission critical tasks, while also ensuring a managed service provider is keeping an eye out for suspicious activity to thwart attacks in the early stages. Learn how Sophos can provide you with managed security to assist your organization with detection and response by visiting Sophos.com.


Go to Source