Shrinking cyber attack “dwell times” highlight growing war of attrition with threat actors

The arms race between security teams and threat actors is escalating as “dwell times” shorten, according to new research from Sophos. 

Dwell times, which mark the time from when an attack starts to when it is detected, dropped from an average of 10 days to just eight for all attacks, the analysis shows. 

This dip underlines the changing nature of attacks, Sophos said, with organizations becoming increasingly efficient at detecting and responding to incidents in rapid time. 

“As adoption of technologies like XDR (extended detection and response) and services such as MDR (managed detection and response) grows, so does our ability to detect attacks sooner,” said John Shier, field CTO at Sophos. 

“Lowering detection times leads to a faster response, which translates to a shorter operating window for attackers.”

While this may appear to be positive news for organizations, the reality is that rapid reaction times mean threat actors are accelerating attacks and adopting new techniques. 

Shier suggested that many organizations have become “victims of their own success” with regard to security practices, prompting a more aggressive approach from attackers and placing significant strain on security practitioners. 

“Criminals have been honing their playbooks, especially the experienced and well-resourced ransomware affiliates, who continue to speed up their noisy attacks in the face of improved defenses.”

For ransomware attacks, the most prevalent form of attack analyzed, dwell time dropped significantly from 10 days to five, Sophos found. 

Similarly, in more than three quarters (81%) of ransomware attacks, Sophos said the final payload was launched outside of conventional working hours. Of those that were deployed during traditional operating hours, only five occurred on a weekday. 

“The number of attacks detected increased as the week progressed, most notably when examining ransomware attacks. Nearly half (43%) of ransomware attacks were detected on either Friday or Saturday,” the firm said. 

With security teams acting swiftly to respond to threats in record times, malicious actors have become increasingly conscious of operating hours and are purposefully targeting firms at the most inconvenient times possible. 

Long-term, this means that organizations aren’t necessarily more secure, Shier said. 

“This is evidenced by the leveling off of non-ransomware dwell times. Attackers are still getting into our networks, and when time isn't pressing, they tend to linger. But all the tools in the world won't save you if you're not watching.”

Growing Active Directory risks

Among the most concerning finds from the Sophos report was a decrease in the time it takes for attackers to reach Active Directories (AD); on average, it took them just 16 hours.

Active directories are among the most critical assets for any organization, being used to manage identity and access to company resources. Gaining access to a directory would enable attackers to “easily escalate” system privileges and conduct malicious activity, Sophos said. 

The decreased dwell time in this regard should be a serious cause for concern for security teams, Shier warned. 

"Attacking an organization's Active Directory infrastructure makes sense from an offensive view. AD is usually the most powerful and privileged system in the network, providing broad access to the systems, applications, resources, and data that attackers can exploit in their attacks,” he said.

“Getting to and gaining control of the Active Directory server in the attack chain provides adversaries several advantages. They can linger undetected to determine their next move, and, once they’re ready to go, they can blast through a victim's network unimpeded.”