While cyber security teams are becoming more proficient at detecting threats, attackers are also adapting their strategies, shows a new report published on Thursday. The report, based on new research from cyber security firm Sophos, said that "dwell time", which measures the time from when an attack begins to when it is detected, dropped from an average of 10 days to just eight for all attacks. At the same time, newer and more sophisticated cyber threats continue to evolve, it said.
This reduction in dwell time underlines the changing nature of attacks, Sophos said, with organisations becoming increasingly efficient at detecting and responding to incidents rapidly.
While the drop in dwell time is welcome news for organisations, the reality is that rapid reaction times mean threat actors are accelerating attacks and adopting new techniques. As John Shier, field CTO at Sophos, puts it, "In some ways we've been victims of our own success."
As adoption of technologies like extended detection and response (XDR) and services such as managed detection and response (MDR) grows, so does our ability to detect attacks sooner.
Lowering detection times leads to a faster response, which translates to a shorter operating window for attackers, explained Shier, adding that this "does not, however, make enterprises more secure, because experienced attackers are still getting into our networks, and when time isn't pressing, they tend to linger".
Notably, in eight out of 10 ransomware attacks, the final payload was launched outside of traditional working hours, and of those that were deployed during business hours, only five happened on a weekday.
"The number of attacks detected increased as the week progressed, most notably when examining ransomware attacks. Nearly half (43%) of ransomware attacks were detected on either Friday or Saturday,” the report noted.
With security teams responding to threats in record times, malicious actors have become increasingly conscious of operating hours and are purposefully targeting firms at the most inconvenient times possible.
Among the most concerning findings from the Sophos report was a decrease in the time it takes attackers to reach Active Directory (AD); on average, it took them just 16 hours.
Active Directory is among the most critical assets for any organisation, being used to manage identity and access to company resources. Gaining control of the directory would enable attackers to "easily escalate" system privileges and conduct malicious activity, Sophos said.
Shier warned that this decrease in time-to-AD should be a serious cause for concern for security teams. "Getting to and gaining control of the Active Directory server in the attack chain provides adversaries several advantages.
They can linger undetected to determine their next move, and, once they’re ready to go, they can blast through a victim's network unimpeded,” he said.
Cyber security firm Mandiant's M-Trends 2023 report, published in June, also showed that global median dwell time continued to drop year-over-year, down to 16 days in 2022. The report calls it the shortest median global dwell time ever recorded across M-Trends reporting periods.
That report also noted a growing recognition of the role partnerships and information exchange play in building a resilient cyber security ecosystem. But it is also true that the external party notifying an organisation of a breach may be the threat group itself, making a ransom demand.
Moreover, the report showed that most (if not all) security teams are overworked and understaffed, and it is harder than ever to keep up with the ever-expanding threat landscape. For example, a third of cyber team leaders report a higher number of absences due to burnout in the months after an attack. Unsurprisingly, the stress affects employees, with 54% reporting a negative impact on their mental health, and 56% saying that their role becomes more stressful each year.
For these reasons, some security teams have pivoted to modernised threat detection and response solutions to help reduce dwell time, it said.
Hence, despite the drop in dwell time, both reports show that the threat landscape continues to evolve. In such a situation it is imperative that security professionals deploy the right security tools, monitor proactively and continue to collaborate with the wider security community, researchers said.