Dwell time, in the context of cybersecurity, is the measured duration that a threat actor remains within a network ecosystem, from initial compromise through the period of going undetected until their termination and full eradication. Evaluation of data from incident response engagements, each caused by a successful asset compromise during one of various attacker campaigns, supports the theory that a reduction in dwell time decreases costs and the negative impact on organizational assets.
A conceptual understanding of the anatomy of a response and of the phases of a response is a critical criterion for dominating the cyber enemy before and during response situations.
The following artifacts anatomically describe cyber battles:
The following model, PICERL (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned), describes the phases of incident response (IR):
Having a comprehensive understanding of those three fundamental concepts (dwell time, anatomy, phases) improves response awareness and capability. Maturity improves over time through the dissemination and practice of those concepts, as well as through journaling the experiences in after-action reporting. But one phase of the PICERL model has by far the most significant impact on reducing dwell time: Preparation.
As in the natural world, those teams and organizations prepared for an encounter with the enemy, or for an e-disaster of some type, stand a better chance of survival than those that are not; anecdotally at least, common sense supports that statement. Those organizations that do not prepare, or that rationalize the lack of preparation on the view that their assets are not high-value targets, risk destruction or significant pain – statistically. There has been a consistent decline in dwell time of more than eighty percent since 2018 among customers that endorse preparedness. That mark is consistent with industry data as a whole, which in some studies shows a decline as high as ninety percent. Larger enterprises do a better job overall than smaller businesses, but the smaller companies that are fully engaged move faster and offer less resistance to opportunity-for-improvement (OFI) recommendations.
Moving from phase to phase throughout IR becomes lethargic for those that fail to embrace preparation. Containment, for example, is the most critical phase of IR during a cyber battle, and ignorance of a model within the containment phase is the second-largest contributing factor to increased dwell times. Once people get past and to the right of “BOOM” (a.k.a. “the pucker moment”), and their executive functions regain control from the hijacking by their amygdala, they instinctively know that stopping the threat is priority one. However, the mechanics of the arrest are often dysfunctional for the ill-prepared, creating delays in termination. Preparing for and using a containment model within the phases of PICERL consistently reduces overall response time by several days, and sometimes weeks. The decrease in response time, and possibly in the number and types of response personnel, has a positive impact on response costs; that is, of course, if controlling those costs is essential to the victim.
In summary, data from IR activities reveals that preparation reduces dwell time by reducing both response time and the response resources required. Reducing dwell time improves the probability of dominating cyber aggressors, maintains business continuity, and avoids costly IR scenarios. Get prepared and get in the cyber fight!