Incident Response: Dwell Time

Correlation Between Preparation, Dwell Time, and Cost

Dwell Time Defined

Dwell time, in the context of cybersecurity, is a measurement used to convey the duration that a threat actor enjoys going undetected within a network ecosystem until their termination and full eradication. Evaluation of data from incident response engagements, caused by successful asset compromise due to various attacker campaigns, supports the theory that a reduction in dwell time decreases costs and the negative impact on organizational assets.

Anatomy & Phases Of Incident Response

Understanding in the abstract the anatomy of response and the phases of response is a critical criterion for dominating the cyber enemy before and during response situations.

The following artifacts anatomically describe cyber battles:

  1. Indicators of Compromise (IOC)
    1. Evidential characteristics of the attack (nouns of the attack)
  2. Cyber Kill Chain (CKC)
    1. Tactics, techniques, and procedures (TTP) employed by attackers (attacker verbs)
  3. Courses of Action (COA) 
    1. TTP used by responders (response team verbs)

The following model (PICERL) describes the phases of incident response (IR):

  1. Preparation
    1. Roles, training, severity rating definitions, technology controls (cyber weapons), TTP and rules of engagement, evidence collection, and preservation, after-action report and situation report (sitrep) templates, coordination, sharing and notifications (comms), insurance, legal, and regulation
  2. Identification
    1. Severity rating assessment, IOC analysis, CKC evaluation, COA strategies, force type, force concentration, resource requirements, and comms planning
  3. Containment
    1. Inventory + 6-Ds: inventory (e-battlefield enumeration), detect, deny, degrade, deceive, disrupt, destroy
  4. Eradication
    1. Aggressor termination and TTP elimination
  5. Recovery
    1. Reaching the recovery point objective 
  6. Lessons / Opportunities For Improvement (OFI)
    1. Enhancements resiliency, response, and risk reduction strategies

Reducing Dwell Time Through Better Preparation

Having a comprehensive understanding of those three fundamental concepts (dwell time, anatomy, phases) improves response awareness and capability. Maturation improvements are realized over time by the dissemination and practice of those concepts as well as journaling the experiences through after-action reporting. But there is a particularly important part of the PICERL phase that has the most significant impact on reducing dwell time: Preparation.

Similar to the natural world, those teams and organizations prepared for an encounter with the enemy, or an e-disaster of some type, will stand a better chance of survival than those that don’t, at least anecdotally: common sense befriends that statement. Those organizations that do not prepare or rationalize the lack of preparation as being connected to a view of their assets not being high-value targets, risk destruction, or significant pain – statistically. There is a consistent decline in dwell time of more than eighty percent since 2018 in customers that endorse preparedness. That mark is consistent with industry data as a whole, which in some studies is as high as ninety percent. Larger enterprises do a better job overall than smaller businesses, but the smaller companies that are fully engaged move faster and offer less resistance to OFI recommendations.

Controlling Costs By Reducing Response Times

Moving from phase to phase throughout IR becomes lethargic for those that fail to embrace preparation. For example, containment is the most critical phase of IR during a cyber battle. Ignorance of a model within the containment phase is the second-largest contributing factor to increased dwell times. Once people get past and to the right of “BOOM” (a.k.a “the pucker moment”), and their executive functions gain control over the hijacking by their amygdala, they instinctively know that stopping the threat is priority one. However, the mechanics of the arrest are often dysfunctional for the ill-prepared creating delays in termination. Preparing for and using a containment model within the phases of PICERL, reduces overall response time consistently by several days, and sometimes weeks. The decrease in response time, and possibly the numbers and types of response personnel, has a positive impact on response costs; that is, of course, if controlling those costs is essential to the victim.


In summary, data from IR activities reveals that preparation reduces dwell time by reducing response time and the required response resources. Reducing dwell time will improve the probability of domination over cyber aggressors, maintain business continuity, and avoid costly IR scenarios. Get prepared and get in the cyber fight!

Contact Us

If you need help with improving your cybersecurity, including incident response, contact us at


Comments are closed.