Active adversary dwell time: The good (and bad) news

In its analysis of the first half of 2023, the Sophos X-Ops Incident Response Team found good (and bad) news regarding active adversary dwell time. In a nutshell, dwell time, defined as the time between when an attack starts and when it is detected, has declined.

This dwell time decline was especially pronounced for ransomware attacks, where the median dwell time for the first half of 2023 declined from 9 days in 2022 to 5 days. Median dwell time for all incidents during that time frame also fell to 8 days from 10 days.

There was one countertrend, however: outside of ransomware incidents, dwell times increased from 11 to 13 days.

The good news? Dwell times are decreasing mainly because organizations have better eyes on the situation. According to John Shier, field CTO at Sophos, as the adoption of technologies like extended detection and response and services such as managed detection and response grows, so does the ability to detect attacks sooner. "Decreasing detection times leads to a faster response, translating to a shorter operating window for attackers. At the same time, criminals have been honing their playbooks, especially the experienced and well-resourced ransomware affiliates, who continue to speed up their noisy attacks in the face of improved defenses," says Shier.

Indeed, enterprises detecting specific attacks earlier is excellent news, and the fact that attackers are adjusting their tactics is to be expected. Adjusting tactics is what criminals have done throughout history. However, recent indications also show organizations are more willing to pay ransoms, which increases the motivation for these attacks.

And, as Shier pointed out, shorter ransomware detection times don't mean everyone is more secure. "Attackers are still getting into our networks, and when time isn't pressing, they tend to linger. But all the tools in the world won't save you if you're not watching. It takes the right tools and continuous, proactive monitoring to ensure that criminals have a worse day than you do. This is where managed detection and response can close the gap between attackers and defenders because even when you're not watching, we are," says Shier.

Such capabilities can also come from intrusion detection/prevention systems, endpoint detection and response, and security information and event management/security orchestration, automation and response systems.

However, technology is only the first step. Security teams need the right people to act on the alerts that this visibility will likely generate.

Properly triaging each alert, and reacting quickly once it is confirmed to be a threat, is critical to expelling an attacker before they move laterally on the network.

George V. Hulme

An award-winning writer and journalist, for more than 20 years George Hulme has written about business, technology, and IT security topics. He currently freelances for a wide range of publications, and is a security blogger at InformationWeek.com. From
