Five Tips to Reduce Dwell Time
Dwell time is arguably the most accurate indicator of an enterprise’s security.
The article discusses dwell time as the most accurate indicator of an enterprise’s security posture, explaining that long dwell times (commonly 200–250 days) enable attackers to complete multi-step kill chains while staying stealthy. It highlights how attackers leverage legitimate protocols and covert channels (for example DNS exfiltration and social media) to blend into normal traffic, and argues that traditional prevention-only controls and signature-based detection are insufficient against low-signal threats. The recommended outcomes are for organizations to establish internal and external traffic baselines, prioritize hardening and patching, assume breaches will occur, and allocate resources to detection and mitigation to shorten dwell time and reduce operational impact.
Why is dwell time considered a better security indicator than the number of breached systems?
Dwell time reflects how quickly an organization detects and eliminates an intrusion, directly measuring incident response effectiveness; a shorter dwell time indicates strong detection and containment capabilities. In contrast, the raw count of breached systems is ambiguous: a high number could mean robust detection uncovered many incidents, or it could mean poor detection allowed many compromises to occur unnoticed. Because attackers require time to progress through the kill chain, minimizing dwell time limits their ability to achieve objectives, making it a more actionable metric for operational security improvements.
What attacker techniques make detection difficult and how should enterprises adapt?
Attackers favor stealth: using common protocols and legitimate services (for example DNS for exfiltration or posting benign-looking content to social media) to communicate with command-and-control and avoid signature-based detection. They also craft low-signal malware to blend into normal operations. Enterprises should co-evolve by shifting focus from solely perimeter prevention to understanding their normal traffic patterns—monitoring both internal and external network flows—so deviations can be investigated. Traditional best practices like system hardening, risk-based patch prioritization, and assuming eventual breach should be combined with enhanced detection and mitigation efforts.
What practical steps can organizations take to shorten dwell time according to the article?
The article recommends five pragmatic approaches: 1) Monitor and establish baselines for both internal and external network traffic so anomalies stand out; 2) Move beyond perimeter-only visibility (many enterprises only capture external proxy traffic) to gain internal network visibility; 3) Harden systems, perform risk analyses, and consistently prioritize patching of critical vulnerabilities; 4) Assume breaches will occur and allocate resources to detection and mitigation rather than only prevention; and 5) Recognize limitations of signature-based tools and complement them with behavioral monitoring to reduce false positives and find low-signal malicious activity.
Dwell time is arguably the most accurate indicator of an enterprise’s security. It shows how good you are at finding and eliminating actual breaches. Other indicators are less reliable. For example, a low number of breached systems might indicate that your systems are well protected, or it might mean there are gaps in your ability to identify intrusions. Dwell time, on the other hand, is critical for attackers to reach their goal, because an attack must go through all the steps of a “Kill Chain”, which requires time. Dwell time typically ranges from 200 to 250 days.
Stealth is the number one tool in an attacker’s arsenal – a breached system should look and behave as normally as possible to avoid detection. To keep their activities under the radar, cyber attackers use common protocols and services to communicate with Command and Control centers, so as not to attract the attention of common detection methods. Covert channels such as DNS exfiltration, or posting innocuous-looking messages or images to social media to be picked up by the attacker later, are becoming increasingly common ways to avoid detection.
Attackers have done a great job authoring malware that is very “low signal” in an effort to stay hidden. Enterprises, on the other hand, end up sorting through all the noise of the various security technologies they have in place to find that signal. This is basic physics – if you design your detection scheme to be too sensitive to the signal, it will get overwhelmed by the noise, giving nothing but endless false positives that erode confidence in the scheme itself. On the flip side, if you design your detection scheme to be too insensitive, you will never find the signal that indicates the compromise.
Below are five basic tips to reduce dwell time.
- Enterprises should co-evolve with the attackers and understand that traditional firewalls or signature-based detection methods will do little to protect against the new generation of threats.
- As attackers are opting for indirect methods of communication through legitimate services, enterprises should focus their efforts on understanding their “normal” by closely monitoring internal and external traffic on their network. Most enterprises just capture external traffic through web proxies but have no visibility into the internal network.
- Once the baseline is established, any deviation from expected behavior should be scrutinized further to look for signs of suspicious activity.
- Traditional security best practices such as hardening all systems, performing risk management analysis and consistently prioritizing the patching of critical and vulnerable systems still go a long way in shortening dwell time.
- Enterprises should assume that they will be breached and prepare for it, which means that sufficient resources should be allocated to detection and mitigation as opposed to just focusing on prevention. A recent survey of over 300 enterprises conducted by UBM revealed that:
  - 93% of organizations use anti-virus and anti-malware tools
  - 82% use perimeter firewalls
  - 65% use intrusion prevention systems
  - 52% use unified threat management systems
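The baselining tips above (know your “normal” internal traffic, then scrutinize deviations) can be applied to the DNS exfiltration channel the article mentions. The example below is added here and is not from the article: it summarizes a constructed internal DNS query log per host and registrable domain, then flags pairs whose distinct leftmost labels are unusually numerous and high-entropy, which is how a tunnelled DNS channel stands out from ordinary lookups. The thresholds, the two-label “base domain” rule and the log format are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample log of (source host, queried name); not real traffic.
SAMPLE_LOG = [
    ("ws-01", "www.example.com"),
    ("ws-01", "mail.example.com"),
    ("ws-01", "cdn.example.net"),
    ("ws-02", "www.example.com"),
    ("ws-02", "a1b2c3d4e5f60718.tunnel.example.org"),
    ("ws-02", "9f8e7d6c5b4a3928.tunnel.example.org"),
    ("ws-02", "0011aabbccdd2233.tunnel.example.org"),
    ("ws-02", "44ee55ff66aa77bb.tunnel.example.org"),
    ("ws-02", "88cc99dd00ee11ff.tunnel.example.org"),
    ("ws-02", "1234abcd5678ef90.tunnel.example.org"),
]

def shannon_entropy(label):
    """Bits of entropy per character; encoded payload labels score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(qname):
    """Return (leftmost label, base domain). Assumption: the base domain
    is the last two labels; a real deployment would use the Public Suffix List."""
    labels = qname.rstrip(".").split(".")
    return labels[0], ".".join(labels[-2:])

def summarize(log):
    """Baseline view: distinct leftmost labels seen per (host, base domain)."""
    seen = defaultdict(set)
    for host, qname in log:
        label, base = split_name(qname)
        seen[(host, base)].add(label)
    return seen

def find_deviations(log, max_distinct_labels=5, min_mean_entropy=3.0):
    """Flag (host, base domain) pairs with many distinct, high-entropy labels.
    Returns sorted (host, base, label_count, mean_entropy) tuples."""
    hits = []
    for (host, base), labels in summarize(log).items():
        mean_ent = sum(shannon_entropy(l) for l in labels) / len(labels)
        if len(labels) > max_distinct_labels and mean_ent >= min_mean_entropy:
            hits.append((host, base, len(labels), round(mean_ent, 4)))
    return sorted(hits)
```

Tune the thresholds against your own baseline period first; CDNs and some telemetry services legitimately generate many distinct subdomains, so the entropy floor and label count should be set where such known-good traffic stays below them.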