Five Tips to Reduce Dwell Time

Dwell time is arguably the most accurate indicator of an enterprise’s security.


August 8, 2016

Dwell time is arguably the most accurate indicator of an enterprise’s security. It can determine how good you are in finding and eliminating actual breaches. Some indicators are less reliable. For example, the number of breached systems might either indicate your systems are well protected or, it might mean there are gaps in your ability to identify intrusions. On the other hand, dwell time is critical for an attacker to reach its goal, because an attack must go through all the steps of a “Kill Chain”, which requires time. Dwell time typically ranges between 200 to 250 days.[i

Stealth is the number one tool in an attacker’s arsenal – a breached system should look and behave as normal as possible to avoid detection. To keep their activities under the radar, cyber attackers use common protocols and services to communicate with Command and Control centers, to avoid attracting attention of common detection methods. Using covert channels such as DNS exfiltration and posting innocuous looking messages or images to social media to be picked up by the attacker later are becoming increasingly common for avoiding detection.

Attackers have done a great job authoring malware that is very “low signal” in an effort to stay hidden. Enterprises on the other hand end up sorting through all the noise of the various security technologies they have in place to find that signal.  This is basic physics – if you design your detection scheme to be too sensitive to the signal it will get overwhelmed by the noise, giving nothing but endless false-positives that erode the confidence in the scheme itself.  On the flip side, if you design your detection scheme to be too insensitive, you will never find the signal that indicates the compromise.

Below are five basic tips to reduce dwell time.

  1. Enterprises should co-evolve with the attackers and understand that traditional firewalls or signature-based detection methods will do little to protect against the new generation of threats.
  2. As attackers are opting for indirect methods of communication through legitimate services, enterprises should focus their efforts on understanding their “normal” by closely monitoring internal and external traffic on their network. Most enterprises just capture external traffic through web proxies but have no visibility into the internal network.
  3. Once the baseline is established, any deviation from expected behavior should be scrutinized further to look for signs of suspicious activity.
  4. Traditional security best practices such as hardening all systems, performing risk management analysis and prioritizing the patching of critical and vulnerable systems consistently still goes a long way in shortening dwell time.
  5. Enterprises should assume that they will be breached and prepare for it, which means that sufficient resources should be allocated into detection and mitigation as opposed to just focusing on prevention. A recent survey of over 300 enterprises conducted by UBM revealed that:
    • 93% of organizations use anti-virus and anti-malware tools
    • 82% use perimeter firewalls
    • 65% use intrusion preventions systems
    • 52% use unified threat management systems

Published in:

An avatar of the author

BlueCat is the Adaptive DNS company. The company’s mission is to help organizations deliver reliable and secure network access from any location and any network environment. To do this, BlueCat re-imagined DNS. The result – Adaptive DNS – is a dynamic, open, secure, scalable, and automated DDI management platform that supports the most challenging digital transformation initiatives, like adoption of hybrid cloud and rapid application development.

Related content

Detect anomalies and CVE risks with Infrastructure Assurance 8.4 

The Infrastructure Assurance 8.4 release features an anomaly detection engine for outliers and a CVE analysis engine to uncover device vulnerabilities.

Read more

Get fast, resilient, and flexible DDI management with Integrity 9.6

With Integrity 9.6, network admins can get support for new DNS record types, architect and configure multi-primary DNS, and automate IP assignments.

Read more

Deepen your security insight with Infrastructure Assurance 8.3

BlueCat Infrastructure Assurance 8.3, with an enhanced analytics dashboard, including interactive widgets and top 10 alerts, is now available.

Read more

Security, automation, cloud integration keys to DDI solution success

Only 40% of enterprises believe they are fully successful with their DDI solution. Learn how to find greater success with new research from EMA and BlueCat.

Read more

Our commitment to Micetro customers and product investment

From CEO Stephen Devito, a word on BlueCat’s ongoing commitment to supporting Micetro customers and Micetro’s evolution as a network management tool.

Read more

Seven reasons to rethink firewall monitoring and boost automation 

With BlueCat Infrastructure Assurance, you can better protect your network with automated alerts and suggested remedies for hidden issues in your firewalls.

Read more