Five Tips to Reduce Dwell Time

Dwell time is arguably the most accurate indicator of an enterprise’s security.

Dwell time is arguably the most accurate indicator of an enterprise’s security. It can determine how good you are in finding and eliminating actual breaches. Some indicators are less reliable. For example, the number of breached systems might either indicate your systems are well protected or, it might mean there are gaps in your ability to identify intrusions. On the other hand, dwell time is critical for an attacker to reach its goal, because an attack must go through all the steps of a “Kill Chain”, which requires time. Dwell time typically ranges between 200 to 250 days.[i

Stealth is the number one tool in an attacker’s arsenal – a breached system should look and behave as normal as possible to avoid detection. To keep their activities under the radar, cyber attackers use common protocols and services to communicate with Command and Control centers, to avoid attracting attention of common detection methods. Using covert channels such as DNS exfiltration and posting innocuous looking messages or images to social media to be picked up by the attacker later are becoming increasingly common for avoiding detection.

Attackers have done a great job authoring malware that is very “low signal” in an effort to stay hidden. Enterprises on the other hand end up sorting through all the noise of the various security technologies they have in place to find that signal.  This is basic physics – if you design your detection scheme to be too sensitive to the signal it will get overwhelmed by the noise, giving nothing but endless false-positives that erode the confidence in the scheme itself.  On the flip side, if you design your detection scheme to be too insensitive, you will never find the signal that indicates the compromise.

Below are five basic tips to reduce dwell time.

  1. Enterprises should co-evolve with the attackers and understand that traditional firewalls or signature-based detection methods will do little to protect against the new generation of threats.
  2. As attackers are opting for indirect methods of communication through legitimate services, enterprises should focus their efforts on understanding their “normal” by closely monitoring internal and external traffic on their network. Most enterprises just capture external traffic through web proxies but have no visibility into the internal network.
  3. Once the baseline is established, any deviation from expected behavior should be scrutinized further to look for signs of suspicious activity.
  4. Traditional security best practices such as hardening all systems, performing risk management analysis and prioritizing the patching of critical and vulnerable systems consistently still goes a long way in shortening dwell time.
  5. Enterprises should assume that they will be breached and prepare for it, which means that sufficient resources should be allocated into detection and mitigation as opposed to just focusing on prevention. A recent survey of over 300 enterprises conducted by UBM revealed that:
    • 93% of organizations use anti-virus and anti-malware tools
    • 82% use perimeter firewalls
    • 65% use intrusion preventions systems
    • 52% use unified threat management systems

An avatar of the author

BlueCat provides core services and solutions that help our customers and their teams deliver change-ready networks. With BlueCat, organizations can build reliable, secure, and agile mission-critical networks that can support transformation initiatives such as cloud adoption and automation. BlueCat’s growing portfolio includes services and solutions for automated and unified DDI management, network security, multicloud management, and network observability and health.

Related content

Micetro 11.1 boosts DHCP management for Cisco Meraki SD-WAN

Learn how BlueCat Micetro 11.1 can help you overcome the limitations of Cisco Meraki SD-WAN devices to manage your distributed DHCP architecture.

Read more
Banner announcing BlueCat's acquisition of LiveAction, displaying both logos and the phrase "We're about to get bigger."

BlueCat acquires LiveAction to drive network modernization and optimization

BlueCat’s acquisition of LiveAction will allow customers to expand their view beyond DNS and dive deeper into the health of their network.

Read more

Simplify NIS2 compliance with DNS management

Learn whether the EU’s NIS2 requirements apply to your organization and about how DNS management and BlueCat can boost your path to compliance.

Read more

Detect anomalies and CVE risks with Infrastructure Assurance 8.4 

The Infrastructure Assurance 8.4 release features an anomaly detection engine for outliers and a CVE analysis engine to uncover device vulnerabilities.

Read more

Unlock the secrets to modernizing your IT network! Join our webinar on January 23 to learn how self-service DNS and DHCP can help you solve the cloud puzzle.