Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:00 AM
Connect Directly
E-Mail vvv

Attacker Dwell Time: Ransomware's Most Important Metric

How to bolster security defenses by zeroing in on the length of time an interloper remains undetected inside your network.

Ransomware remains one of the most pervasive and insidious security threats to enterprise organizations. In 2020 alone, dozens of brands, from Garmin to Jack Daniels, have been forced to disclose that their networks were breached and their data encrypted by a motley crew of global criminal organizations. 

While much of the attention around ransomware attacks has focused on the methods by which threat actors worm their way inside the network, one critical aspect of these attacks is often overlooked: attacker dwell time, which represents the length of time an interloper remains undetected inside the network.

Related Content:

Deadly Ransomware Story Continues to Unfold

The Threat from the Internet—and What Your Organization Can Do About It

New on The Edge: A Hacker's Playlist

For the better part of the last decade, the majority of ransomware attacks were of the smash-and-grab variety in which the successfully deployed malicious file would encrypt as many files and machines as quickly possible before revealing itself in the form of a lock screen. More recently, ransomware operators are sticking around, lurking in the network shadows to conduct reconnaissance and patiently lying in wait in order to identify higher-value assets to compromise.

While the average attack dwell time for ransomware is relatively brief compared to other malware strains — 43 days on average for ransomware versus months or even years for more persistent threats — each passing day that it remains undetected presents an attacker with new opportunities to unleash their wrath and line their pocketbooks.

A New Generation of Emboldened Attackers
Over the past decade, ransomware has become the preferred malware vehicle for hackers and criminal organizations alike. Not only are there tens of thousands of variants that security teams need to defend against, but the threat actors themselves are no longer following the same playbook. 

The group behind the Sodinokibi strain of ransomware is but one example of an operator that has succeeded in finding creative ways to maximize their returns by stealing data before crypto-locking a target's systems and then threatening to leak or auction stolen data unless their victims pay up.

Other criminal groups such as REvil have essentially democratized ransomware by making it dead simple for wannabe hackers and script kiddies to perpetrate their own attacks by offering affordable and easy-to-use malware-as-a-service subscription. These models also enable the operators to further monetize their efforts by employing affiliate models in which they receive a percentage of any ransoms paid — and offload their risk since they are not themselves spearheading the attack.

Ransomware operators are also feeling emboldened by the massive number of people now working remotely due to the pandemic, exploiting known security vulnerabilities in remote-desktop protocols, and preying on the poor security practices of a workforce that is unfamiliar with proper remote security protocols.

Why Attacker Dwell Time Is a Critical Metric
As ransomware operators shift their objectives to a quality over quantity approach, so must the focus of security teams evolve from a mindset of keeping threat actors out at all costs to assuming they're already inside. 

When attackers are able to remain undetected inside a network they may spend weeks or months exploring it in depth, trying to escalate privileges and leverage those permissions to push ransomware onto as many endpoint devices as possible. They can also use this time to identify critical network resources, such as system backups, network segments storing sensitive data, and other key systems that can be used to disseminate their ransomware widely. 

3 Ways to Reduce Attacker Dwell Time
While an ounce of prevention is certainly worth a pound of cure, security teams must re-think the existing security paradigm of trying to keep attackers out of key networking assets and rather assume that they are already inside. The goal of course is to keep bad actors out but as Mike Tyson elegantly put it, "Everyone's got a plan until they get hit in the face." 

So while it may not be possible to always keep intruders out entirely, you can take some immediate steps to limit its impact by embracing some of the following initiatives:

  • Intentionally Measure Compromise: Regular penetration testing and threat hunting are the hallmarks of a mature security practice, yet they are also out of reach for many. Adopting a framework of continuous compromise assessment enables security teams to integrate the various network and event management feeds that an enterprise already collects so they can measure their compromise level at a more granular level.
  • Correlate Network Intelligence: Attackers use the network as their port of entry and also must use it to move laterally, communicate with their command servers, and eventually exfiltrate data. All of this movement throws off scraps of metadata, whether from trying to resolve a DNS query or scanning the firewall for open ports. By correlating these small bits of data into a unified view, network defenders can make a clear determination as to whether their network is communicating with an adversary's infrastructure. 
  • Enforce a Zero Trust Framework: Zero trust is among the hottest topics in network security as it seeks to replace the conventional trust-but-verify model with a software-defined layer that can more easily enforce least-privilege access and micro-segmentation across the network. From the perspective of a ransomware attack, this will make it much more difficult for an attacker to hop across the network and escalate privileges. 

Ransomware operators will no doubt continue to find novel ways to breach the network and plant their executables. The real challenge won't be halting them outside the gate but rather to illuminate the many blind spots in the network so we can prevent minor incidents from becoming full-blown data breaches.

Ricardo Villadiego is the founder and CEO of Lumu, a cybersecurity company focused on helping organizations measure compromise in real-time. Prior to LUMU, Ricardo founded Easy Solutions, a leading provider of fraud prevention solutions that was acquired by Cyxtera in 2017 as ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
10/1/2020 | 10:34:41 AM
Detailed Input on Attackers
Nice emphasis and importance on attacker dwell time
User Rank: Apprentice
9/30/2020 | 4:34:28 PM
Amazing blog
Insightful information about ransomware and how to detect it faster. 
User Rank: Apprentice
9/30/2020 | 4:05:18 PM
Interesting perspective
Good read and perspective on ransomware's direct correlation with dwell time. 
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-17
Netsia SEBA+ through 0.16.1 build 70-e669dcd7 allows remote attackers to discover session cookies via a direct /session/list/allActiveSession request. For example, the attacker can discover the admin's cookie if the admin account happens to be logged in when the allActiveSession request occurs, and ...
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
PUBLISHED: 2021-01-15
Docker Desktop Community before on macOS mishandles certificate checking, leading to local privilege escalation.
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to u...