Why ‘Attacker Dwell Time’ Is the Only Security Metric That Really Matters

Posted on by Ricardo Villadiego

Imagine finding out one day that there was someone secretly living in the basement of your house and that while you were at work, they spent the day casually snooping around? That’s a frightening thought, right? Now imagine that this violation persisted day in and day out for months or even years. Now that’s truly terrifying.

Yet this is the sobering reality that’s taking place every day within the supposedly secure confines of global enterprise networks. In its 2020 Cost of a Data Breach report, IBM estimates that it takes an average of 280 days to identify and contain a breach. And with each passing day that an attacker remains unnoticed and undisturbed, they are afforded the luxury of time to observe, learn and isolate the weak points in their victim’s infrastructure.

While much of the attention around high-profile attacks has focused on the methods by which threat actors worm their way inside the network, one critical aspect of these attacks is too often overlooked: attacker dwell time, which represents the length of time an uninvited interloper remains undetected inside the network. Unfortunately, surprisingly few security teams are properly equipped to think about or measure the effectiveness of their security posture in this manner.

Why Attacker Dwell Time Is a Foundational Metric

For the better part of the last decade, the majority of attacks such as ransomware were of the smash-and-grab variety in which the attacker’s objective would simply be to encrypt as many machines as quickly as possible before revealing itself in the form of a lock screen. More recently, however, malware operators are increasingly playing the long game, lurking in the network shadows to conduct reconnaissance and patiently lying in wait in order to identify higher-value assets to compromise.

When attackers are able to remain undetected inside a network, they may spend weeks or months exploring it in-depth, working to escalate privileges and leverage those permissions to push their malicious wares onto as many systems and endpoint devices as possible. They also use this time to identify critical network resources, such as system backups, network segments storing sensitive data and other key systems that can be exploited to broadly disseminate their malicious wares.

As threat actors shift their objectives to a quality-over-quantity approach, so much of the focus of security teams must evolve from a mindset of keeping threat actors out at all costs to one that assumes they’re already inside.

Three Ways to Reduce Attacker Dwell Time

While an ounce of prevention is certainly worth a pound of cure, security teams must rethink the existing security paradigm of trying to keep attackers out of key networking assets; rather, they should assume that the actors are already inside and then focus their efforts on proving that they are not. The goal, of course, is to keep bad actors out, but as Mike Tyson once famously said, “Everyone’s got a plan until they get hit in the face.”

While it may not be possible to always keep intruders out, you can take some immediate steps to limit their impact by adopting some of the following strategies:

  1. Intentionally Measure Compromise: Regular penetration testing and vulnerability assessments are hallmarks of a mature security practice, yet history has evidenced their inability to protect against or prevent breaches before it is too late. Adopting a framework that allows them to measure compromise continuously and one that security teams can integrate into their existing network and event management feeds would allow them to measure their compromise level at a more granular and actionable level.
  2. Correlate Network Intelligence: Attackers use the network as their port of entry and must use it to move laterally, communicate with their command-and-control servers and eventually exfiltrate data. All of this movement throws off scraps of metadata, whether from trying to resolve a DNS query or scanning the firewall for open ports. By correlating these small bits of data into a unified view, network defenders can make a clear determination as to whether their network is communicating with an adversary’s infrastructure. And there is a universal truth in cybersecurity: nothing good comes from your network contacting adversarial infrastructure.
  3. Enforce a Zero-Trust Framework: Zero Trust is among the hottest topics in network security as it seeks to replace the conventional trust-but-verify model with a software-defined layer that can more easily enforce least-privilege access and micro-segmentation across the network. From the perspective of a malware or ransomware attack, this will make it much more difficult for an attacker to hop across the network and escalate privileges. 


Bad actors will no doubt continue to find novel ways to breach the network and plant their executables. The real challenge won’t be halting them outside the gate but rather illuminating the many blind spots in the network so we can prevent minor incidents from cascading into full-blown data breaches.

Ricardo Villadiego

Founder and CEO, Lumu

Analytics Intelligence & Response

threat intelligence zero trust

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community

Related Blogs