"Attacker Dwell Times Down, But No Consistent Correlation to Breach Impact: Mandiant"
Security researchers at Mandiant have found that the median intruder dwell time is down again, from 24 days in 2020 to 21 days in 2021. The bad news is the figure gives little indication of the true nature of successful intruder activity across the whole security ecosphere. Dwell time is the length of time between assumed initial intrusion and detection of an intrusion. The researchers stated that the usual assumption is that the shorter the dwell time, the less damage can be done, however, this is not a valid assumption across all intrusions. The researchers found that the median dwell time figure has consistently declined over the last few years: from 205 days in 2014 through 78 (2018), 56 (2019), 24 (2020) to 21 (2021). The problem is that the dwell time has no consistent correlation to the breach effect. The researchers stated that there had been an equally rapid rise in successful ransomware attacks during the same period of rapid decline of dwell time over the last few years. The median dwell time for a ransomware attack in the Americas and EMEA is just four days, inevitably dragging down the overall median figure. At the same time, individual lengthy dwell times have not been eliminated. Eight percent of Mandiant’s investigations revealed dwell times of more than a year and a half, while half of these had dwell times of more than 700 days. Almost a quarter (20%) of the investigations revealed dwell times between 90 and 300 days. The researchers believe that the extent of the decline in the median dwell time figure may have less to do with improving defensive postures and instead might be due to the increase of successful criminal ransomware attacks.