Dwell Time

One-liner: The duration an attacker remains undetected in a compromised environment from initial breach to discovery.

🎯 What Is It?

Dwell Time (also called Attacker Dwell Time) is the period between when an attacker first compromises a system and when the breach is detected and responded to. It's a critical security metric that measures how long adversaries can operate freely within your environment.

Lower dwell time = Better security posture

🤔 Why It Matters

• Damage Increases Over Time: Longer dwell time means more data stolen, systems compromised, and backdoors planted
• Key Security Metric: Industry benchmark for detection effectiveness
• Lateral Movement: Extended dwell time allows attackers to move deeper into the network
• Persistence: More time enables sophisticated persistence mechanisms
• Cost: Financial impact grows exponentially with dwell time

Industry Benchmarks

• 2023 Average: ~16 days (down from 24 days in 2020)
• Ransomware: Often 1-5 days
• Nation-State APTs: Can be 200+ days
• Goal: < 24 hours (mature security programs)

🔬 How It Works

Dwell Time Timeline

[Initial Compromise] ────────────────────> [Detection]
        ↑                                      ↑
   T=0 (Breach)                          T=X (Discovery)
        
        <──────── Dwell Time = X ──────────>

During Dwell Time:
├─ Reconnaissance
├─ Credential Harvesting  
├─ Lateral Movement
├─ Privilege Escalation
├─ Data Exfiltration
└─ Persistence Installation

Factors That Increase Dwell Time

1. Poor Visibility: Lack of logging or monitoring coverage
2. Alert Fatigue: Too many false positives, real threats missed
3. Detection Gaps: Adversary TTPs not covered by detection rules
4. Insufficient Staffing: SOC can't keep up with alerts
5. Advanced Adversaries: Sophisticated evasion techniques

Factors That Decrease Dwell Time

1. Threat Hunting: Proactive search for hidden threats
2. Strong Detection Engineering: Comprehensive coverage of MITRE ATT&CK TTPs
3. EDR: Real-time endpoint visibility
4. Cyber Threat Intelligence (CTI): Intelligence-driven detection
5. Mature Incident Response: Fast triage and investigation

🛡️ Detection & Prevention

How to Measure Dwell Time

# Calculate dwell time
dwell_time = detection_timestamp - initial_compromise_timestamp

# Example
Initial Compromise: 2024-01-05 08:00:00
Detection:          2024-01-20 14:30:00
Dwell Time:         15 days, 6 hours, 30 minutes

How to Reduce Dwell Time

1. Implement Proactive Threat Hunting

   • Don't wait for alerts—actively search for threats
   • Use MITRE ATT&CK to guide hunting priorities

2. Improve Detection Coverage

   • Map detection to MITRE ATT&CK framework
   • Focus on high-impact techniques (e.g., Lateral Movement, Credential Dumping)

3. Deploy EDR

   • Real-time endpoint visibility
   • Behavioral analytics to catch novel attacks

4. Leverage Cyber Threat Intelligence (CTI)

   • Hunt for IOCs of relevant threat actors
   • Implement detections for relevant TTPs

5. Reduce Alert Fatigue

   • Tune detection rules to minimize false positives
   • Prioritize high-fidelity alerts

6. Automate Response

   • SOAR for initial triage and containment
   • Faster mean time to respond (MTTR)

📊 Dwell Time by Attack Type

🎤 Interview Angles

Common Questions

• "What is dwell time and why does it matter?"

  • "Dwell time is how long an attacker remains undetected in your environment. It matters because the longer they're in, the more damage they cause—more data stolen, more systems compromised, deeper persistence. Industry average is around 16 days, but mature programs aim for under 24 hours."

• "How would you reduce dwell time in an organization?"

  • "First, implement proactive Threat Hunting—don't wait for alerts. Deploy strong EDR for real-time visibility. Improve detection coverage using MITRE ATT&CK to identify gaps. Leverage threat intelligence to hunt for relevant IOCs and TTPs. Finally, reduce alert fatigue so analysts can focus on real threats."

• "What's the relationship between dwell time and threat hunting?"

  • "Threat Hunting directly reduces dwell time by proactively finding threats before they trigger automated alerts. Hunters use intelligence and behavioral analysis to discover sophisticated adversaries who evade detection. Every threat found through hunting would have continued to dwell undetected otherwise."

STAR Story

Situation: Our organization's average dwell time was 32 days—significantly above industry average. We were detecting incidents only after major damage had occurred.
Task: Reduce dwell time to under 10 days through improved detection and proactive hunting.
Action: Established a weekly Threat Hunting program focused on high-risk TTPs. Mapped our detection coverage against MITRE ATT&CK and created 20 new rules for gaps. Deployed EDR across all endpoints. Integrated threat intelligence feeds to hunt for relevant APT IOCs. Tuned SIEM rules to reduce false positives by 60%.
Result: Reduced average dwell time from 32 days to 8 days within 6 months. Discovered 3 previously undetected breaches during initial hunts, all with 30+ day dwell times. After improvements, no incident exceeded 48-hour dwell time in the following year.

✅ Best Practices

• Track and Report: Make dwell time a key security metric
• Set Realistic Goals: Aim for continuous improvement, not perfection
• Proactive Hunting: Don't rely solely on automated detection
• Intelligence Integration: Use CTI to prioritize threats relevant to your organization
• Comprehensive Logging: Can't detect what you can't see
• Regular Reviews: Analyze incidents to understand why dwell time was high

❌ Common Misconceptions

• "Zero dwell time is possible": Some dwell time is inevitable; focus on minimizing it
• "Only EDR reduces dwell time": It helps, but requires threat hunting, intelligence, and tuned detections
• "Short dwell time = no damage": Even hours can be enough for ransomware deployment
• "Dwell time only matters for APTs": All threat actors benefit from extended dwell time

🔗 Related Concepts

• Threat Hunting
• Detection Engineering
• Incident Response
• Cyber Threat Intelligence (CTI)
• MITRE ATT&CK
• Endpoint detection and response (EDR)
• SIEM
• Mean Time to Detect (MTTD)
• Mean Time to Respond (MTTR)
• Lateral Movement
• Persistence

📚 References

• Mandiant M-Trends Report (Annual Dwell Time Statistics)
• CrowdStrike Global Threat Report
• SANS Institute: Reducing Dwell Time
• FireEye: The Dwell Time Dilemma