Dwell times are an interesting cyber security measure.
So what is a Dwell time?
There are numerous ways in which security companies and MSSP’s define Dwell time. For Secure-ISS we have settled on a measurement as to how long a threat (or threat actor) remains inside an environment (from initial intrusion) to the point whereby the breach is detected (by either an internal or external party) and eradicated from the environment.
According to research from Mandiant (M-TRENDS 2019), the (Global) Median dwell time has decreased significantly across the past eight years from 416 days to 78 days in 2018.

When we look at these figures on a regional basis (APAC), we can see that the Dwell time is a little larger at 204 days.

It makes sense that a shorter dwell time, reduces the risks and impacts to the organisation associated with a breach. However, there are several factors that impact dwell time.
What impacts Dwell time?
Dwell times are impacted by several factors including:
- Critical Controls in place through-out the organisation
- Prevention mechanisms capabilities in place
- Detection mechanisms and capabilities in place;
- The type of attack;
- The sophistication of the attackers;
- The motivation and target of the attack;
Anecdotally a reduced (median) Dwell time number could be attributable to the type of attacks, in that they are more visible to end users and detected by organisations in a quicker fashion (ransomware and/ or business email compromise anyone?).
However, in general a shorter dwell time should in turn mean that we are addressing the incident earlier in the Cyber Kill Chain.
Secure-ISS assist customers reduce dwell time through a number of preventative and detection services. If you would like to know more about our Managed Security Services, please don’t hesitate to get in touch.