The average amount of time a cybercriminal is lurking inside a company's network before they strike their final blow is 287 days.
287 Days!!!
That's more than 9 months.
How is this possible??
First let's understand what this actually means.
What is Dwell Time?
"Dwell Time" is defined as the amount of time between the initial compromise (when the hacker first gets in) and the final event, such as notification of a breach by the FBI or a ransomware note found on a computer in the environment.
This means that a company that has been breached carries on, business as usual, while a cybercriminal sits inside of their network, sometimes for months and months on end.
Imagine what that cybercriminal can do once they've gained control over the company's directory server, file server, computers, cloud services, financial data…
The list goes on.
Hacking Doesn't Work Like You Think It Does
Most people don't truly understand how a "hack" or a "breach" event unfolds.
The common misconception is that a "hacker" attacks a network and infects it with a virus or quickly steals data.
If you've ever seen the classic 1995 movie Hackers (and so many more just like it), it would lead you to believe that hacking involves lightning-fast reflexes where a hacker in a dark room starts typing furiously on their keyboard while 1s and 0s fly across the screen.
In reality, the faster a hacker moves, the more noise they make and the more likely they are to be detected.
Additionally, a full-blown breach of a company's network is rarely conducted by one person or even one group.
Cybercriminals specialize in different areas and, most of the time, the breaches that you read about are conducted by several different groups over a long period of time, all while the company had NO idea that any of it was taking place.
How a Breach Starts
The initial "hack" is typically conducted by a cybercriminal or cybercriminal organization that specializes in gaining persistent access.
Persistent access consists of techniques performed by the hacker that are designed to maintain access to a network through computer reboots, credential changes, and other types of interruptions that could boot the hacker out of that network.
This is an ongoing process as the individual or group responsible for this part of the breach must maintain their access to a specific network so that this access can be sold to another party.
The easiest way to think of this process is to compare it to a distributor.
A distributor buys a product in bulk and then resells that product for a profit to a retail store or the end customer.
A persistent access cybercriminal group is doing the same thing.
They are gaining persistent access over a company's network so that they can sell that access to a cybercriminal group that specializes in other areas, like data exfiltration or ransomware.
This access gets posted on the dark web and then is sold to the highest bidder.
This can sometimes take weeks or months to accomplish, all while the cybercriminals responsible for persistent access must keep checking that they have not been detected and booted off the network.
Maintaining this access and selling it on the dark web is how this type of cybercriminal generates revenue.
How the Breach Continues
Once this initial breach is advertised on the dark web, a second individual or group will purchase it so that they can conduct their attack.
This individual or group usually focuses on data exfiltration and ultimately, a ransomware attack.
Their intention is to steal as much data as possible and then sell that data on the dark web.
Generally, this data will consist of personally identifiable information, financial records, or patient health information.
Once they've finished exfiltrating the data they find valuable, they may strike one final blow with a ransomware event, locking every computer they have access to within the network.