Dwell time vs. Breakout time: A Historical Analysis and Future Outlook
How low-and-slow attacks have evolved, and how we're catching them
Background
In today's rapidly evolving cyber threat landscape, it's no secret that even the most robust defenses can fail. Many large-scale data breaches reveal that attackers often go beyond mass exploitation and poorly written phishing emails: they use stolen credentials, bypass multi-factor authentication (MFA) and infiltrate networks. Once inside, they "live off the land" by using legitimate system tools to avoid detection, allowing them to persist within an environment, exfiltrate sensitive data, encrypt critical assets, or run crypto mining operations.
Two key metrics help us understand the behavior and efficiency of these attackers: dwell time and breakout time. Dwell time refers to the duration an attacker remains undetected within a network, while breakout time measures how quickly they move laterally from the initial point of compromise to other systems within the environment. Understanding these metrics and their trends over time is crucial for developing effective defense strategies.
Dwell Time and Breakout Time
Dwell time and breakout time are the two statistics the industry uses to understand how long attackers have actually been in your environment and how long it takes them to "break out" of the first compromised endpoint and move laterally to other systems in your environment until they achieve their ultimate goal.
Back when I was at CrowdStrike, we liked to use the 1/10/60 rule, which specified that, to prevent adversaries from dwelling (aka persistence), one would need to see an attack in one minute, investigate it in ten minutes, and remediate it in 60 minutes. The idea was that if you can remediate in time, you can prevent an adversary from moving laterally and achieving the persistence they needed to achieve their objective.
What I wanted to understand is whether dwell time and breakout time have changed over the past six years. If so, how? If there is a relationship between dwell time and breakout time, why is that the case? Going into this investigation, I assumed that attackers are getting smarter and faster, but that the 1/10/60 rule should, by and large, account for attacker breakout time.
Dwell Time and Breakout Time Over Time
Over the past six years, we've observed significant changes in both dwell time and breakout time. These changes reflect the evolving tactics, techniques, and procedures (TTPs) of adversaries, as well as improvements in defensive capabilities. The following table summarizes the trends from 2018 to 2023:
Note that breakout time is an “average of averages” for adversaries from the “big four” - Iran, North Korea, China and Russia.
Key Observations
Decreasing Dwell Time: Global median dwell time, as reported in Mandiant's M-Trends reports, has significantly decreased from 78 days in 2018 to just 10 days in 2023. This reduction suggests that defenders are becoming more proficient at detecting and responding to intrusions.
Varied Breakout Time: Breakout times show variability among different nation-state actors. Russian adversaries consistently exhibit the shortest breakout times, reflecting their highly efficient and aggressive tactics.
Evolving Tactics: Adversaries from China, North Korea, Iran, and Russia have continuously refined their methods, utilizing advanced social engineering, credential dumping, and living-off-the-land techniques to evade detection and accelerate lateral movement.
Factors Influencing These Trends
Several factors have contributed to the observed changes in dwell time and breakout time:
Advanced Tactics and Techniques
Adversaries have adapted to the defensive measures deployed by organizations. They employ sophisticated methods to gain initial access and move laterally within networks. Techniques such as abusing LOLBins (living-off-the-land binaries), running more convincing phishing campaigns, and exploiting zero-day vulnerabilities have become more prevalent, enabling attackers to bypass traditional security controls.
Automation in Cyber Operations
Automation has revolutionized both offensive and defensive cyber operations. Attackers use automated tools for reconnaissance, exploitation, and lateral movement, drastically reducing the time required to achieve their objectives. Simultaneously, defenders leverage automation to enhance detection and response capabilities. However, the attackers' ability to innovate with automated tools often outpaces defensive measures. The two sides feed off each other in a continuous cycle: offensive automation shortens breakout time, and defensive automation shortens dwell time.
Improved Detection Capabilities
The cybersecurity industry has made significant strides in enhancing detection capabilities. The proliferation of Endpoint Detection and Response (EDR) solutions, advanced logging, and the use of machine learning for anomaly detection have improved defenders' ability to identify and respond to threats more quickly. This means we’re able to catch the bad guys faster, which drives down the dwell time they have before they’re spotted.
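To make the detection side concrete, here is an added example of my own (not code from the original post or from any vendor's product) of the kind of logic that drives dwell time down: a handful of regular-expression rules run over process-creation telemetry to flag living-off-the-land lateral movement (WMIC, PsExec, admin-share mapping, remote scheduled tasks, WinRM and PowerShell remoting) and to report, per source host, when it first pivoted and where. The JSON log records, host names and user names are constructed for the example and the field names (ts, host, user, cmdline) are an assumption; the MITRE ATT&CK technique IDs are real.

```python
# Added example (not from the original post): flag living-off-the-land lateral
# movement in process-creation telemetry. Log records, hosts and users below are
# constructed; the record field names (ts, host, user, cmdline) are an assumption.
import json
import re
from typing import Dict, List

HOST = r'([A-Za-z0-9.][A-Za-z0-9.\-]*)'   # captures the remote target name
LOCAL = {".", "localhost", "127.0.0.1"}   # remote syntax aimed at the local box

# (ATT&CK technique, description, regex capturing the target host)
RULES = [
    ("T1047", "WMI remote process execution",
     re.compile(r'\bwmic(?:\.exe)?\s+/node:"?' + HOST, re.I)),
    ("T1021.002", "PsExec over SMB admin share",
     re.compile(r'\bpsexec(?:64)?(?:\.exe)?\s+\\\\' + HOST, re.I)),
    ("T1021.002", "admin share mapped with explicit credentials",
     re.compile(r'\bnet(?:\.exe)?\s+use\s+\\\\' + HOST + r'\\(?:admin|c)\$', re.I)),
    ("T1053.005", "scheduled task created on a remote host",
     re.compile(r'\bschtasks(?:\.exe)?\s+/create\b.*?/s\s+' + HOST, re.I)),
    ("T1021.006", "WinRM remote shell",
     re.compile(r'\bwinrs(?:\.exe)?\s+-r:' + HOST, re.I)),
    ("T1021.006", "PowerShell remoting",
     re.compile(r'\b(?:Enter-PSSession|Invoke-Command)\b.*?-ComputerName\s+' + HOST, re.I)),
]


def detect_lateral_movement(log_text: str) -> List[dict]:
    """Return one alert per process-creation record whose command line targets
    another host with a known lateral-movement tool. Local-only invocations of
    the same binaries (a common false positive) are dropped."""
    alerts = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        for technique, desc, rx in RULES:
            m = rx.search(rec["cmdline"])
            if not m:
                continue
            target = m.group(1)
            if target.lower() in LOCAL or target.lower() == rec["host"].lower():
                break  # remote syntax pointed at the local machine: not a pivot
            alerts.append({"ts": rec["ts"], "src": rec["host"], "user": rec["user"],
                           "target": target, "technique": technique, "desc": desc})
            break  # first matching rule is enough for one record
    return alerts


def pivots_by_source(alerts: List[dict]) -> Dict[str, dict]:
    """Group alerts by source host: when it first pivoted and which hosts it
    reached. first_seen is the timestamp a breakout-time measurement needs."""
    out: Dict[str, dict] = {}
    for a in sorted(alerts, key=lambda a: a["ts"]):  # ISO-8601 UTC sorts as text
        entry = out.setdefault(a["src"], {"first_seen": a["ts"], "targets": set()})
        entry["targets"].add(a["target"])
    return out


# Constructed process-creation records (JSON lines): one intrusion pivoting from
# WS-0042, plus an administrator's WinRM use from WS-0017 for contrast.
SAMPLE_LOG = r'''
{"ts": "2023-05-01T09:12:03Z", "host": "WS-0042", "user": "CORP\\jdoe", "cmdline": "wmic os get caption"}
{"ts": "2023-05-01T09:31:47Z", "host": "WS-0042", "user": "CORP\\jdoe", "cmdline": "wmic /node:\"FS-01\" process call create \"cmd.exe /c whoami\""}
{"ts": "2023-05-01T09:33:10Z", "host": "WS-0042", "user": "CORP\\jdoe", "cmdline": "PsExec64.exe \\\\DC-01 -s cmd.exe"}
{"ts": "2023-05-01T09:35:00Z", "host": "WS-0042", "user": "CORP\\jdoe", "cmdline": "net use \\\\FS-01\\ADMIN$ /user:CORP\\svc_backup *"}
{"ts": "2023-05-01T09:40:22Z", "host": "WS-0042", "user": "CORP\\jdoe", "cmdline": "schtasks /create /s DC-01 /tn upd /tr C:\\Windows\\Temp\\u.exe /sc once /st 09:45"}
{"ts": "2023-05-01T09:41:00Z", "host": "WS-0042", "user": "CORP\\jdoe", "cmdline": "wmic /node:. os get caption"}
{"ts": "2023-05-01T10:02:00Z", "host": "WS-0042", "user": "CORP\\jdoe", "cmdline": "net use"}
{"ts": "2023-05-01T10:05:00Z", "host": "WS-0017", "user": "CORP\\opsadmin", "cmdline": "winrs -r:APP-03 ipconfig /all"}
{"ts": "2023-05-01T10:06:30Z", "host": "WS-0017", "user": "CORP\\opsadmin", "cmdline": "powershell -c \"Invoke-Command -ComputerName APP-03 -ScriptBlock { Get-Process }\""}
'''

if __name__ == "__main__":
    found = detect_lateral_movement(SAMPLE_LOG)
    for a in found:
        print(f'{a["ts"]} {a["src"]} -> {a["target"]} [{a["technique"]}] {a["desc"]}')
    for src, info in pivots_by_source(found).items():
        print(src, "first pivot", info["first_seen"], "targets", sorted(info["targets"]))
```

Three of the nine constructed records are benign (a local wmic query, wmic aimed at `.`, and a bare `net use`) and produce no alert; the remaining six show WS-0042 reaching FS-01 and DC-01 by four different techniques within nine minutes of its first pivot. In practice the rules would be fed by an EDR or Sysmon process-creation stream rather than a string, and the WS-0017 activity would be checked against a change ticket before anyone called it an intrusion.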
Collaborative Cybercriminal Ecosystem
Cybercriminals and nation-state actors operate within a complex ecosystem where tools, techniques, and intelligence are shared and sold. An infamous example of this is Big Game Hunting (more on this in a future post) and the use of Ransomware as a Service (RaaS): it’s bad, and it’s prevalent. This collaboration accelerates the learning curve for new threat actors and disseminates successful attack strategies globally. As adversaries get smarter, they iterate their approaches and get faster at moving laterally.
Implications for Network Defenders
The trends in dwell time and breakout time have significant implications for network defenders.
The 1/10/60 Rule
The aforementioned 1/10/60 rule, popularized by CrowdStrike, remains a useful framework for defending against lateral movement. To prevent adversaries from achieving persistence, defenders should aim to detect an attack within one minute, investigate it within ten minutes, and remediate it within sixty minutes. While the average breakout times for most adversaries are still longer than that sixty-minute window, consistently hitting these response times requires advanced detection and response capabilities.
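As an added example (my own code, not from the original post), the following Python computes both metrics from incident timelines and scores each incident against the three 1/10/60 stages, the way a SOC could grade its own incident records; it also shows the difference between a pooled mean breakout time and the "average of averages" used in the table note above, since the latter weights every actor equally regardless of how many incidents each contributed. All incidents, actor labels and timestamps are constructed for illustration.

```python
# Added example (not from the original post): dwell time, breakout time and
# 1/10/60 response timings computed from incident records. Every incident,
# actor label and timestamp below is constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Incident:
    """One intrusion timeline (UTC timestamps)."""
    name: str
    actor: str                              # attribution label used for grouping
    initial_access: datetime                # first confirmed foothold on patient zero
    first_lateral_move: Optional[datetime]  # None if the intruder never left patient zero
    detected: datetime                      # first alert that fired on this intrusion
    triaged: datetime                       # analyst confirmed a real intrusion
    contained: datetime                     # adversary access removed


def minutes(td: timedelta) -> float:
    return td.total_seconds() / 60


def dwell_time(inc: Incident) -> timedelta:
    """Time the intruder was present before anyone noticed."""
    return inc.detected - inc.initial_access


def breakout_time(inc: Incident) -> Optional[timedelta]:
    """Time from foothold to first lateral movement; None if there was none."""
    if inc.first_lateral_move is None:
        return None
    return inc.first_lateral_move - inc.initial_access


ONE, TEN, SIXTY = timedelta(minutes=1), timedelta(minutes=10), timedelta(minutes=60)


def one_ten_sixty(inc: Incident) -> Dict[str, bool]:
    """Stage-by-stage 1/10/60 check, plus the outcome that actually matters:
    was the intrusion contained before the adversary broke out?"""
    detect = inc.detected - inc.initial_access
    investigate = inc.triaged - inc.detected
    remediate = inc.contained - inc.triaged
    bo = breakout_time(inc)
    return {
        "detect_ok": detect <= ONE,
        "investigate_ok": investigate <= TEN,
        "remediate_ok": remediate <= SIXTY,
        "beat_breakout": bo is None or (inc.contained - inc.initial_access) < bo,
    }


def summarize(incidents: List[Incident]) -> dict:
    """Aggregate the way the reports do: median dwell, pooled mean breakout, and
    the 'average of averages' (mean of per-actor means)."""
    dwell = [minutes(dwell_time(i)) for i in incidents]
    per_actor: Dict[str, List[float]] = {}
    for i in incidents:
        bo = breakout_time(i)
        if bo is not None:
            per_actor.setdefault(i.actor, []).append(minutes(bo))
    pooled = [m for v in per_actor.values() for m in v]
    actor_means = {a: mean(v) for a, v in per_actor.items()}
    beat = [one_ten_sixty(i)["beat_breakout"] for i in incidents]
    return {
        "median_dwell_min": median(dwell),
        "median_breakout_min": median(pooled),
        "pooled_mean_breakout_min": mean(pooled),
        "per_actor_mean_breakout_min": actor_means,
        "avg_of_actor_avgs_breakout_min": mean(actor_means.values()),
        "share_contained_before_breakout": sum(beat) / len(beat),
    }


T0 = datetime(2023, 5, 1, 9, 0)  # constructed reference time
M, H, D = timedelta(minutes=1), timedelta(hours=1), timedelta(days=1)

# Constructed incidents: actors, timings and outcomes are illustrative only.
INCIDENTS = [
    Incident("inc-1", "ACTOR-A", T0, T0 + 20 * M, T0 + 5 * D, T0 + 5 * D + 2 * H, T0 + 5 * D + 6 * H),
    Incident("inc-2", "ACTOR-A", T0, T0 + 40 * M, T0 + 1 * M, T0 + 8 * M, T0 + 30 * M),
    Incident("inc-3", "ACTOR-B", T0, T0 + 4 * H, T0 + 10 * D, T0 + 10 * D + 1 * H, T0 + 12 * D),
    Incident("inc-4", "ACTOR-B", T0, None, T0 + 3 * D, T0 + 3 * D + 1 * H, T0 + 3 * D + 2 * H),
    Incident("inc-5", "ACTOR-C", T0, T0 + 90 * M, T0 + 2 * H, T0 + 2 * H + 30 * M, T0 + 3 * H),
]

if __name__ == "__main__":
    for inc in INCIDENTS:
        print(inc.name, one_ten_sixty(inc))
    for key, value in summarize(INCIDENTS).items():
        print(f"{key}: {value}")
```

Only inc-2 passes all three stages, and it is also the only incident with lateral movement that was contained before the breakout; inc-5 was remediated within the sixty-minute window but had already lost the race because detection took two hours. Note how the pooled mean breakout (97.5 minutes) and the average of per-actor averages (120 minutes) differ on the same five incidents, which is why the table note above matters when comparing figures across reports.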
Enhanced Detection and Response
Network defenders must continue to invest in and refine their detection and response capabilities. This includes deploying advanced EDR solutions, enhancing logging and monitoring practices, and leveraging machine learning and artificial intelligence to identify anomalies. If you can spare the resources, regular threat-hunting exercises and continuous improvement of incident response plans may reduce dwell and breakout times.
Proactive Defense Strategies
Given the sophisticated tactics employed by adversaries, proactive defense strategies are crucial. This involves conducting regular security assessments, vulnerability management, and patching critical systems. Additionally, implementing strong access controls, multi-factor authentication, and network segmentation can limit an attacker's ability to move laterally.
Collaboration and Information Sharing
Defenders must embrace a collaborative approach to cybersecurity. Engaging in threat intelligence sharing, participating in industry forums, and collaborating with peers can provide valuable insights into emerging threats and effective defensive strategies. By sharing knowledge and resources, the cybersecurity community can better defend against evolving adversaries. Organizations like the Cyber Threat Alliance are great examples of security organizations coming together for the common good. We need more of this!
Conclusion and Key Takeaways
The data from the past six years shows a clear trend: dwell time and breakout time are decreasing. This suggests that while defenders are improving their detection and response capabilities, attackers are also becoming more sophisticated and efficient. The relationship between dwell time and breakout time highlights the dynamic nature of the cybersecurity landscape. An oft-used expression in security is "the best way to build a 12-foot ladder is to build an 11-foot wall": in essence, as we improve our defenses, so too do attackers refine their intrusion techniques.
The good news: 1/10/60 looks like it does the trick…mostly. Except for Russian adversaries (and, admittedly, this is an “average of averages” figure I’ve cited), the average breakout time is still longer than the sixty-minute remediation window of the 1/10/60 framework. If network defenders can see, investigate, and respond to threats in under an hour, they should be able to prevent adversary breakouts.
The bad news: every security organization must have the controls in place that make 1/10/60 tenable. That’s easier said than done. Moreover, adversaries have demonstrated they can move laterally faster than we can see them, hence the dwell time statistics that we have.
The trend-line: Dwell time is dropping, which was not surprising in itself, but it surprised me for different reasons than I expected. Encouragingly, we are getting better at detecting our adversaries. While 10 days is still a far cry from the aspirational 1 minute of detection time, it’s roughly an 87 percent decrease from the 78 days we had back in 2018. That’s progress!
Takeaways
Improved Detection Capabilities: Network defenders have made significant strides in reducing dwell time, thanks to advancements in EDR, logging, and machine learning.
Sophisticated Adversaries: The reduction in breakout time indicates that adversaries are not only becoming faster but also more skilled in evading detection and moving laterally within networks. They’ve begun collaborating for greater gain as well. This underscores the need for constant vigilance and adaptation in defensive strategies.
Automation as a Double-Edged Sword: While automation enhances defensive capabilities, it also empowers attackers to execute their operations more swiftly and efficiently. Both sides of the cybersecurity equation are leveraging automation, and staying ahead requires innovative and proactive approaches.
Information Sharing: The cybercriminal ecosystem thrives on collaboration, which accelerates the dissemination of effective attack techniques. Defenders should similarly engage in information sharing and collaboration to keep pace with evolving threats.
As we move forward, we must continue investigating the tactics and techniques that drive these trends. Understanding the specifics of how adversaries achieve their breakout times can inform more effective defensive measures. Ultimately, staying informed and proactive is key to outpacing our cyber adversaries.
Stay secure and stay curious my friends!
Damien
References
Mandiant. (2019). M-Trends 2019 Report. Retrieved from Mandiant.
Mandiant. (2020). M-Trends 2020 Report. Retrieved from Mandiant.
Mandiant. (2021). M-Trends 2021 Report. Retrieved from Mandiant.
Mandiant. (2023). M-Trends 2023 Report. Retrieved from Mandiant.
Mandiant. (2024). M-Trends 2024 Special Report. Retrieved from Mandiant.
CrowdStrike. (2018). 2018 Global Threat Report. Retrieved from CrowdStrike.
CrowdStrike. (2019). 2019 Global Threat Report. Retrieved from CrowdStrike.
CrowdStrike. (2020). 2020 Global Threat Report. Retrieved from CrowdStrike.
CrowdStrike. (2021). 2021 Global Threat Report. Retrieved from CrowdStrike.
CrowdStrike. (2022). 2022 Global Threat Report. Retrieved from CrowdStrike.
CrowdStrike. (2023). 2023 Global Threat Report. Retrieved from CrowdStrike.