Tips on reducing dwell time of bad actors

March 15, 2023
It is not enough to block cyber criminals from your network; limiting how long they stay once inside is just as critical

As cyberattacks have become commoditized, threats such as malware and ransomware have grown more sophisticated and more persistent, as evidenced by a recent ransomware-as-a-service attack that impacted over 75 organizations. That attack does not stand alone. The tactics of bad actors have evolved to include zero-click threats and attacks on hardware and firmware, in addition to software. These developments require security leaders to think beyond the mindset of simply keeping bad actors out. They are going to get in, and they will often stay; the key is limiting how long they can access the targeted system. This applies to traditional Information Technology systems as well as the Internet of Things; heating, ventilation, and air conditioning systems; medical devices; and more.

Limiting the amount of time an actor spends in a system, known as dwell time, is critical for organizations to protect their information and their business as a whole. A recent study found a 36% increase in dwell time, with a median dwell time of 15 days in 2021 compared to 11 days in 2020. The picture can be even worse for smaller organizations: for those with up to 250 employees, the average dwell time was 51 days. Thankfully, no matter the size of the company, there are a few key steps organizations can take to minimize their risk.

Identify weak zones within the organization’s cybersecurity infrastructure

A strong cybersecurity strategy is one that is constantly monitored and updated so that it remains as effective as it can be. As organizations monitor their own systems, they should identify the parts of the infrastructure that are weaker than others and focus on bolstering the protection around them. One such weak point is any asset that is shared externally with a third party.

Organizations cannot fully control the security their partners practice, but knowing that a shared asset is a likely point of vulnerability helps security teams be more deliberate about what they share with outside parties from the start, and to have a plan in place to contain the damage if that information is compromised. Most importantly, this process should be a continuous feedback loop: organizations should regularly review their entire system and its architecture, identify problem areas, implement fixes, and feed what they have learned back into their cybersecurity strategy.

The first step is knowing what is on the network and how those assets communicate. From there, organizations can work out how to better protect the assets that matter most to the business. Developing both a solid security architecture and a cybersecurity roadmap brings tremendous benefit in identifying the weak areas of a business's security posture.

Implement Zero Trust to limit lateral movement

A few years ago, the prevailing school of thought in cybersecurity was to keep actors out from the outset. Now that we understand that attacks are inevitable, no matter how secure an organization may be, the focus has shifted to limiting attackers' dwell time and their ability to move around once inside a system. An effective approach to reducing dwell time is Zero Trust, which works to limit lateral movement. Zero Trust has gained significant traction over the last few years and is projected to grow at a CAGR of 14.7% through 2030. This shows that security leaders are prioritizing Zero Trust as a key approach to protecting organizational information, both at a high level and specifically to limit lateral movement.

By implementing Zero Trust, organizations limit how much data a malicious actor can reach and prevent them from moving laterally deeper into the organization's systems. As threats become more persistent and sophisticated, organizations need to accept that they cannot keep every bad actor out, and instead focus on restricting what an intruder can access once inside by adopting a Zero Trust architecture. As the demand for, and adoption of, Zero Trust continues to grow, organizations that do not adopt the model will fall behind and expose themselves to attacks whose impact they could have limited.

One thing for organizations to keep in mind is that Zero Trust, like their cybersecurity strategy as a whole, is a journey. It can take years for a large organization to fully implement Zero Trust, and the strategy should be to implement the parts that give the largest protection first. Essential to this strategy are Authentication, Authorization, and Accounting (AAA) and the tagging (classification) of the organization's data. The organization must know who is on its network and who has access to which data. For example, there is no reason for the facilities department to have access to the HR department's data, but an attacker who has compromised a facilities account will use that access if the overlap is overlooked.
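To make the AAA and data-tagging point concrete, here is an added example written for this edit; it is not code from the article or from the author's organization. It shows a minimal per-request authorization check in the Zero Trust style: each call is authenticated (MFA and device posture are re-checked on every request rather than once per session), authorized against the data's classification tags rather than its network location, and recorded for accounting. The department names, tags, posture fields, sample users and the policy table are all hypothetical.

```python
"""Added example, not from the article: a minimal Zero Trust access decision.

Every request is judged on its own: who is asking and on what device
(authentication), whether their role is cleared for the data's classification
tags (authorization), and a log entry for the decision (accounting). Being
'inside the network' buys nothing. All names, tags and policy values are
hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Principal:
    user: str
    department: str
    mfa_verified: bool        # re-checked per request, not once per session
    device_compliant: bool    # e.g. disk encrypted, EDR running, patched


@dataclass(frozen=True)
class Resource:
    name: str
    tags: FrozenSet[str]      # data classification tags, e.g. {"hr", "pii"}


@dataclass
class Decision:
    allowed: bool
    reasons: List[str]        # empty when allowed


# Hypothetical policy: which departments are cleared for which data tags.
# A department that is not listed is denied by default.
POLICY: Dict[str, FrozenSet[str]] = {
    "hr": frozenset({"hr", "pii"}),
    "finance": frozenset({"finance", "pii"}),
    "facilities": frozenset({"facilities"}),
}

# Accounting: every decision, allow or deny, lands here (stand-in for a SIEM).
AUDIT_LOG: List[dict] = []


def authorize(p: Principal, r: Resource, action: str) -> Decision:
    """Evaluate one request. Deny unless every check passes."""
    reasons: List[str] = []
    if not p.mfa_verified:
        reasons.append("no MFA")
    if not p.device_compliant:
        reasons.append("device not compliant")
    cleared = POLICY.get(p.department, frozenset())
    missing = sorted(r.tags - cleared)      # tags the caller is not cleared for
    if missing:
        reasons.append(f"not cleared for tags {missing}")
    decision = Decision(allowed=not reasons, reasons=reasons)
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": p.user,
        "department": p.department,
        "resource": r.name,
        "action": action,
        "decision": "ALLOW" if decision.allowed else "DENY",
        "reasons": reasons,
    })
    return decision


# Constructed sample principals and resources (hypothetical).
HR_SALARIES = Resource("hr_salaries.xlsx", frozenset({"hr", "pii"}))
HVAC_SCHEDULE = Resource("hvac_schedule.csv", frozenset({"facilities"}))
DANA_HR = Principal("dana", "hr", mfa_verified=True, device_compliant=True)
ELI_FACILITIES = Principal("eli", "facilities", mfa_verified=True, device_compliant=True)
DANA_NO_MFA = Principal("dana", "hr", mfa_verified=False, device_compliant=True)

if __name__ == "__main__":
    for who, what in [(DANA_HR, HR_SALARIES), (ELI_FACILITIES, HR_SALARIES),
                      (DANA_NO_MFA, HR_SALARIES), (ELI_FACILITIES, HVAC_SCHEDULE)]:
        d = authorize(who, what, "read")
        print(who.user, "->", what.name, "ALLOW" if d.allowed else "DENY", d.reasons)
```

The facilities user is refused the HR spreadsheet even though every other check passes, and the HR user is refused the same file the moment MFA is missing; the reasons in each log entry are what an analyst later uses to spot an intruder probing for data they should never see.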

Proactively identify new threats and evolve along with them

Security teams should constantly research and look for what could be the next big threat, and ideally get ahead of it before it becomes a larger problem. By staying apprised of the threat landscape, cybersecurity teams can limit both how long an attacker stays inside a system and how far they get within it. Today, this is accomplished through threat intelligence and management platforms, combined with active threat hunting inside the business's network. Many organizations are also finding value in having their external attack surface scanned by vendors that offer that service.
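As an added illustration of hunting inside the network, written for this edit and not taken from the article or any vendor's product, the block below runs one simple hunt over constructed authentication log lines: it flags an account that reaches an unusual number of distinct hosts within a short window, a common lateral-movement pattern, and then reports how long that activity had gone unnoticed, which is the dwell time the article is concerned with. The log format, host and account names, window and threshold are hypothetical.

```python
"""Added example, not from the article: a small threat hunt over logon events.

It looks for one lateral-movement signature (an account fanning out to many
distinct hosts in a short window) and computes how long that activity went
unnoticed, i.e. the dwell time up to the point the hunt is run. The log lines
and their format are constructed for this example; thresholds are hypothetical.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample log: "<iso-timestamp> <user> <src-host> -> <dst-host> <result>"
SAMPLE_LOG = """\
2023-03-01T08:02:11 alice ws-017 -> fileserver-01 success
2023-03-01T08:05:40 bob ws-022 -> fileserver-01 success
2023-03-01T23:14:02 svc-backup ws-017 -> ws-031 success
2023-03-01T23:14:09 svc-backup ws-017 -> ws-044 success
2023-03-01T23:14:15 svc-backup ws-017 -> ws-052 success
2023-03-01T23:14:21 svc-backup ws-017 -> hr-db-01 success
2023-03-01T23:14:27 svc-backup ws-017 -> dc-01 failure
2023-03-02T09:10:00 alice ws-017 -> fileserver-01 success
"""

Event = Tuple[datetime, str, str, str, str]   # (ts, user, src, dst, result)


def parse_log(text: str) -> List[Event]:
    """Parse the constructed format into time-ordered events."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, _arrow, dst, result = line.split()
        events.append((datetime.fromisoformat(ts), user, src, dst, result))
    return sorted(events)


def hunt_fan_out(events: List[Event],
                 window: timedelta = timedelta(minutes=10),
                 threshold: int = 3) -> Dict[str, Tuple[datetime, Set[str]]]:
    """Flag users who touch >= `threshold` distinct hosts within `window`.

    Returns {user: (first_event_time, hosts_reached)} for each hit, using the
    earliest window that crosses the threshold. Failed logons count too: an
    attacker probing hosts leaves failures as well as successes.
    """
    per_user: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, user, _src, dst, _result in events:
        per_user[user].append((ts, dst))

    hits: Dict[str, Tuple[datetime, Set[str]]] = {}
    for user, evs in per_user.items():          # evs are already time-ordered
        for i, (t0, _) in enumerate(evs):
            hosts = {dst for ts, dst in evs[i:] if ts - t0 <= window}
            if len(hosts) >= threshold:
                hits[user] = (t0, hosts)
                break
    return hits


def dwell_time(first_seen: datetime, detected_at: datetime) -> timedelta:
    """Dwell time: from the first evidence of the activity to its detection."""
    return detected_at - first_seen


def hunt_report(log_text: str, detected_at: str) -> Dict[str, dict]:
    """Run the hunt and summarise each hit with its dwell time so far."""
    found = datetime.fromisoformat(detected_at)
    report: Dict[str, dict] = {}
    for user, (first, hosts) in hunt_fan_out(parse_log(log_text)).items():
        report[user] = {
            "first_seen": first.isoformat(),
            "hosts": sorted(hosts),
            "dwell_days": dwell_time(first, found).days,
        }
    return report


if __name__ == "__main__":
    # Pretend the hunt is run on 15 March; the fan-out happened on 1 March.
    for user, info in hunt_report(SAMPLE_LOG, "2023-03-15T09:00:00").items():
        print(f"{user}: {len(info['hosts'])} hosts {info['hosts']} "
              f"from {info['first_seen']}, dwell so far {info['dwell_days']} days")
```

Only the service account trips the rule; the two interactive users touch a single host each. A real hunt would baseline each account's normal fan-out rather than use one fixed threshold, and would pull the "first seen" time from the earliest related artefact (the initial logon to ws-017, for instance), which is what makes the measured dwell time honest rather than optimistic.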

We are no longer in the era of "simple threats." Attacks have become commoditized, and bad actors can put more money into research and development than ever before. Consequently, they are creating more advanced and intricate attacks that approach nation-state and Advanced Persistent Threat levels. This means that everyone is being targeted by these advanced attacks, not just governments. As these more sophisticated threats continue to evolve and pose even more harm, organizations need to take steps to reduce dwell time. While there is no fully "attack-proof" solution an organization can implement, the steps outlined above can help protect vital and sensitive data from being misused or abused for an extended period of time.

About the author: Julian Zottl is the Chief Technology Officer for Raytheon Cyber Protection Solutions within Raytheon Technologies Intelligence and Space (RIS) business. He is also a Cyber and Information Operations Subject Matter Expert (SME) and Cyber Architect on multiple projects. Julian has over 28 years in cyber engineering. He received his undergraduate and master's degrees in electrical engineering. During grad school, he worked for the Vitreous State Laboratory (VSL). There, he architected a Supervisory Control and Data Acquisition (SCADA) system to control the flow, processing and disposal of nuclear waste. Later, these technologies were deployed at nuclear waste disposal sites throughout the U.S. From VSL, he went to work at NASA HQ, engineering solutions for the NASA Network Operations Center (NOC) to enhance security. Next, he went to Fannie Mae, where he helped bring the organization up to SOX compliance and enhanced the cyber security of Fannie Mae's web servers (over 8,000). He then joined Raytheon and has been with the company for over 15 years.