The amount of time cyber-criminal intruders are spending inside victims’ networks is increasing, providing them with the ability to carry out higher complexity campaigns and more damaging cyberattacks. 

According to analysis by cybersecurity researchers at Sophos, who examined incidents targeting organisations around the world and across a wide range of industry sectors, the median dwell time that cyber criminals spend inside compromised networks is now 15 days, up from 11 days the previous year. 

ZDNet Recommends

Dwell time is the amount of time hackers are inside the network before they’re discovered or before they leave – and being able to spend an increased amount of time inside a compromised network undetected means they’re able to more carefully conduct malicious activity, such as monitoring users, stealing data or laying the foundations for a malware or ransomware attack. 

SEE: Cybersecurity: Let’s get tactical (ZDNet special report)

“It seems pretty obvious you don’t want people in your network, but the longer they have, the more time they have to completely compromise the environment. If they’re having to move quickly they might miss something,” John Shier, senior security advisor at Sophos told ZDNet. 

“Going deeper into the networks just allows them to penetrate harder-to-reach areas and find that business-critical data,” he added. 

One of the key methods cyber criminals are using to gain initial access to networks is through unpatched security vulnerabilities, something that Sophos says is the root cause of 47% of incidents they investigated last year. 

Some of the most commonly exploited were the ProxyLogon and ProxyShell Microsoft Exchange Server vulnerabilities, which Shier describes as “widespread and easily exploitable” – and one of the reasons cyber criminals were able to spend more time in networks, because many organisations were slow to, or still haven’t applied, the security patches. 

Among the organisations that struggle most – and have the longest median dwell times – are small businesses (21 days) and education organisations (34 days).  

Typically, these organisations struggle to find budget, resources and enough information security staff to effectively manage even basic cybersecurity, let alone quickly detect suspicious activity in the network.

Other techniques used by cyber criminals to breach network include phishing attacks, as well as using stolen login credentials, taken from earlier data dumps. Hackers are also able to enter networks by using brute-force attacks to crack accounts with weak or common passwords

No matter how intruders are entering the network or who they’re targeting, that they’re able to spend longer inside networks without being detected is bad for those who get breached.

“We’ve seen this – multiple attackers ending up in the same network, multiple ransomware crews ending up in the same network, the same crew going back into the same network again because the company didn’t close the hole in the first place after they’ve recovered – that’s what the longer dwell times are,” said Shier. 

There are steps that organisations can take to improve their cybersecurity defences to prevent intruders entering the network, including applying security updates as quickly as possible, especially to critical systems, in order to prevent cyber criminals exploiting known vulnerabilities.  

Equipping users with multi-factor authentication also adds an extra layer of security, because even if hackers attempt to use stolen passwords, it provides an additional barrier to overcome. 

SEE: A winning strategy for cybersecurity (ZDNet special report)

But even with several layers of defence, it’s possible that intruders could still gain access to the network – so it’s important that there’s an information security team in place who knows what regular activity looks like and are able to identity and investigate potentially malicious behavior. 

“Security teams can defend their organisation by monitoring and investigating suspicious activity. The difference between benign and malicious is not always easy to spot,” said Shier. 

“Technology in any environment, whether cyber or physical, can do a great deal but it is not enough by itself. Human experience and skill and the ability to respond are a vital part of any security solution,” he said. 

MORE ON CYBERSECURITY