Channel Partners Conference & Expo is part of the Informa Tech Division of Informa PLC



What Is Dwell Time?


Editor’s Note: This guest column is part of Channel Partners Conference & Expo sponsorship.

Imagine a situation where an intruder breaks into your home and lives in your attic secretly, stealthily, for months, stealing and destroying your assets without your knowledge, until the damage is done and it’s perfectly evident.

Now imagine this same event, but taking place digitally within your network. That intruder has been covertly taking important personal data and funds, and planting malware on your devices over time.

The time the intruder spent living in your network undetected is what we call “dwell time.”

So, what is dwell time, how does it happen, and how can you stop it before it’s too late? We answer these questions and provide other vital information about dwell time.

Dwell Time Defined, and How It Occurs

Dwell time is the amount of time between an intrusion and a cyberattack by an intruder. Intruders don’t always strike instantly; they sometimes need dwell time to coordinate their plan, perform enumeration and reconnaissance for powerful credentials, move laterally across your network, and execute a formidable attack. The longer the dwell time, the more likely it is that significant damage has been or will soon be done to your organization.

So how does dwell time occur?

Threats stemming from extended dwell time can take many forms, originating with phishing attacks and software weaknesses that leave you open to intruder access. In addition, an intruder will only exit dwell time once they have completely mapped out their attack. Increased dwell time means an intruder can take their time to create an elaborate plan to attack your network however they desire.

Besides the damage a single intruder can cause to a device due to extended dwell time, they can also cause catastrophic long-term consequences and demand ransoms.

Why Dwell Time Matters and How It Causes Severe Consequences

Because dwell time can last for months if an intruder isn’t detected, the intruder can find ways to take advantage of permissions in a network. This allows the cyber attacker to transport their malware onto as many endpoint devices as they have access to. They will also use that time to pinpoint other network resources, like system backups, and sell the access point to other cyber attackers, otherwise known as Initial Access Brokers (IABs). In 2021, these IABs were recognized as main contributors to substantial median dwell times, driving dwell time up by 36 percent.

Beyond the irreparable damage that these intruders can cause, the issue with attacks made during extended dwell time is the mindset shift required of a cybersecurity team. Prior to finding intruders within a network, a cybersecurity group can focus on being as proactive as possible, which is ideal. But after responding to an attack from an intruder inside a network, it must always be assumed that an intruder is within that network until the issue is completely resolved. Intruders are similar to bugs infesting a home; if one gatecrasher got access to your network, chances are there are more hiding, waiting for the right opportunity to attack.

How Can You Reduce Dwell Time?

Dwell time can be reduced in a few different ways:

  • Constantly monitor your network and potential threats.
  • Analyze communications within your network.
  • Implement multi-factor authentication to add layers of security.
  • Apply Zero Trust Architecture to your dwell time cybersecurity stack.

These are just a few methods for preventing intruders from infiltrating your network and using sustained dwell time to steal, damage, and sell your private data. So how can you start integrating all of these dwell time cybersecurity steps into your stack?

Dwell Time: Kick Out and Prevent Network Intruders

Incorporating dwell time cybersecurity can be a complex and exhausting process that can take months to resolve without the right tools.

But it doesn’t have to be that way.

Here at Xcitium, we provide a comprehensive and live one-on-one demo designed to show you how simple it can be to train and protect your users. Additionally, our engineers go out of their way to tailor the demo around your needs. Everyone starts at a different point, and we aim to meet you where you’re at.

Interested in learning about how Xcitium can reduce your dwell time to zero with automated Containment?

Schedule a free demo to see how!

