{"id":2395,"date":"2025-03-18T06:00:00","date_gmt":"2025-03-18T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2395"},"modified":"2025-03-18T06:00:00","modified_gmt":"2025-03-18T06:00:00","slug":"attack-time-frames-are-shrinking-rapidly-heres-how-cyber-teams-can-cope","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2395","title":{"rendered":"Attack time frames are shrinking rapidly. Here\u2019s how cyber teams can cope"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Times are tough for cyber pros, quite literally. Two common malware time scale metrics \u2014 dwell time and time to exploit \u2014 are rapidly shortening, making it harder for defenders to find and neutralize threats.<\/p>\n<h2 class=\"wp-block-heading\">What is malware dwell time and time to exploit<\/h2>\n<p>The two metrics are somewhat related. Malware\u2019s <strong>dwell time<\/strong> refers to the amount of time malware remains undetected after it has entered a network. While the shorter times indicate improved detection and defensive posture, that also forces attackers to get better at hiding their incursions and using various \u201c<a href=\"https:\/\/www.csoonline.com\/article\/643617\/living-off-the-land-attacks-are-hard-but-not-impossible-to-protect-against.html\">living off the land<\/a>\u201d methods to disguise their code. 
<a href=\"https:\/\/blog.barracuda.com\/2024\/06\/11\/Dwell-time-declining\">Tony Burgess of Barracuda blogged about<\/a> the three reasons for the recent drop in dwell times: the victim finds and blocks the intrusion, the attacker steals the targeted data, or the attacker detonates a payload, such as a ransomware attack, that announces their presence.<\/p>\n<p>The other metric, <strong>time to exploit<\/strong> (TTE), is the period between the discovery of a vulnerability and when an attacker actively launches an attack, showing how quickly an attacker can take advantage of a known vulnerability once they find it.\u00a0This means enterprises need to improve their patching game and respond quickly and comprehensively to any vulnerability alerts. <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/time-to-exploit-trends-2021-2022\/\" target=\"_blank\" rel=\"noopener\">Two analysts from Google\u2019s Mandiant group<\/a>\u00a0found the average TTE in 2018 was around 63 days. In 2023 they saw this drop to five days. <\/p>\n<p>\u201cAs long as patch cycles remain lengthy for vulnerabilities that provide access to either code execution or privilege escalation, threat actors will continue to identify and exploit these vulnerabilities,\u201d they wrote.\u00a0<\/p>\n<h2 class=\"wp-block-heading\">Time frame changes to time to exploit<\/h2>\n<p>The time frames are quickly shortening as a variety of attackers shift the focus of their ransomware efforts to stealing data first, rather than trying to collect ransoms.<\/p>\n<p>A recent <a href=\"https:\/\/www.huntress.com\/resources\/2025-cyber-threat-report\" target=\"_blank\" rel=\"noopener\">Huntress Cyber Report<\/a>\u00a0shows that TTE \u2014 which the researchers refer to as \u201ctime-to-ransom\u201d or TTR \u2014 has dropped to a few hours for some ransomware groups. 
Times for many attacker groups are less than 44 hours, with some groups acting within four hours; overall, the <a href=\"https:\/\/www.csoonline.com\/article\/3825444\/ransomware-gangs-extort-victims-17-hours-after-intrusion-on-average.html\">average TTE is around 17 hours across all ransomware activities<\/a> studied. <\/p>\n<p>The researchers attribute the different times to different methods: \u201csome groups prefer smash-and-grab techniques versus others who prefer slow-and-low methodologies.\u201d The latter form was also recognized by <a href=\"https:\/\/www.radware.com\/threat-analysis-report\/\">Radware in its 2025 threat report<\/a>, which found a 38% increase in this method of operation over the past year for DDoS attacks. These attacks \u201cinvolve sending a small stream of very slow traffic, making them difficult to detect and mitigate,\u201d Radware\u2019s researchers wrote.<\/p>\n<p>Palo Alto Networks\u2019 most recent\u00a0<a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2025\/02\/incident-response-report-attacks-shift-disruption\/\" target=\"_blank\" rel=\"noopener\">Unit42 incident report<\/a>\u00a0also sees the threat time frame shrinking, having found that a quarter of data thefts happen in less than five hours from when a piece of malware first enters a network. This rate is three times faster than what the company\u2019s researchers saw in 2021. They predict that attackers\u2019 use of various AI tools will make things worse by cutting these times even further, possibly to minutes. One problem is that because many enterprises use a variety of detection tools, there is a lack of information sharing, resulting in siloed reporting, which makes it more difficult to catch malware quickly.<\/p>\n<h2 class=\"wp-block-heading\">Time frame changes to dwell time<\/h2>\n<p>Dwell times are also dropping. 
According to <a href=\"https:\/\/www.secureworks.com\/blog\/2024-state-of-the-threat-report-reveals-a-resilient-and-evolving-threat-landscape\">a Secureworks report from last year<\/a>, some ransomware groups\u2019 dwell times shrank to as short as seven hours, and a tenth of all intrusions studied happened within five hours of gaining initial access. <\/p>\n<p>Moreover, <a href=\"https:\/\/www.crowdstrike.com\/en-us\/global-threat-report\/\" target=\"_blank\" rel=\"noopener\">CrowdStrike<\/a> says that breakout time \u2014 how long it takes for an adversary to start moving laterally across your network \u2014 reached an all-time low in the past year, down to an average of 48 minutes, with the fastest breakout time they observed being 51 seconds. This means cyber teams need better real-time threat detection and more solid identity and access controls to identify and halt intrusions before they spread. CrowdStrike researchers noted one malware group, dubbed Curly Spider, takes less than 4 minutes from initial phishing interaction to establishing a persistent network backdoor. \u201cThe malware compromises the network in seconds by securing long-term access before the victim even realizes what\u2019s happening,\u201d they wrote.<\/p>\n<p>Barracuda\u2019s Burgess reasons that attackers now have a more rushed agenda and grab data as quickly as they can. This also means defenders must be able to react quickly once malware is detected, which again reinforces the notion of breaking down security silos and having more cross-team cooperation and cross-tool integration in order to respond to and eliminate a potential threat.<\/p>\n<h2 class=\"wp-block-heading\">What cybersecurity teams can do<\/h2>\n<p>Veracode recommended in its <a href=\"https:\/\/www.veracode.com\/resources\/analyst-reports\/state-of-software-security-2025\/\">State of Software Security 2025<\/a> report that defenders try to gather all risks in one place and focus on what matters most to an organization. 
\u201cYou need a way to see what\u2019s exploitable, reachable, and urgent to help you prioritize further,\u201d its researchers remarked.<\/p>\n<p>That is easy to say but a lot harder to implement. Other analysts have seen complicating factors making any cross-team cooperation difficult. <a href=\"https:\/\/tamnoon.io\/state-of-cloud-remediation\">Tamnoon, a cloud security vendor<\/a>, has found that <a href=\"https:\/\/www.csoonline.com\/article\/573629\/cnapp-buyers-guide-top-tools-compared.html\">CNAPP tools<\/a> classify the severity of threats differently and often are at odds with one another, citing one example in which one tool called a potential issue \u201cinformational\u201d while another tool flagged the same issue as a critical threat. \u201cWe saw organizations attempting to manage hundreds and thousands of critical alerts simultaneously. With such volume, prioritizing what to do next becomes challenging, causing many critical alerts to remain in the backlog for months at a time,\u201d its report authors wrote.<\/p>\n<p>Also contributing to these longer resolution times is that software is getting more complex, and analysts are having a harder time scanning their code and finding and fixing flaws. Veracode\u2019s report shows that the time to fix software flaws has increased 47% since 2020 and the <a href=\"https:\/\/www.csoonline.com\/article\/3842489\/companies-are-drowning-in-high-risk-software-security-debt-and-the-breach-outlook-is-getting-worse.html\">proportion of apps with high severity flaws has almost tripled<\/a> in that time. \u201cFinding flaws is easy these days; fixing them is where the challenge lies,\u201d the authors wrote. <\/p>\n<p>One solution, not surprisingly coming from a vendor that sells code scanning tools, is to perform more frequent application testing and scanning, along with better and more thorough security training. 
Another is to seek out and <a href=\"https:\/\/www.csoonline.com\/article\/3532475\/when-technical-debt-strikes-the-security-stack.html\">eliminate overall security debt<\/a>, so that developers are continuously improving their code and finding these flaws.<\/p>\n<p>Overall, defenders have to up their game, and act quickly. Time is of the essence.<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Times are tough for cyber pros, quite literally. Two common malware time scale metrics \u2014 dwell time and time to exploit \u2014 are rapidly shortening, making it harder for defenders to find and neutralize threats. What is malware dwell time and time to exploit The two metrics are somewhat related. Malware\u2019s dwell time refers to [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2396,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2395","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2395"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2395"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2395\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2396"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2395"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href"
:"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2395"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2395"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}