Shrinking cyber attack “dwell times” highlight growing war of attrition with threat actors

Mockup of a padlock covered in blue and red neon code denoting ransomware, malware, and security
(Image credit: Getty Images)

The arms race between security teams and threat actors is escalating as “dwell times” shorten, according to new research from Sophos. 

Dwell times, which mark the time from when an attack starts to when it is detected, dropped from an average of 10 days to just eight for all attacks, the analysis shows. 

This dip underlines the changing nature of attacks, Sophos said, with organizations becoming increasingly efficient at detecting and responding to incidents in rapid time. 

“As adoption of technologies like XDR (extended detection and response) and services such as MDR (managed detection and response) grows, so does our ability to detect attacks sooner,” said John Shier, field CTO at Sophos. 

“Lowering detection times leads to a faster response, which translates to a shorter operating window for attackers.”

While this may appear to be positive news for organizations, the reality is that rapid reaction times mean threat actors are accelerating attacks and adopting new techniques. 

Shier suggested that many organizations have become “victims of their own success” with regard to security practices, prompting a more aggressive approach from attackers and placing significant strain on security practitioners. 

“Criminals have been honing their playbooks, especially the experienced and well-resourced ransomware affiliates, who continue to speed up their noisy attacks in the face of improved defenses.”

For ransomware attacks, the most prevalent form of attack analyzed, dwell time dropped significantly from 10 days to five, Sophos found. 


Whitepaper cover with black and white image of man's face wearing glasses and with beard on the right side

(Image credit: Mimecast)

78 global CISOs share their recommendations on how to communicate cyber risk as business risk to the C-suite peers and board. 


Similarly, in more than three quarters (81%) of ransomware attacks, Sophos said the final payload was launched outside of conventional working hours. Of those that were deployed during traditional operating hours, only five occurred on a weekday. 

“The number of attacks detected increased as the week progressed, most notably when examining ransomware attacks. Nearly half (43%) of ransomware attacks were detected on either Friday or Saturday,” the firm said. 

With security teams acting swiftly to respond to threats in record times, malicious actors have become increasingly conscious of operating hours and are purposefully targeting firms at the most inconvenient times possible. 

Long-term, this means that organizations aren’t necessarily more secure, Shier said. 

“This is evidenced by the leveling off of non-ransomware dwell times. Attackers are still getting into our networks, and when time isn't pressing, they tend to linger. But all the tools in the world won't save you if you're not watching.”

Growing Active Directory risks

Among the most concerning finds from the Sophos report was a decrease in the time it takes for attackers to reach Active Directories (AD); on average, it took them just 16 hours.

Active directories are among the most critical assets for any organization, being used to manage identity and access to company resources. Gaining access to a directory would enable attackers to “easily escalate” system privileges and conduct malicious activity, Sophos said. 

The decreased dwell time in this regard should be a serious cause for concern for security teams, Shier warned. 

"Attacking an organization's Active Directory infrastructure makes sense from an offensive view. AD is usually the most powerful and privileged system in the network, providing broad access to the systems, applications, resources, and data that attackers can exploit in their attacks,” he said.

“Getting to and gaining control of the Active Directory server in the attack chain provides adversaries several advantages. They can linger undetected to determine their next move, and, once they’re ready to go, they can blast through a victim's network unimpeded.”

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at, or on Twitter and LinkedIn.