Shrinking cyber attack “dwell times” highlight growing war of attrition with threat actors
While teams are becoming more proficient at detecting threats, attackers are augmenting their strategies


The arms race between security teams and threat actors is escalating as “dwell times” shorten, according to new research from Sophos.
Dwell times, which mark the time from when an attack starts to when it is detected, dropped from an average of 10 days to just eight for all attacks, the analysis shows.
This dip underlines the changing nature of attacks, Sophos said, with organizations becoming increasingly efficient at detecting and responding to incidents in rapid time.
“As adoption of technologies like XDR (extended detection and response) and services such as MDR (managed detection and response) grows, so does our ability to detect attacks sooner,” said John Shier, field CTO at Sophos.
“Lowering detection times leads to a faster response, which translates to a shorter operating window for attackers.”
While this may appear to be positive news for organizations, the reality is that rapid reaction times mean threat actors are accelerating attacks and adopting new techniques.
Shier suggested that many organizations have become “victims of their own success” with regard to security practices, prompting a more aggressive approach from attackers and placing significant strain on security practitioners.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
“Criminals have been honing their playbooks, especially the experienced and well-resourced ransomware affiliates, who continue to speed up their noisy attacks in the face of improved defenses.”
For ransomware attacks, the most prevalent form of attack analyzed, dwell time dropped significantly from 10 days to five, Sophos found.
RELATED RESOURCE
78 global CISOs share their recommendations on how to communicate cyber risk as business risk to the C-suite peers and board.
Similarly, in more than three quarters (81%) of ransomware attacks, Sophos said the final payload was launched outside of conventional working hours. Of those that were deployed during traditional operating hours, only five occurred on a weekday.
“The number of attacks detected increased as the week progressed, most notably when examining ransomware attacks. Nearly half (43%) of ransomware attacks were detected on either Friday or Saturday,” the firm said.
With security teams acting swiftly to respond to threats in record times, malicious actors have become increasingly conscious of operating hours and are purposefully targeting firms at the most inconvenient times possible.
Long-term, this means that organizations aren’t necessarily more secure, Shier said.
“This is evidenced by the leveling off of non-ransomware dwell times. Attackers are still getting into our networks, and when time isn't pressing, they tend to linger. But all the tools in the world won't save you if you're not watching.”
Growing Active Directory risks
Among the most concerning finds from the Sophos report was a decrease in the time it takes for attackers to reach Active Directories (AD); on average, it took them just 16 hours.
Active directories are among the most critical assets for any organization, being used to manage identity and access to company resources. Gaining access to a directory would enable attackers to “easily escalate” system privileges and conduct malicious activity, Sophos said.
The decreased dwell time in this regard should be a serious cause for concern for security teams, Shier warned.
"Attacking an organization's Active Directory infrastructure makes sense from an offensive view. AD is usually the most powerful and privileged system in the network, providing broad access to the systems, applications, resources, and data that attackers can exploit in their attacks,” he said.
“Getting to and gaining control of the Active Directory server in the attack chain provides adversaries several advantages. They can linger undetected to determine their next move, and, once they’re ready to go, they can blast through a victim's network unimpeded.”

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.
-
Are chief AI officers here to stay?
In-depth Mainstay of the boardroom or short-term project leader, CAIOs are the subject of intense consideration
-
US companies dominate the European cloud market – regional players are left fighting for scraps
News Synergy data shows EU providers hold just 15% of the market despite rise in AI and drive for cloud sovereignty
-
Hackers breached a 158 year old company by guessing an employee password – experts say it’s a ‘pertinent reminder’ of the devastating impact of cyber crime
News A Panorama documentary exposed hackers' techniques and talked to the teams trying to tackle them
-
The ransomware boom shows no signs of letting up – and these groups are causing the most chaos
News Thousands of ransomware cases have already been posted on the dark web this year
-
Everything we know about the Ingram Micro cyber attack so far
News A cyber attack on Ingram Micro severely disrupted operations and has been claimed by the SafePay ransomware group.
-
A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims – but cyber experts warn it's not exactly a 'gesture of goodwill'
News The Hunters International ransomware group is rebranding and switching tactics
-
Swiss government data published following supply chain attack – here’s what we know about the culprits
News Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Ransomware victims are getting better at haggling with hackers
News While nearly half of companies paid a ransom to get their data back last year, victims are taking an increasingly hard line with hackers to strike fair deals.
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker group
News An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabs
News An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs