Attivo Networks Blogs

Attivo Survey Reveals That Dwell Time Remains Alarmingly High

Authored by: Carolyn Crandall, CMO, and Chief Deception Officer

A couple of weeks ago, Attivo Networks released the findings from the company’s annual “Top Threat Detection Trends” survey, with data collected from over 1,200 security professionals across North America, LATAM, Europe, and Australia. Last year’s findings contained several interesting data points, including the fact that more than 50% of respondents indicated that 100 or more days of dwell time—the period from when an attacker enters the network to when the organization detects them—was an accurate representation of their organization. This is obviously concerning, as reducing organizational dwell times to limit how long an attacker has inside a network is a critical initiative of cybersecurity professionals everywhere, and we were interested to see how those numbers had evolved.

Dwell Time Remains a Major Concern

Unfortunately, things have not progressed in a positive direction. One of the most concerning data points revealed by this year’s survey was that 64% of respondents answered that 100 days of dwell time seems either accurate for their organization or too low, a notable jump from last year’s number. Giving attackers 100 days or more of undetected access within a network is an alarming and unnecessary security risk. While perimeter security tools were once the primary means of defense, the ready availability of a wide range of advanced in-network detection tools today means that organizations have security controls they could use to remedy this. That security practitioners view 100 days or more of dwell time as increasingly commonplace highlights the widespread need for more effective in-network defenses, as does the fact that just 41% of respondents said they could detect lateral movement within the network in a day or less.

On a similar note, the survey revealed that the percentage of respondents who do not track dwell time rose by 7%, though the underlying reasons for this are unclear. Many smaller organizations may lack the necessary level of sophistication in their threat tracking, choosing instead to focus on prevention and protection controls like firewalls and antivirus software. While they have their uses, these tools simply don’t reveal enough information to defenders. We expect to see this trend turn around as more and more organizations begin to recognize that adversaries are slipping through the cracks, prompting more significant investment in strong in-network protections.

What Attacks Worry Defenders Most?

We found some small but notable shifts in the types of attacks that security teams are most concerned with. Malware and ransomware continue to loom largest in the minds of defenders, with last year’s 61% rising to 66% this year despite significant investments in prevention solutions within the industry. Unfortunately, today’s prevention technologies still struggle to detect and stop these attacks, and the industry’s growing concern reflects this. This shift also shows in declining concern about credential theft, which dropped from 52% to 46%, and about targeted attacks, which decreased from 50% to 45%. This change can likely be attributed to increased adoption of credential-based deception, making it more difficult for attackers to use these methods successfully. Malware will likely continue to be a significant security concern, as the growing trend in ransomware campaigns targeting critical network data to force higher payouts continues unabated. However, the current shelter-in-place and remote-work guidance will impact what security practitioners consider as worthy of concern in the coming months.

It is important to note, particularly at a time when remote working has increased, that concern over phishing and social engineering attacks has grown significantly, from 58% last year to 64% this year. These attacks are notoriously difficult to stop, as they exploit the fallibility of human users rather than attacking the network directly. Social engineering has always been a popular technique, but as security controls have grown more complex, attackers have increasingly used it as an easy way to bypass defenses. Fortunately, our survey indicates that defenders have greeted the rise in these attacks with appropriate concern. Still, it is something to keep an eye on as large numbers of employees must now work remotely. With workers at home, where there is greater potential for children, pets, or other distractions to divert one’s attention, mistakes will happen. Defenders will need to be accordingly vigilant during this time.

Securing New Attack Surfaces with Appropriate Tools

Another finding that stood out was that respondents are noticeably more concerned about securing user networks and endpoints. 65% of respondents named these as the attack surface that concerns them the most – an increase of 11% from last year. Unsurprisingly, securing the cloud remains a close second, and at 63%, it enjoyed only a modest increase from last year’s 62%. These numbers may reflect that cybersecurity teams are shifting their focus to the endpoint because of malware and ransomware concerns while emphasizing that protecting cloud services remains a top priority. It is also interesting to note that although the survey happened before the current coronavirus pandemic forced large numbers of employees to work remotely, remote workers still ranked as the third most concerning attack surface. Given current circumstances, this number will likely rise sharply soon.

The survey also revealed that complementary security technologies are on the rise. Deception technology and next-generation firewalls (NGFs) were among the tools that respondents believed were most concerning to potential attackers, just behind traffic analysis tools. This indicates that respondents believe that traffic analysis and NGF tools are the best solutions to identify known threats at the perimeter, while deception technology is best suited to detect and derail in-network activity from unknown threats. As both attackers and defenders work to stay one step ahead of one another, it is encouraging to see that defenders are turning to new and innovative security tools, understanding the need for both perimeter and in-network protections to complement one another.

Key Takeaways

This year’s survey produced an interesting mix of results. Some encouraging data indicated that defenders are treating new and emerging attack surfaces with an appropriate level of care. In contrast, some less-encouraging data reveals that organizations are still struggling to reduce dwell times. The results also indicate that the need for more robust in-network controls remains pressing, particularly as tools like deception technology can help not only reduce dwell time but also defend against ransomware attacks. As much of the world grapples with forced remote work, these areas of concern are only likely to grow, and understanding the most pressing areas of need can help InfoSec teams more effectively prioritize. As always, this year’s survey provided a fascinating glimpse into the state of the cybersecurity industry, and we look forward to seeing how these findings evolve in both the near and long term future.

Read the full report here.
