Attivo Networks Blogs

DARPA Gets Serious About Tackling Dwell Time

Written by: Carolyn Crandall, Chief Deception Officer and CMO

Dark Reading recently reported on a new Defense Advanced Research Projects Agency (DARPA)-funded research project at Georgia Tech aimed at reducing dwell time. The $12.8 million project, known as “Gnomon,” will look to establish new methods for faster threat detection and network cleanup. Funding for this kind of project could not come at a more critical time.

Although median dwell time had been falling steadily over the past few years, the number has plateaued. According to research from Mandiant, global average dwell time fell from 146 days in 2015 to 99 days in 2016. However, it ticked slightly upward last year, reaching 101 days, and it remains far higher outside of the United States. That is more than enough time for even a moderately capable attacker to map a network and carry out a cyber heist, a ransomware attack, or a disruption of services.

There is perhaps no one metric that organizations should follow more closely and scrutinize more than dwell time, and the reason most enterprises don’t is simple: they often just don’t know what it is. Equally concerning is that this year’s Mandiant report found that nearly half of surveyed organizations that were attacked went on to experience a subsequent attack the following year. Detecting the lateral movement of in-network threats can be quite complex, and alerts often do fire but are lost in a flood of other data feeds. Many organizations are simply unaware of threats in their network and all too often learn too late that they’ve been breached. Many of those breached will also lack the tools necessary to completely eradicate the threat and prevent an attack from happening again. The remedy lies in early detection, fast response, and full remediation: disrupt the attackers before they can cause any damage, close off that avenue of attack, and purge all artifacts and access hidden by the attacker.

The Gnomon project is promising. For starters, it is rooted in the stark reality that breaches are inevitable, and it proceeds from the recognition that investing solely in prevention is not practical. The project aims to establish a process that examines the behavior of the devices and systems attached to the network, determines when something exhibits suspicious behavior, and immediately begins remediation upon detection.

The best way to significantly cut dwell time is by adopting an Active Defense with deception-based detection technology that is designed to confuse an attacker into revealing themselves during early reconnaissance or credential theft. Deception technology easily deploys decoys, bait, and lures that appear identical to production assets, making an attacker’s mission far more difficult. The right deception solution can change the asymmetry of an attack, knocking attackers off their game and causing them to make mistakes and reveal their presence. What’s more, deception methods can gather enough forensic evidence to respond to and eradicate the threat quickly and accurately.
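The detection principle behind bait credentials is simple: a decoy account is never used by any legitimate person or process, so any authentication attempt with it is a high-fidelity signal regardless of whether the logon succeeds or fails. The following is an added example, not code from Attivo Networks or from the Gnomon project, that runs this check over a few constructed authentication log lines. The log format, hostnames, IP addresses and decoy account names are all assumptions made for the example; a real deployment would read the same fields from the directory or SIEM it has.

```python
"""Decoy-credential detection over sample authentication logs.

Added example (not Attivo's or Gnomon's code). Assumes the defender has
seeded a set of decoy account names into the environment; because no
legitimate process should ever use them, any logon attempt with one of
them is alerted on, success or failure alike. Log format and names are
constructed for the example.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed decoy accounts (hypothetical; seeded as bait, never used legitimately).
DECOY_ACCOUNTS = {"svc_backup_old", "adm_finance_tmp", "sql_replica"}

# Constructed log line format (hypothetical, syslog-like):
# <ISO timestamp> host=<hostname> event=<logon|logoff> user=<account> src=<ip> result=<success|failure>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    """One decoy touch: when, on which host, which decoy, from where, and the logon result."""
    ts: datetime
    host: str
    user: str
    src: str
    result: str


def parse_line(line):
    """Return the parsed fields of one log line, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_decoy_use(lines, decoys=DECOY_ACCOUNTS):
    """Return an Alert for every logon attempt (successful or not) that names a decoy account.

    Account names are compared case-insensitively, since directory logons are.
    Unparseable lines and non-logon events are skipped rather than raising.
    """
    decoys_lc = {d.lower() for d in decoys}
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["event"] != "logon":
            continue
        if rec["user"].lower() in decoys_lc:
            alerts.append(Alert(datetime.fromisoformat(rec["ts"]), rec["host"],
                                rec["user"], rec["src"], rec["result"]))
    return alerts


def first_contact(alerts):
    """Earliest decoy touch per source address.

    This timestamp is the detection moment that bounds dwell time for that
    source: the investigation then works backwards from it.
    """
    earliest = {}
    for a in alerts:
        if a.src not in earliest or a.ts < earliest[a.src]:
            earliest[a.src] = a.ts
    return earliest


# Constructed sample log: one ordinary user, one host probing two decoys, one junk line.
SAMPLE_LOG = """\
2018-04-02T09:12:03 host=dc01 event=logon user=jsmith src=10.0.1.25 result=success
2018-04-02T09:12:44 host=fs02 event=logon user=adm_finance_tmp src=10.0.1.77 result=failure
2018-04-02T09:13:01 host=fs02 event=logon user=ADM_FINANCE_TMP src=10.0.1.77 result=failure
2018-04-02T09:15:30 host=dc01 event=logon user=svc_backup_old src=10.0.1.77 result=success
2018-04-02T09:16:10 host=web01 event=logoff user=jsmith src=10.0.1.25 result=success
this line is not parseable
""".splitlines()

if __name__ == "__main__":
    found = detect_decoy_use(SAMPLE_LOG)
    for a in found:
        print(f"DECOY TOUCH {a.ts.isoformat()} host={a.host} user={a.user} src={a.src} result={a.result}")
    print("first contact per source:", first_contact(found))
```

Note that the two failed logons are alerted on just like the successful one: with bait credentials the attempt itself is the signal, which is what lets this kind of detection fire during reconnaissance rather than after a foothold is established. Only `10.0.1.77` appears in the first-contact map, and its earliest timestamp is the point from which an investigation would measure how long that source had been active.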

To avoid falling prey to today’s sophisticated attackers, organizations need to embrace more active defense measures like deception technology. With such innovation, one can quickly reveal threats across an ever-changing attack surface, reduce the time an attacker has to operate, and ultimately avoid becoming the victim of a breach. We look to Gnomon to yield fresh insights that can provide concrete examples of how organizations can benefit from, and implement, a stronger and more active cyber defense posture in the future.
