What is ransomware dwell time — and why does it matter?
Dwell time can be defined as the time between when a threat actor initially gains access to your environment and when they are detected.
In a ransomware attack, many organizations don’t detect threat actors until they have made themselves known by deploying ransomware, encrypting their files and locking them out until they pay a ransom.
These days, threat actors will add extortion (threatening to either leak sensitive information publicly or destroy it) to further incentivize and expedite ransom payment.
The bad news is that we’ve observed ransomware dwell time getting shorter and shorter, meaning it’s more critical than ever to identify real indicators of threat actor behavior early enough to stop an attack in progress. While the median dwell time for non-ransomware incidents was 45 days, the median for ransomware incidents was only five days, according to Mandiant’s 2021 M-Trends report. This significantly narrows the window of time organizations have to defend against an attack.
Time to security is more critical than ever – the longer it takes to contain a breach, the higher the financial impact. Breaches that took more than 200 days to identify and contain resulted in 35% higher cost for organizations, at $4.8 million on average, according to IBM’s Cost of a Data Breach report.
The overall financial impact of a ransomware breach extends far beyond just the ransom payment to include:
We cover costs in more detail in Comparing the Cost of a Ransomware Attack vs. a Cloud SIEM.
In Blumira’s own observations of real-life ransomware timelines, we have seen attackers deploy ransomware within three days after our platform initially detected threat actor behavior. But due to the vast number of techniques attackers employ, it can be difficult to know what’s critical and urgent to respond to in a timely manner.
Here are a few critical findings that have led to real ransomware attacks and that your IT team should look out for:
Potentially Malicious PowerShell Commands – Windows PowerShell commands and scripts are often abused by threat actors during an attack, before ransomware infection. They can be hard to detect and blend into legitimate administrative behaviors. However, if you see this finding, it’s important to investigate immediately and reach out to Blumira (if we haven’t already contacted you) for additional help.
PowerShell Malicious Execution Detection: Cobalt Strike – Cobalt Strike is software that was created for adversary simulations and red team operations. While it’s not commonly seen outside of red team or penetration test engagements, parts of this software can be used for malicious purposes.
Authentications From Outside of the U.S. – While not quite as critical as detecting malicious PowerShell commands and Cobalt Strike software, paying attention to a large number of suspicious login attempts coming from outside of your typical geographical region (especially if you do not have international employees) can be an initial indicator of threat actors attempting to access your environment.
RDP Connection From Public IP – This is a common way for attackers to gain initial access to your network using Remote Desktop Protocol (RDP), a Microsoft standard used to connect to computers remotely. It’s one of the most popular ransomware attack vectors, used in 50% of ransomware deployment cases (Unit 42 report). RDP itself is a legitimate tool, but if left unsecured and exposed to the internet, which may unintentionally happen due to misconfigurations, RDP connections can be easily exploited by attackers to gain direct access and control over your systems.
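One way an IT team can check its own logs for the RDP finding above, as an added example rather than Blumira’s detection logic: the script parses constructed, simplified records mirroring the fields of Windows Security Event ID 4624 (successful logon) and flags RemoteInteractive logons (LogonType 10, the RDP logon type) whose source address is outside private, loopback and link-local ranges. The sample records, user names and addresses are constructed for the example.

```python
import ipaddress
from typing import Dict, Iterable, List
# Constructed sample records (not real logs) in key=value form mirroring Windows Security Event 4624 fields.
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=10.0.4.22",       # RDP from the LAN
    "EventID=4624 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45",     # RDP from a public IP
    "EventID=4624 LogonType=3 TargetUserName=svc_backup IpAddress=203.0.113.9",  # network logon, not RDP
    "EventID=4624 LogonType=10 TargetUserName=jdoe IpAddress=198.51.100.7",      # RDP from a public IP
    "EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45",     # failed logon, out of scope here
    "EventID=4624 LogonType=10 TargetUserName=console IpAddress=127.0.0.1",      # loopback
    "EventID=4624 LogonType=10 TargetUserName=vpnuser IpAddress=-",              # no source address recorded
]
RDP_LOGON_TYPE = "10"  # LogonType 10 = RemoteInteractive (RDP / Terminal Services)
# Explicit ranges rather than ipaddress.is_global, which also excludes the TEST-NET ranges used in the sample.
NON_PUBLIC_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 loopback, ULA, link-local
)]

def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value record into a dict; tokens without '=' are skipped."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def is_public_ip(address: str) -> bool:
    """True for a parseable address that falls in none of the non-public ranges."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:  # '-', hostnames, empty strings
        return False
    return not any(ip in net for net in NON_PUBLIC_NETS)

def find_public_rdp_logons(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return successful RDP logons (4624, LogonType 10) whose source IP is public."""
    hits = []
    for ev in map(parse_event, lines):
        if ev.get("EventID") == "4624" and ev.get("LogonType") == RDP_LOGON_TYPE:
            if is_public_ip(ev.get("IpAddress", "")):
                hits.append(ev)
    return hits

if __name__ == "__main__":
    for hit in find_public_rdp_logons(SAMPLE_EVENTS):
        print(f"ALERT: RDP logon from public IP {hit['IpAddress']} as {hit['TargetUserName']}")
```

Run against the sample, only the two logons from 203.0.113.45 and 198.51.100.7 are reported; the failed logon, the non-RDP network logon and the loopback and address-less records are ignored.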
Many security solutions, including security information and event management (SIEM) tools, are so complex that they can take several months to deploy, lack essential detection and response capabilities, and require highly skilled security teams. As a result, organizations often give up on SIEM projects altogether, leaving critical security coverage gaps.
To help alleviate this problem, Blumira has released Cloud Connectors, a feature that speeds up typical SIEM deployment time from months to minutes, allowing small IT teams to set up cloud security quickly.
We’ve made it easy to:
Blumira is focused on providing better security outcomes by making security accessible to organizations of all sizes. Try it out today with a free trial.