Dwell Time
What is Dwell Time?
The interval between an adversary's initial compromise of an environment and the defender's detection of that compromise — a headline industry metric reported annually by IR firms such as Mandiant.
Dwell time is the duration between initial intrusion and detection (sometimes broken into 'attacker dwell' until any defender action and 'detection dwell' until first confirmed alert). It is the single most cited efficacy metric in industry incident-response reports — Mandiant's M-Trends, IBM/Ponemon, CrowdStrike — and tracks how successful defenders are at finding adversaries before they finish their objectives. Historically median dwell times were measured in many months (Mandiant reported 416 days in 2011); by 2023–2024 medians had fallen to around 10 days globally for externally-notified incidents and a few days for ransomware-driven cases, both because attackers moved faster (ransomware shifted to days-to-encryption) and because defenders deployed better tooling (EDR, SIEM rule coverage, MDR). Dwell time alone can be misleading — fast detection of a brief intrusion may be worse than slow detection of a long one — so mature programs report it alongside Mean Time to Contain and Mean Time to Recover.
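To make the two dwell variants and the companion metrics concrete, here is an added example (not code from the original page) that computes attacker dwell, detection dwell, their medians, and Mean Time to Contain / Recover from a constructed set of incident timelines; measuring MTTC and MTTR from the first confirmed alert is this example's own assumption.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median


@dataclass(frozen=True)
class Incident:
    """Key timestamps from an incident timeline (all constructed for this example)."""
    name: str
    compromised: datetime   # earliest evidence of initial access, from the forensic timeline
    first_action: datetime  # first defender action of any kind (e.g. triage of a suspicious event)
    first_alert: datetime   # first confirmed alert or external notification
    contained: datetime     # threat can no longer spread, exfiltrate or cause further damage
    recovered: datetime     # affected systems back in normal operation


def days(start: datetime, end: datetime) -> float:
    return round((end - start).total_seconds() / 86400, 2)


def attacker_dwell(i: Incident) -> float:
    """Compromise -> any defender action."""
    return days(i.compromised, i.first_action)


def detection_dwell(i: Incident) -> float:
    """Compromise -> first confirmed alert."""
    return days(i.compromised, i.first_alert)


def summarize(incidents: list[Incident]) -> dict[str, float]:
    """Median dwell figures reported next to MTTC and MTTR (assumption: both
    containment and recovery are measured from the first confirmed alert)."""
    return {
        "median_attacker_dwell_days": median(attacker_dwell(i) for i in incidents),
        "median_detection_dwell_days": median(detection_dwell(i) for i in incidents),
        "mttc_days": round(mean(days(i.first_alert, i.contained) for i in incidents), 2),
        "mttr_days": round(mean(days(i.first_alert, i.recovered) for i in incidents), 2),
    }


# Constructed sample: a cloud credential compromise, a ransomware case and an
# externally-notified intrusion. Dates are illustrative, not from any real report.
INCIDENTS = [
    Incident("cloud-key", datetime(2024, 3, 1), datetime(2024, 3, 22), datetime(2024, 3, 22),
             datetime(2024, 3, 24), datetime(2024, 3, 29)),
    Incident("ransomware", datetime(2024, 5, 10), datetime(2024, 5, 13), datetime(2024, 5, 13),
             datetime(2024, 5, 14), datetime(2024, 5, 24)),
    Incident("partner-notified", datetime(2024, 1, 5), datetime(2024, 1, 14), datetime(2024, 1, 15),
             datetime(2024, 1, 18), datetime(2024, 1, 20)),
]

if __name__ == "__main__":
    for inc in INCIDENTS:
        print(f"{inc.name:17} attacker dwell {attacker_dwell(inc):5.1f}d  detection dwell {detection_dwell(inc):5.1f}d")
    print(summarize(INCIDENTS))
```

Per-incident dwell should be read next to the summary: the ransomware case has the shortest dwell but the longest recovery, which is exactly the case where dwell time alone misleads.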
● Examples
- 01
A red-team retrospective records a 21-day dwell from initial AWS key compromise to first alert; the after-action focuses on cloud-control-plane detections.
- 02
A board update reports that median dwell time fell from 32 days last year to 7 days this year following EDR + MDR rollout.
● FAQ
What is Dwell Time?
The interval between an adversary's initial compromise of an environment and the defender's detection of that compromise — a headline industry metric reported annually by IR firms such as Mandiant. It belongs to the Defense & Operations category of cybersecurity.
How do you defend against Dwell Time?
Defense against Dwell Time usually combines technical controls and operational practices, as described in the definition above.
What are other names for Dwell Time?
Common aliases: Attacker dwell time, Compromise-to-detect time.
● Related terms
- defense-ops№ 735
MTTD (Mean Time to Detect)
The mean time from the occurrence of a security incident until the defender becomes aware of it.
- defense-ops№ 734
MTTC (Mean Time to Contain)
The mean time from detection of a security incident until the threat reaches a state where it can no longer spread, exfiltrate data, or cause further damage.
- defense-ops№ 737
MTTR (Mean Time to Respond)
The mean time from detection of a security incident until effective response actions are started.
- defense-ops№ 736
MTTR (Mean Time to Recover)
The mean time after a security incident or outage until the affected systems and services are restored to normal operation.
- forensics-ir№ 582
Incident Response
The organizational process of systematically preparing for, detecting, analyzing, containing, eradicating and recovering from cyber incidents, and feeding the lessons learned back into the program.
- defense-ops№ 1267
Threat Hunting
Proactive, hypothesis-driven exploration of telemetry to find threats that slipped past existing detections.