Dwell Time
What is Dwell Time?
The interval between an adversary's initial compromise of an environment and the defender's detection of that compromise — a headline industry metric reported annually by IR firms such as Mandiant.
Dwell time is the duration between initial intrusion and detection (sometimes broken into 'attacker dwell' until any defender action and 'detection dwell' until first confirmed alert). It is the single most cited efficacy metric in industry incident-response reports — Mandiant's M-Trends, IBM/Ponemon, CrowdStrike — and tracks how successful defenders are at finding adversaries before they finish their objectives. Historically median dwell times were measured in many months (Mandiant reported 416 days in 2011); by 2023–2024 medians had fallen to around 10 days globally for externally-notified incidents and a few days for ransomware-driven cases, both because attackers moved faster (ransomware shifted to days-to-encryption) and because defenders deployed better tooling (EDR, SIEM rule coverage, MDR). Dwell time alone can be misleading — fast detection of a brief intrusion may be worse than slow detection of a long one — so mature programs report it alongside Mean Time to Contain and Mean Time to Recover.
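To make the metric definitions above concrete, here is an added example (not part of the original glossary page) that computes detection dwell, attacker dwell, and the companion MTTC and MTTR figures from a handful of constructed incident records. The `Incident` fields, the case names and all timestamps are assumptions made up for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median

@dataclass
class Incident:
    """One IR case with the timestamps the dwell-time metrics are built from."""
    name: str
    compromised: datetime   # adversary's initial compromise
    first_alert: datetime   # first confirmed alert ('detection dwell' ends here)
    first_action: datetime  # first defender action ('attacker dwell' ends here)
    contained: datetime     # threat can no longer spread or exfiltrate
    recovered: datetime     # affected systems back to normal operation

def days(start, end):
    return (end - start).total_seconds() / 86400  # fractional days

def incident_metrics(inc):
    """Per-incident durations, following the definitions in the text above."""
    return {
        "detection_dwell": days(inc.compromised, inc.first_alert),
        "attacker_dwell": days(inc.compromised, inc.first_action),
        "time_to_contain": days(inc.first_alert, inc.contained),
        "time_to_recover": days(inc.first_alert, inc.recovered),
    }

def report(incidents):
    """Median dwell reported alongside MTTC and MTTR, as mature programs do."""
    rows = [incident_metrics(i) for i in incidents]
    return {
        "median_detection_dwell_days": median(r["detection_dwell"] for r in rows),
        "median_attacker_dwell_days": median(r["attacker_dwell"] for r in rows),
        "mttc_days": mean(r["time_to_contain"] for r in rows),
        "mttr_days": mean(r["time_to_recover"] for r in rows),
    }

def _ts(s):
    return datetime.fromisoformat(s)

# Constructed sample cases (not real data). The ransomware case has the
# shortest dwell but the longest recovery, which a dwell-only metric would hide.
SAMPLE_INCIDENTS = [
    Incident("aws-key-theft", _ts("2024-01-01T00:00"), _ts("2024-01-22T00:00"),
             _ts("2024-01-22T06:00"), _ts("2024-01-23T00:00"), _ts("2024-01-25T00:00")),
    Incident("ransomware", _ts("2024-03-01T00:00"), _ts("2024-03-03T00:00"),
             _ts("2024-03-03T04:00"), _ts("2024-03-04T00:00"), _ts("2024-03-14T00:00")),
    Incident("phish-to-vpn", _ts("2024-05-10T00:00"), _ts("2024-05-17T00:00"),
             _ts("2024-05-17T12:00"), _ts("2024-05-18T00:00"), _ts("2024-05-19T00:00")),
]
```

Calling `report(SAMPLE_INCIDENTS)` gives a median detection dwell of 7 days next to an MTTR of about 5.3 days, which is the side-by-side view the text recommends over dwell time alone.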
● Examples
- 01
A red-team retrospective records a 21-day dwell from initial AWS key compromise to first alert; the after-action focuses on cloud-control-plane detections.
- 02
A board update reports that median dwell time fell from 32 days last year to 7 days this year following EDR + MDR rollout.
● FAQ
What is Dwell Time?
The interval between an adversary's initial compromise of an environment and the defender's detection of that compromise — a headline industry metric reported annually by IR firms such as Mandiant. It belongs to the Defense & Operations category of cybersecurity.
What does Dwell Time mean?
The interval between an adversary's initial compromise of an environment and the defender's detection of that compromise — a headline industry metric reported annually by IR firms such as Mandiant.
How does Dwell Time work?
Dwell time is the duration between initial intrusion and detection (sometimes broken into 'attacker dwell' until any defender action and 'detection dwell' until first confirmed alert). It is the single most cited efficacy metric in industry incident-response reports — Mandiant's M-Trends, IBM/Ponemon, CrowdStrike — and tracks how successful defenders are at finding adversaries before they finish their objectives. Historically median dwell times were measured in many months (Mandiant reported 416 days in 2011); by 2023–2024 medians had fallen to around 10 days globally for externally-notified incidents and a few days for ransomware-driven cases, both because attackers moved faster (ransomware shifted to days-to-encryption) and because defenders deployed better tooling (EDR, SIEM rule coverage, MDR). Dwell time alone can be misleading — fast detection of a brief intrusion may be worse than slow detection of a long one — so mature programs report it alongside Mean Time to Contain and Mean Time to Recover.
How do you defend against Dwell Time?
Defending against Dwell Time usually combines technical controls with operational practices; see the full definition above.
What other names does Dwell Time go by?
Common aliases include: Attacker dwell time, Compromise-to-detect time.
● Related Terms
- defense-ops№ 735
MTTD (Mean Time to Detect)
The average elapsed time between the occurrence of a security incident and its identification by defenders.
- defense-ops№ 734
MTTC (Mean Time to Contain)
The average time from detection of a security incident until the threat can no longer spread, exfiltrate data, or cause further damage.
- defense-ops№ 737
MTTR (Mean Time to Respond)
The average time from detection of a security incident to the start of effective response actions against it.
- defense-ops№ 736
MTTR (Mean Time to Recover)
The average time needed after a security incident or service outage to restore affected systems and services to normal operation.
- forensics-ir№ 582
Incident Response
The organized process of preparing for, detecting, analyzing, containing, eradicating, and recovering from cybersecurity incidents, and capturing lessons learned.
- defense-ops№ 1267
Threat Hunting
A hypothesis-driven, proactive search through telemetry data to uncover threats that have evaded existing detections.