The Dwell Time Dilemma: How Dwell Time Fuels Network Sprawl


November 25, 2025


Despite billions spent on cybersecurity, threat actors continue to operate undetected inside of networks for extended periods, carrying out devastating attacks.

According to the 2025 Global Threat Landscape Report, threat actors had access to systems for an average of two weeks before a ransomware incident. However, recent cybersecurity incidents prove that this number can far exceed the average, stretching into years. For enterprises managing critical infrastructure, financial systems, or sensitive intellectual property, shrinking that time is essential to minimize the effects of cyberattacks.

What is Dwell Time?

Dwell time is the span of time in which a threat actor goes undetected inside a compromised network — from the point of initial access until their presence is discovered and the threat is eliminated. 

The longer an attacker dwells, the greater the potential for damage. This time enables threat actors to conduct comprehensive reconnaissance, privilege escalation, lateral movement across systems, and the systemic identification and theft of an organization’s most sensitive data.

And the strategic implications are severe. Operational disruption, regulatory penalties, erosion of stakeholder trust, and financial impact scale with the duration of the compromise.

Threat Actors Leverage Dwell Time to Advance Their Objectives 

Dwell time varies with attacker objectives and sophistication, ranging from an instant to several hours to many years.

High-speed attackers can move from initial compromise to high-value assets in seconds, utilizing high-impact approaches designed for fast, destructive results.

The most severe compromises, however, often involve longer dwell times. During these longer dwell times, the attacker has the luxury of time to become fully embedded in their victim’s network. With that prolonged access, they can systematically map critical infrastructure, identify dependencies, and get into position for maximum disruption.

Consider the threat group Volt Typhoon. Over the last year, nearly a quarter of organizations we surveyed said Volt Typhoon was detected in their networks. These threat actors make themselves invisible to the organization they’re breaching, remaining undetected for extended periods — sometimes years. With this approach, Volt Typhoon has compromised 23 pipeline operators, as well as water/wastewater systems, communications, transportation, manufacturing, and government groups.

Threat actors like Volt Typhoon use a number of different tactics to conceal their activities, making it easier to extend their dwell time and progress methodically through each stage of their attack without detection.

Identity Compromise

Threat actors often use valid business accounts, compromising identities to gain access and move laterally undetected. Our findings indicate that compromised credentials or brute-force attacks are among the most common initial points of entry for attackers targeting a given organization (12%). Once inside the network, attackers can easily reach data and systems across the enterprise while looking like a typical user.

Encryption

Attackers also hide behind encrypted communications. Threat actors routinely weaponize standard encryption protocols (TLS, SSH, and encrypted DNS) to tunnel malicious commands, move laterally across systems, mask malicious payloads, and exfiltrate sensitive data. At the same time, they evade security detection, because their traffic looks just like legitimate business communications.

Network Gaps

According to our data, the public cloud, third-party services and integrations, and generative AI applications represent the most significant cybersecurity risks to organizations. Attackers often take advantage of blind spots across these environments to remain covert. 

The public cloud provides massive scale that allows malicious activity to blend in with legitimate user and system traffic; third-party services furnish attackers with established, authorized credentials (like API tokens) to operate as a trusted entity; and generative AI applications introduce novel security blind spots that facilitate attacks masked as routine user interaction, collectively creating persistent and difficult-to-detect opportunities for threat actors.

Lateral Movement Extends Dwell Time and its Impact

Lateral movement is the engine that extends dwell time. It is the stage of an attack in which a threat actor moves from the initially compromised system to other systems deeper within the network, ultimately reaching high-value targets.

During this phase, attackers are able to transform a minor breach into full-scale infiltration, leading to widespread compromise. Activities include:

  • Hunting for the Crown Jewels: While moving laterally, attackers quietly map the network, identify critical assets, study network hierarchies, and locate servers that hold financial records, intellectual property, and personally identifiable information. 
  • Escalating Privileges: By moving from a low-profile workstation to an internal server, where an administrator recently logged in, for example, attackers can steal high-value credentials to get closer to their target.
  • Establishing Persistence and Maximizing Impact: Attackers move laterally to establish multiple backdoors on various systems and servers. If one access point is discovered and cut off, they can simply use another path, ensuring that they maintain access and prolong their total time inside the network as much as possible. The more that they can continue moving laterally, the greater number of resources they can compromise.

How to Detect Lateral Movement

The ultimate objective for defenders is to drive dwell time toward zero by catching the adversary early in the attack sequence. Attackers are most active and therefore most detectable during the critical lateral movement phase, which provides ample opportunity to shrink that breach window.

Successfully capitalizing on this, however, requires the organization to deploy specific visibility and security toolsets that can monitor and analyze internal network and endpoint activity for anomalous behaviors.

Exposing Internal Reconnaissance Activities

Attackers actively use compromised identities, encryption, and network blind spots to hide, move slowly, and evade detection while conducting internal reconnaissance. 

To expose evasive threats, security teams must analyze East-West (internal) traffic for anomalous data flows. This requires deep visibility, including protocol decryption, to see through encryption, and identity mapping to track compromised users, effectively closing network blind spots that enable long dwell times.

This level of detection requires:

  • Establishing a behavioral baseline so that it is easy to tell when activity deviates from normal patterns.
  • Decrypting traffic to expose hidden threats and evasive techniques, such as the data flows and command-and-control communications that power lateral movement.
  • Identifying attackers abusing protocols like LDAP to enumerate Active Directory (AD) users.
  • Automatically classifying crown jewels so that connection attempts by new or low-privilege devices trigger alerts.
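The baseline-and-deviation idea in the list above, worked through in code. This is an added example, not ExtraHop's code: the flow records are constructed (ten workstations querying a domain controller for a week, then one of them issuing a burst of LDAP queries and reaching a finance file server), and the thresholds, the hourly bucketing and the crown-jewel list are assumptions.

```python
"""Behavioral baseline over East-West flow records, with two checks:
(1) an LDAP request burst from one client against a domain controller, and
(2) a connection to a classified crown-jewel server from a device that never
talked to it during the baseline window.
Added example; not ExtraHop code. Flow records, thresholds and the
crown-jewel list are constructed assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds since epoch (constructed)
    src: str       # client host name (identity-mapped, not a bare IP)
    dst: str       # server host name
    proto: str     # application protocol as decoded from the wire
    requests: int  # application-layer requests carried by the flow


# Constructed baseline: ten workstations, one LDAP flow per hour for a week,
# each issuing a small, stable number of queries to dc01.
BASELINE = [
    Flow(ts, "ws-%02d" % i, "dc01", "LDAP", 3 + i % 4)
    for ts in range(0, 7 * 86400, 3600)
    for i in range(1, 11)
]

# Constructed detection window (hour 168): everyone behaves as before, except
# ws-07, which fires 4200 LDAP queries at dc01 and then reaches a finance server.
WINDOW_START = 7 * 86400
WINDOW = [Flow(WINDOW_START, "ws-%02d" % i, "dc01", "LDAP", 3 + i % 4) for i in range(1, 11)]
WINDOW += [
    Flow(WINDOW_START + 1200, "ws-07", "dc01", "LDAP", 4200),
    Flow(WINDOW_START + 1500, "ws-07", "fileserver-finance", "SMB", 12),
]

# Assumed classification of crown-jewel servers (in practice fed by asset inventory).
CROWN_JEWELS = {"fileserver-finance", "hr-db01"}


def ldap_baseline(flows):
    """Per-client (mean, population stdev) of hourly LDAP request counts."""
    per_hour = defaultdict(Counter)  # client -> hour bucket -> requests
    for f in flows:
        if f.proto == "LDAP":
            per_hour[f.src][f.ts // 3600] += f.requests
    return {c: (mean(list(h.values())), pstdev(list(h.values())))
            for c, h in per_hour.items()}


def detect(baseline_flows, window_flows, factor=10, sigmas=5):
    """Return alerts as (kind, client, detail) tuples for the detection window."""
    stats = ldap_baseline(baseline_flows)
    known_pairs = {(f.src, f.dst) for f in baseline_flows}
    alerts = []
    hourly = defaultdict(int)  # (client, hour bucket) -> LDAP requests in window

    for f in window_flows:
        if f.proto == "LDAP":
            hourly[(f.src, f.ts // 3600)] += f.requests
        # crown-jewel check: a device with no baseline history to this server
        if f.dst in CROWN_JEWELS and (f.src, f.dst) not in known_pairs:
            alerts.append(("new-device-to-crown-jewel", f.src, f.dst))

    for (client, _hour), n in hourly.items():
        if client not in stats:
            # never seen issuing LDAP during the baseline: worth a look on its own
            alerts.append(("ldap-from-unbaselined-host", client, n))
            continue
        m, sd = stats[client]
        # deviation threshold: a multiple of the mean or mean + k sigma, whichever
        # is larger, so a perfectly flat baseline (sd == 0) still has a floor
        if n > max(factor * m, m + sigmas * sd):
            alerts.append(("ldap-enumeration-burst", client, n))
    return alerts


if __name__ == "__main__":
    for a in detect(BASELINE, WINDOW):
        print(a)
```

The two checks are deliberately keyed on host identity rather than IP address, and the request counts come from the decoded application layer, which is exactly the visibility the text says decryption and identity mapping have to provide; with only packet counts or NetFlow, the burst would be invisible inside an otherwise ordinary LDAP session.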

Countering Privilege Escalation

Attackers then turn to escalating privileges to gain deeper system access. One common way attackers do this is through the use of stolen credentials, which makes it easier for them to reach previously inaccessible systems and data repositories completely undetected. Successfully combating privilege escalation requires security teams to detect, follow, and investigate credential misuse in real time by:

  • Analyzing Kerberos and NTLM authentication traffic, which can reveal subtle indicators such as malformed requests, out-of-sequence authentication attempts, and Pass-the-Hash attacks.
  • Tracking user identities, not IP addresses, to establish a persistent chain of custody and accurately map the attack path.
  • Proactively hunting for threats and validating suspicious patterns before they escalate.
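How the authentication-traffic analysis and identity tracking above can be expressed as detection logic. This is an added example and not ExtraHop's code: the Kerberos and NTLM events are constructed, the ten-hour ticket lifetime is an assumption, and both checks (a TGS-REQ from a host that never obtained a TGT for that identity, and NTLM use by an identity that normally uses Kerberos from a host it has never used) are heuristics that need a baseline window preceding the detection window.

```python
"""Credential-misuse analysis over Kerberos/NTLM authentication events.
Added example; not ExtraHop code. Events are constructed; the out-of-sequence
and NTLM-from-new-host checks are heuristics assuming a ten-hour ticket lifetime
and a baseline window that precedes detection."""
from collections import defaultdict
from dataclasses import dataclass

DAY = 86400
T0800, T0801, T1000, T1005 = 8 * 3600, 8 * 3600 + 60, 10 * 3600, 10 * 3600 + 300


@dataclass(frozen=True)
class AuthEvent:
    ts: int       # seconds since epoch (constructed)
    client: str   # host the request came from
    user: str     # account identity (what we track, not the IP)
    proto: str    # "KRB" or "NTLM"
    msg: str      # "AS-REQ", "TGS-REQ" or "NTLM-AUTH"
    target: str   # "krbtgt" for AS-REQ, otherwise the service requested


def _daily(day, user, host, service):
    """Constructed normal morning: obtain a TGT, then a service ticket."""
    return [
        AuthEvent(day * DAY + T0800, host, user, "KRB", "AS-REQ", "krbtgt"),
        AuthEvent(day * DAY + T0801, host, user, "KRB", "TGS-REQ", service),
    ]


# Five days of baseline: alice on ws-alice to cifs/fs01, bob on ws-bob to ldap/dc01.
BASELINE = [e for d in range(5)
            for e in _daily(d, "alice", "ws-alice", "cifs/fs01")
            + _daily(d, "bob", "ws-bob", "ldap/dc01")]

# Day 5: both users behave normally, but alice's identity also appears on ws-07,
# requesting a service ticket with no AS-REQ from that host, then using NTLM.
WINDOW = _daily(5, "alice", "ws-alice", "cifs/fs01") + _daily(5, "bob", "ws-bob", "ldap/dc01") + [
    AuthEvent(5 * DAY + T1000, "ws-07", "alice", "KRB", "TGS-REQ", "cifs/fs01"),
    AuthEvent(5 * DAY + T1005, "ws-07", "alice", "NTLM", "NTLM-AUTH", "hr-db01"),
]


def analyze(baseline, window, ticket_lifetime=10 * 3600):
    """Return findings (kind, user, client, target) for events in the window."""
    protos, hosts = defaultdict(set), defaultdict(set)
    for e in baseline:
        protos[e.user].add(e.proto)   # auth protocols this identity normally uses
        hosts[e.user].add(e.client)   # hosts this identity normally comes from

    in_window = set(window)
    last_as = {}  # (client, user) -> ts of the most recent AS-REQ from that pair
    findings = []
    for e in sorted(baseline + window, key=lambda e: e.ts):
        if e.msg == "AS-REQ":
            last_as[(e.client, e.user)] = e.ts
            continue
        if e not in in_window:
            continue  # baseline events only prime state; they are not alerted on
        if e.msg == "TGS-REQ":
            t = last_as.get((e.client, e.user))
            # service ticket requested from a host that never obtained a TGT for this
            # identity, or did so longer ago than a ticket could still be valid
            if t is None or e.ts - t > ticket_lifetime:
                findings.append(("out-of-sequence-tgs", e.user, e.client, e.target))
        elif e.msg == "NTLM-AUTH":
            # an identity that normally uses Kerberos now authenticating over NTLM from
            # a host it has never used: consistent with Pass-the-Hash style credential reuse
            if "NTLM" not in protos[e.user] and e.client not in hosts[e.user]:
                findings.append(("ntlm-from-new-host", e.user, e.client, e.target))
    return findings


def identity_path(events, user):
    """Ordered, de-duplicated (client -> target) hops for one identity: the chain
    of custody the text describes, keyed on the user rather than on IP addresses."""
    path = []
    for e in sorted(events, key=lambda e: e.ts):
        hop = (e.client, e.target)
        if e.user == user and hop not in path:
            path.append(hop)
    return path


if __name__ == "__main__":
    for f in analyze(BASELINE, WINDOW):
        print(f)
    print(identity_path(WINDOW, "alice"))
```

Note that the out-of-sequence check will also fire on the first day a sensor is deployed, since TGTs obtained before capture began are never seen; in practice the baseline has to run at least one ticket lifetime before findings from that rule are trusted.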

Establishing Persistence and Containing Impact

Attackers often establish persistence through a “living off the land” approach, weaponizing trusted administrative tools such as Remote Desktop Protocol (RDP), Windows Management Instrumentation (WMI), and PowerShell to blend in with routine operations. Detecting and containing the impact of these tactics means establishing what normal looks like (which devices communicate, which users access which systems, and how administrative tools are typically used) and having response policies ready for when these activities are detected, by:

  • Enforcing access policies that flag and block the use of remote services between devices that have never communicated before, serving as built-in checks for backdoors and insider threats.
  • Correlating detections and investigations via forensics and analytics that help to map the full blast radius of an attack.
  • Enabling automated response capabilities to isolate compromised systems and minimize total dwell time.
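The three bullets above (a pair-based access policy for remote services, blast-radius mapping, and an automated isolation decision) as one worked script. This is an added example, not ExtraHop's code: the connection records are constructed, the port-to-service map uses well-known ports only (WMI begins on the RPC endpoint mapper at 135 before moving to a dynamic port, PowerShell remoting runs over WinRM on 5985/5986), and the enforce/monitor policy modes and the do-not-isolate list for domain controllers are assumptions.

```python
"""Policy check on remote-administration connections between device pairs that
have no baseline history, plus blast-radius mapping and an isolation decision.
Added example; not ExtraHop code. Connection records, the port-to-service map
and the policy modes are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# Services commonly ridden for living-off-the-land movement. Well-known ports only;
# WMI starts on the RPC endpoint mapper (135) before moving to a dynamic port.
REMOTE_ADMIN = {3389: "RDP", 135: "WMI/DCOM", 5985: "WinRM", 5986: "WinRM-TLS", 22: "SSH"}


@dataclass(frozen=True)
class Conn:
    ts: int      # seconds since epoch (constructed)
    src: str     # initiating device
    dst: str     # responding device
    dport: int   # destination port


# Constructed baseline: the jump host RDPs to srv01 every day for a week.
BASELINE = [Conn(d * 86400 + 32400, "admin-jump", "srv01", 3389) for d in range(7)]

# Constructed detection window: a workstation RDPs to srv02 (never seen before),
# srv02 then opens WMI to dc01 (never seen before), the jump host does its usual
# thing, and ws-03 talks HTTPS to srv01 (not a remote-admin service; ignored here).
W = 7 * 86400
WINDOW = [
    Conn(W + 600, "ws-07", "srv02", 3389),
    Conn(W + 900, "srv02", "dc01", 135),
    Conn(W + 32400, "admin-jump", "srv01", 3389),
    Conn(W + 33000, "ws-03", "srv01", 443),
]


def evaluate(baseline, window, enforce=True):
    """Decide per remote-admin connection: 'allow' for a pair with baseline history,
    otherwise 'block' (enforce mode) or 'alert' (monitor-only).
    Returns (decision, src, dst, service) tuples in time order."""
    known_pairs = {(c.src, c.dst, c.dport) for c in baseline if c.dport in REMOTE_ADMIN}
    decisions = []
    for c in sorted(window, key=lambda c: c.ts):
        service = REMOTE_ADMIN.get(c.dport)
        if service is None:
            continue  # not a remote-administration service; outside this policy
        if (c.src, c.dst, c.dport) in known_pairs:
            decisions.append(("allow", c.src, c.dst, service))
        else:
            decisions.append(("block" if enforce else "alert", c.src, c.dst, service))
    return decisions


def blast_radius(window, seed):
    """Hosts reachable from `seed` over remote-admin connections seen in the window
    (breadth-first over src -> dst edges): the investigation's blast radius."""
    edges = defaultdict(set)
    for c in window:
        if c.dport in REMOTE_ADMIN:
            edges[c.src].add(c.dst)
    seen, frontier = {seed}, [seed]
    while frontier:
        host = frontier.pop(0)
        for nxt in edges[host]:
            if nxt not in seen:
                seen.add(nxt)
                frontier.append(nxt)
    return seen


def isolation_set(window, seed, protected=frozenset({"dc01"})):
    """Automated-response candidates: everything in the blast radius except hosts on
    a do-not-isolate list (an assumed safeguard so a domain controller is never cut
    off automatically); the protected hosts are returned separately for a human call."""
    radius = blast_radius(window, seed)
    return sorted(radius - protected), sorted(radius & protected)


if __name__ == "__main__":
    for d in evaluate(BASELINE, WINDOW):
        print(d)
    print(blast_radius(WINDOW, "ws-07"))
    print(isolation_set(WINDOW, "ws-07"))
```

The policy keys on the (source, destination, service) triple rather than on the source alone, so the jump host's routine RDP session is allowed while the same protocol from a workstation that has never reached that server is not; the blast-radius walk then turns the individual detections into the full set of systems an investigator has to consider, which is the correlation step the second bullet describes.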

Seizing the Moment to Detect Lateral Movement and Minimize Dwell Time

The ability to detect and contain lateral movement is not merely an advantage; it is a non-negotiable factor that directly governs adversary dwell time and determines the ultimate scale of a breach.

The network, where attackers attempt to shift across systems, escalate privileges, and establish persistence, offers defenders a definitive and measurable opportunity to level the playing field.

It’s no longer about merely preparing for inevitable network compromise, but ensuring that defenders possess the visibility and speed required to seize this decisive moment and minimize the attacker’s window of opportunity.




Anthony James

Vice President, Product Management and Product Marketing
