December 4, 2025
Robert "RSnake" Hansen
Scanning environments quickly isn’t just a nice-to-have, the more I think about it. Attackers move faster than most institutions can process their own telemetry, if that telemetry exists at all. That speed gives attackers an advantage. Focusing only on the initial access vector, where they enter a network, overlooks the fact that almost all harm occurs after access is gained. Once an intruder is inside, time becomes the central variable. Hours wasted on noisy data or on weaknesses that pose no real risk give the intruder more room to complete their objectives.
There is a common belief that finding larger quantities of flaws leads to better security, but what matters is identifying the flaws that actually enable adversary movement inside a network, and doing it quickly. Today, security vendors can observe activity across multiple customer environments at once, and that is an advantage of a different kind.
One company might detect the early signs of an intrusion. In this case, they become the canary that alerts the vendor to the use of that initial access vector, after digital forensics and incident response (DFIR) analysis. If the vendor becomes aware of that compromise, they can use the information to help a second company. The second company might already have an intruder present but has not yet had the crown jewels compromised. The interval between those two conditions is the zone where post-compromise defense can still work. Shared intelligence allows defenders to intervene before the second organization reaches the same point of failure and loss as the initial canary organization.
Dwell time measures how long an intruder operates inside a network before detection. Many organizations underweight this factor, even though the risk grows each hour an attacker remains active. Defense has to operate with the speed of an operational process rather than as a slow checklist. Reducing the intruder’s active time in the environment reduces the eventual cost of the breach.
But for this to work, we need faster scanning. We can’t scan once a quarter or once a month, and even weekly feels a little slow, because by that point, even if the canary that was initially compromised is known, there is no way to know that the second company is vulnerable. Regular scanning at a much faster cadence than traditional vulnerability management companies operate at is therefore increasingly important for reducing dwell time at the second company.
Attention has to shift away from weaknesses that have no practical relevance and toward issues that enable movement inside a compromised network. When detection is fast and when response is guided by real adversary behavior rather than by compliance tasks, the economics change. The attacker’s effort increases and the likelihood of completing their objectives drops.
This approach does not promise perfect security for all customers, to be clear. It means there will always have to be at least one breached company to act as the canary, which is how virtually all lists of KEVs (known exploited vulnerabilities) work, incidentally.
The goal is to change the conditions under which attackers operate. If organizations reduce exposure time from days or weeks to something close to real time, the resulting losses decrease as well. Attackers no longer get extended periods inside a network while defenders work through internal debates about priorities. The strategy is to raise the cost for the intruder and lower the cost for the organization. Even a compromised environment can avoid major damage if the intruder is detected and interrupted before data extraction or system manipulation begins.