# Dwell Analytics

[[Dwell Analytics]] is an [[Adversary Research]] capability in Cybersecurity that measures the time from when an adversary starts an attack to the time it is detected and remediated (dwell). Analysis of dwell alongside persona definitions provides adversary insights that help inform decisions on where to invest in defenses and detections, and helps drive prioritization and SLAs for security defects. As controls are implemented, it provides insight into control effectiveness and detects whether adversaries pivot to other areas or methods.

## Map

```mermaid
<!-- element style="width:90%; height:auto" -->
graph TD
Top[[Cybersecurity]] --- A[[Adversary Research]]
A --- A.1[[Persona Management]]
A --- A.2[[Dwell Analytics]]
A --- A.3[[Exploit Management]]
A --- A.4[[Target Prediction]]
A --- A.5[[Adversary Intelligence]]
A.2 --- A.2.1[[Dwell Calculation]]
A.2.1 --- A.2.2[[Dwell Trending]]
A.2.2 --- A.2.3[[Dwell Assessment]]
A.2.3 --- A.2.4[[Dwell Insights]]

%% Class Definitions
%% =====================
class Top,A,A.1,A.2,A.2,A.3,A.4,A.5,A.6,B,B.1,B.2,B.3,B.4,B.5,C,C.1,C.2,C.3,C.4,D,D.1,D.2,D.3,D.4,D.5,E,E.1,E.2,E.3,E.4,E.5,E.6 internal-link,font-color:white;
class Top cssClassL0;
classDef cssClassL0 fill:black,stroke:black,stroke-width:4px,font-size:15px,font-color:white;
class A,B,C,D,E cssClassL1;
classDef cssClassL1 fill:darkblue,stroke:darkblue,stroke-width:4px,font-size:15px,font-color:white;
class A.1,A.3,A.4,A.5,A.6,B.1,B.2,B.3,B.4,B.5,C.1,C.2,C.3,C.4,D.1,D.2,D.3,D.4,D.5,E.1,E.2,E.3,E.4,E.5,E.6 cssClassL2;
classDef cssClassL2 fill:blue,stroke:blue,stroke-width:4px,font-size:15px,font-color:white;
class A.2 cssClassCurrent;
classDef cssClassCurrent fill:#2f9503,stroke:#2f9503,stroke-width:4px,font-size:15px,font-color:white;
```

## Definition

>[!success] Definition
> Dwell Analytics is the analysis of dwell and adversary personas to discover insights on adversary activity. These insights help inform security investment decisions and show how changes in your environment affect adversaries' behaviors.

## Goals

>[!cm-goal] Goal 1
> **Measure Dwell** - the ability to measure dwell for each persona and track how adversary behavior changes over time.

>[!cm-goal] Goal 2
> **Dwell Insights** - provide adversary insights through analysis of dwell to highlight spikes and drop-offs in adversary activity, supporting business decisions and prioritization.

>[!cm-goal] Goal 3
> **Measure Control Effectiveness** - the ability to measure security control effectiveness based on adversary activity. Outcomes should show whether adversary activity slowed, increased, or moved to another area of the attack surface.

## Scope

The scope of Dwell Analytics covers all known adversaries that may be interested in your organization's assets or applications. Your initial scope should start with known adversaries, then expand to finding the less-known and unknown adversaries in your environment. Dwell should be measured at both the adversary persona and the asset level.

## Process (add attack surface)

```mermaid
flowchart LR
A1[Adversary<br/>Persona Catalog] --> B[1. Map Events/Alerts<br />To Personas]
A2[Ingest Events<br/>and Alerts] --> B
B --> C[2. Calculate<br />Dwell]
C --> D[3. Evaluate Dwell<br />Trends]
D --> E[4. Identify High<br />Dwell Areas]
E --> F[Share Dwell<br />Insights]
E -.->| Repeat | B
```

## Metrics

>[!cm-metric] Metric: Average Dwell per Persona

>[!cm-metric] Metric: Average Organizational Dwell (MoM)

>[!cm-metric] Metric: Average Organizational Dwell (YoY)

>[!cm-metric] Metric: % Adversary Activity Visibility

>[!cm-metric] Metric: % Adversary Traffic vs. Total Traffic

## Inspiration & Resources

+ https://news.sophos.com/en-us/2023/08/23/active-adversary-for-tech-leaders/
+ https://blog.gigamon.com/2022/02/09/eliminating-adversaries-dwell-time-advantage/
+ [Attacker Dwell Time: Ransomware's Most Important Metric (darkreading.com)](https://www.darkreading.com/cyber-risk/attacker-dwell-time-ransomware-s-most-important-metric)
+ [SANS Security Awareness Blog Post | Security Awareness Metrics – What to Measure and How](https://www.sans.org/blog/security-awareness-metrics-what-to-measure-and-how/)

## Release Notes

+ [[Q2 2024 Release#Document Dwell Analytics for Adversary Research]]

## [Cyber City Map](https://cybercitymap.com/) © 2023-2024 by [ThirdScore, Inc.](https://thirdscore.com/) All Rights Reserved.
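## Worked Example

The process above (map events and alerts to personas, calculate dwell, evaluate trends, identify high-dwell areas) carried through in code. This is an added example, not code from the Cyber City Map page or from ThirdScore: the persona catalog, the indicator tags, the event stream and the asset names are all constructed, and the "% Adversary Activity Visibility" metric is interpreted here, as an assumption, as the share of intrusion episodes in which a detection fired before remediation. An episode is one (persona, asset) run of activity that ends at remediation; a new activity after remediation opens a fresh episode so repeat visits are measured separately rather than merged.

```python
"""Dwell calculation over constructed sample events (added example, not the page's code)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed persona catalog: persona name -> indicator tags carried by events/alerts.
# In practice this comes from Persona Management; the names here are illustrative.
PERSONA_CATALOG = {
    "credential-stuffer": {"login-burst", "password-spray"},
    "web-scraper": {"high-rate-get", "headless-ua"},
    "ransomware-affiliate": {"rdp-brute", "smb-lateral", "mass-encrypt"},
}

# Constructed event stream. kind is "activity" (raw telemetry), "alert" (a detection
# fired) or "remediated" (containment complete). Timestamps are ISO 8601.
EVENTS = [
    {"ts": "2024-01-03T08:00:00", "asset": "login-api", "kind": "activity", "tags": ["login-burst"]},
    {"ts": "2024-01-03T14:00:00", "asset": "login-api", "kind": "alert", "tags": ["password-spray"]},
    {"ts": "2024-01-03T20:00:00", "asset": "login-api", "kind": "remediated", "tags": ["password-spray"]},
    {"ts": "2024-01-10T00:00:00", "asset": "catalog-web", "kind": "activity", "tags": ["high-rate-get"]},
    {"ts": "2024-01-12T00:00:00", "asset": "catalog-web", "kind": "remediated", "tags": ["headless-ua"]},
    {"ts": "2024-02-01T00:00:00", "asset": "fileserver-7", "kind": "activity", "tags": ["rdp-brute"]},
    {"ts": "2024-02-04T00:00:00", "asset": "fileserver-7", "kind": "alert", "tags": ["smb-lateral"]},
    {"ts": "2024-02-05T00:00:00", "asset": "fileserver-7", "kind": "remediated", "tags": ["mass-encrypt"]},
    {"ts": "2024-02-20T06:00:00", "asset": "login-api", "kind": "activity", "tags": ["password-spray"]},
    {"ts": "2024-02-20T06:30:00", "asset": "login-api", "kind": "alert", "tags": ["password-spray"]},
    {"ts": "2024-02-20T09:00:00", "asset": "login-api", "kind": "remediated", "tags": ["login-burst"]},
    {"ts": "2024-02-25T00:00:00", "asset": "unknown-box", "kind": "activity", "tags": ["weird-thing"]},
]


def map_to_persona(event, catalog=PERSONA_CATALOG):
    """Step 1: attach an event/alert to the first persona whose indicators match its tags."""
    tags = set(event["tags"])
    for persona, indicators in catalog.items():
        if tags & indicators:
            return persona
    return None  # unmapped: a catalog gap to feed back to Persona Management


def build_episodes(events, catalog=PERSONA_CATALOG):
    """Group mapped events into intrusion episodes keyed by (persona, asset).
    The earliest event seen (of any kind) is the known start; remediation closes the
    episode, so a later activity on the same key opens a new one."""
    episodes, open_ep = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        persona = map_to_persona(ev, catalog)
        if persona is None:
            continue  # unmapped activity is not attributed, so it carries no dwell
        key, ts = (persona, ev["asset"]), datetime.fromisoformat(ev["ts"])
        ep = open_ep.get(key)
        if ep is None:
            ep = {"persona": persona, "asset": ev["asset"], "start": ts,
                  "first_alert": None, "remediated": None}
            episodes.append(ep)
            open_ep[key] = ep
        if ev["kind"] == "alert" and ep["first_alert"] is None:
            ep["first_alert"] = ts
        elif ev["kind"] == "remediated":
            ep["remediated"] = ts
            del open_ep[key]
    return episodes


def hours(start, end):
    return (end - start).total_seconds() / 3600


def dwell_per_persona(episodes):
    """Step 2: average dwell (start -> remediation) in hours per persona.
    Episodes not yet remediated are excluded rather than guessed at."""
    by_persona = defaultdict(list)
    for ep in episodes:
        if ep["remediated"] is not None:
            by_persona[ep["persona"]].append(hours(ep["start"], ep["remediated"]))
    return {p: round(mean(v), 2) for p, v in by_persona.items()}


def org_dwell_by_month(episodes):
    """Step 3: month-over-month organizational average dwell, keyed by YYYY-MM of episode start."""
    by_month = defaultdict(list)
    for ep in episodes:
        if ep["remediated"] is not None:
            by_month[ep["start"].strftime("%Y-%m")].append(hours(ep["start"], ep["remediated"]))
    return {m: round(mean(v), 2) for m, v in sorted(by_month.items())}


def visibility_pct(episodes):
    """% Adversary Activity Visibility, interpreted here (assumption) as the share of
    episodes in which at least one alert fired."""
    if not episodes:
        return 0.0
    return round(100 * sum(1 for ep in episodes if ep["first_alert"] is not None) / len(episodes), 1)


def high_dwell_areas(episodes, threshold_hours=24):
    """Step 4: (persona, asset, dwell_hours) for remediated episodes above the threshold."""
    return sorted(
        (ep["persona"], ep["asset"], round(hours(ep["start"], ep["remediated"]), 1))
        for ep in episodes
        if ep["remediated"] is not None and hours(ep["start"], ep["remediated"]) > threshold_hours
    )


if __name__ == "__main__":
    eps = build_episodes(EVENTS)
    print("avg dwell (h) per persona:", dwell_per_persona(eps))
    print("org dwell MoM (h):", org_dwell_by_month(eps))
    print("visibility %:", visibility_pct(eps))
    print("high-dwell areas (>24h):", high_dwell_areas(eps))
```

Two design points carry over to a real pipeline. First, the episode that never alerted (the scraper on `catalog-web`) still has a dwell, because remediation can come from a route other than detection; dropping such episodes would flatter the visibility metric and hide exactly the gap Goal 3 is meant to expose. Second, the unmapped event is skipped rather than lumped into an "unknown" persona, so the count of skipped events is itself a signal that the persona catalog needs extending, which is the feedback loop the `Repeat` edge in the process diagram describes.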