Dwell Time and the Cyber Kill Chain

If you’re in Information Security, you likely know about the Cyber Kill Chain articulated by Lockheed Martin. The Kill Chain represents the lifecycle of a threat (the process the threat actor conducts) from beginning to end. In this model, phases 4 through 7 represent the opportunity security teams have to disrupt the threat actor’s efforts.

Though each threat’s characteristics and its movement through the process will be unique, each threat must be looked at in its entirety.

FIGURE 4 - Lockheed Martin Cyber Kill Chain.

This is a fundamental premise behind Armor’s position that Dwell Time must represent the entire period during which a threat is present within an organization and poses risk, from the time the threat successfully penetrates network defenses to the time the threat is completely removed from the environment.

Even during any response phase, the threat actor may still have an opportunity to perform Actions on Objectives, making it critical to add this time into the overall calculation for Dwell Time.

FIGURE 5 - Threat Actor’s Process vs. Security Defender’s Process.