Malware, short for “malicious software”, refers to any software that is intentionally designed to cause damage to a computer, server, client, or computer network. Malware comes in many forms, including viruses, worms, Trojan horses, ransomware, spyware, adware, and more. One of the biggest challenges in cybersecurity is detecting malicious software before it can infect systems and cause harm. But how long can malware actually remain undetected on a system before being discovered?
How Malware Spreads
To understand how long malware can go undetected, it helps to first understand the various ways that malware spreads. Malware can infect systems and networks through:
- Email attachments – Malware is often spread through email attachments that contain infected files. When the attachment is opened, the malware can install itself and infect the system.
- Infected websites – Visiting compromised websites can trigger malware downloads through browser exploits or by getting users to download infected files from the site.
- Software vulnerabilities – Unpatched software vulnerabilities can allow malware to spread by exploiting those holes to infect systems.
- Removable media – Malware can spread through infected USB drives, CDs, DVDs, and other removable media that are plugged into a computer.
- Network drives – Malware can use network shares and drives to move laterally within an organization’s network.
These varied infection vectors allow malware to spread quickly and silently. And since malware is constantly evolving, new delivery methods are always emerging. This makes malware difficult to detect because it can infiltrate networks and systems in many clever ways.
Evasion Techniques
Modern malware is often explicitly designed to evade detection by security solutions. Common techniques for remaining undetected include:
- File obfuscation – Encrypting or packing malware files to avoid signature detection.
- Environment checks – Probing the environment and avoiding execution if certain AV processes or tools are detected.
- Timing delays – Waiting days or weeks after infiltration before executing payloads.
- Targeting blind spots – Exploiting parts of a network not well monitored by security tools.
- Masquerading – Impersonating legitimate applications and files to avoid raising suspicion.
- Anti-analysis – Detecting and blocking forensic analysis attempts.
- Traffic obfuscation – Blending malicious network traffic in with normal traffic to dodge network detection.
- Encryption – Using encryption and secure protocols to conceal malicious communications.
Advanced malware will often use a combination of these and other stealthy techniques to avoid triggering alerts and being discovered.
Dwell Time
“Dwell time” refers to the duration malware remains present and active within a network before being detected and eliminated. Longer dwell times mean malware has more opportunity to access sensitive data, spread, and cause damage. So what are some typical malware dwell times?
- The 2021 SonicWall Cyber Threat Report found the average global malware dwell time to be 7 days.
- The Mandiant 2021 M-Trends Report found median global dwell times of 21 days.
- Research by FireEye in 2020 reported dwell times ranging from over 60 days to more than 240 days across various regions.
- IBM’s 2021 Cost of a Data Breach Report calculated an average dwell time of 212 days before a data breach is discovered.
These numbers illustrate how contemporary malware can lurk for weeks or even months before detection. Without speedy detection and remediation, malware has ample opportunity to achieve criminal ends. However, dwell times vary significantly with the sophistication of the malware and the effectiveness of the target’s security defenses.
Factors Affecting Malware Dwell Time
Several factors influence how long malware can remain undetected within an environment:
- Deployment of anti-malware software – Whether antivirus, anti-malware, endpoint detection, or other security tools are present and properly detecting threats.
- Frequency of scanning – How regularly devices and systems are scanned. Frequent scans make earlier detection more likely.
- Use of network monitoring – Monitoring network activity for connections to C2 servers and other IOCs can accelerate detection.
- Timeliness of signature updates – Out-of-date signature files increase time to detect new variants.
- Visibility into remote access – Gaps in visibility into VPNs, VDIs, or cloud access can slow detection.
- Promptness of patch management – Unpatched software provides an open door for more exploits.
- Level of staff cybersecurity training – Well-trained staff may spot suspicious activity quicker.
- Adoption of zero trust model – More rigorous verification and compartmentalization limit malware movement.
Organizations that follow cybersecurity best practices are better equipped to discover malware sooner after infection. Organizations with security gaps and deficient processes, by contrast, give malware room to operate unimpeded for longer periods.
Malware-as-a-Service
One growing trend that can prolong malware dwell times is the offering of malware-as-a-service. Underground cybercriminal groups have begun selling malware kits, custom malware development, and ongoing malware operations as a service. This lets even threat actors with little technical skill deploy sophisticated malware.
Some features of malware-as-a-service include:
- Access to malware builders that generate payloads with anti-detection and anti-analysis features.
- Builders that convert malware into formats difficult for security tools to analyze.
- Pre-developed malware kits available for purchase or rent.
- Custom malware development tailored for specific targets.
- Services to deploy malware directly into target networks.
- Command and control servers to manage malware post-infection.
- Help desk services for assistance operating the malware.
- Subscription models for long-term access and support.
By turning malware delivery into an on-demand service, these offerings can extend the dwell times of modern malware operations. The sophistication and constant updating that such services provide make detection harder across extended infection campaigns.
Impact of Undetected Malware
The risks and consequences of undetected malware grow the longer infections persist. Potential impact includes:
- Lateral movement – Spreading through networks to infiltrate more systems and escalate privileges.
- Data exfiltration – Stealing and extracting sensitive files and information over time.
- Covert surveillance – Monitoring network activity and capturing credentials.
- Foothold for attacks – Providing backdoor access for future intrusions.
- Malware updates – Updating to more damaging variants.
- Ransomware detonation – Triggering ransomware payloads.
- Service disruption – Impairing infected systems and causing outages.
- Reputation damage – Causing PR problems after a breach becomes public.
The longer malware stays hidden, the more systems it infects and the more damage it can potentially unleash. Prompt detection and remediation are key to limiting harm.
Improving Malware Detection
Given the risks undetected malware poses, organizations should continuously strive to shorten their dwell times. Steps that can improve malware detection include:
- Using layered next-gen and endpoint security tools.
- Frequently updating malware signatures and detection rules.
- Performing regular and comprehensive network scans.
- Scanning for IOCs from threat intelligence.
- Monitoring endpoints for suspicious activity.
- Promptly patching detected vulnerabilities.
- Following the principle of least privilege access.
- Providing cybersecurity awareness training.
- Developing an incident response plan.
- Conducting penetration testing and red team exercises.
- Employing strict change management processes.
Reducing dwell time requires constant vigilance, robust security architecture, and mature risk management. But the payoff is limiting the harm from infections and avoiding costly breaches.
Conclusion
Modern malware employs many techniques to avoid and delay detection, enabling dwell times averaging from weeks to months. Longer dwell times lead to greater system infiltration, data and credential theft, and business disruption. While specific dwell times depend on malware sophistication and target security, averages often exceed 60 days across impacted organizations. By using layered security defenses, vigilantly monitoring for IOCs, and promptly applying patches and fixes, businesses can detect and remove malware much faster. Shortened dwell times translate to reduced business risk and costs in the event of a malware infection.