The public is learning more about the dwell time in the cyber-attack against Equifax, and the dwell time may have been longer than first reported. Dwell time, according to the definition from Armor Defense Inc., is the number of days that a threat lives in a system before detection. It is disastrous if data is lost, but severely catastrophic if threat actors can linger and pivot to other vulnerable parts of the system.

Equifax’s security team identified suspicious activity on July 29, 2017, and security measures were activated. In Equifax’s update on September 15, 2017, the vulnerability in Apache Struts was reported as disclosed in March, which recalculates the dwell time to 100 days or more, twice the global average of 42 days.

How can an organization leverage dwell time? It may participate in ethical hacking exercises with the goal of identifying its own “number” of days. As the exercises increase in difficulty, that number should decrease with in-house expertise, employee training, awareness programs and threat intelligence.

A current challenge in detecting cyber-attacks is skilled personnel. False positives are misleading security alerts that still have to be investigated, which diminishes the urgency given to true positive alerts.
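The post measures dwell time two ways without saying so: from the first attacker activity to detection, and from the public disclosure of the Apache Struts flaw to detection. The script below, an added example and not part of the original post, computes both from an incident timeline and compares the result with the 42-day global average quoted above, then checks whether successive ethical-hacking exercises are driving the number down. The timeline dates, event kinds and the `Event`/`assess`/`is_improving` names are constructed for illustration and are not Equifax’s actual timeline, which the post gives only in part.

```python
from datetime import date
from typing import List, NamedTuple, Optional


class Event(NamedTuple):
    when: date
    kind: str   # "disclosure", "attacker" or "detection" (labels chosen for this example)
    note: str


# Constructed sample timeline; illustrative dates, not Equifax's real incident record.
SAMPLE_TIMELINE = [
    Event(date(2017, 3, 10), "disclosure", "vendor advisory for web-framework flaw published"),
    Event(date(2017, 4, 20), "attacker", "first exploitation attempt seen in web server logs"),
    Event(date(2017, 5, 2), "attacker", "lateral movement to an internal database host"),
    Event(date(2017, 7, 29), "detection", "security team flags suspicious activity"),
]

GLOBAL_AVERAGE_DWELL_DAYS = 42  # benchmark figure quoted in the post


def first_of_kind(events: List[Event], kind: str) -> Optional[date]:
    """Earliest date of a given event kind, or None if that kind never occurs."""
    dates = [e.when for e in events if e.kind == kind]
    return min(dates) if dates else None


def dwell_time_days(events: List[Event]) -> Optional[int]:
    """Dwell time: days from the earliest attacker activity to the first detection."""
    start = first_of_kind(events, "attacker")
    end = first_of_kind(events, "detection")
    if start is None or end is None:
        return None  # not yet detected, or no evidence of attacker activity recorded
    return (end - start).days


def exposure_window_days(events: List[Event]) -> Optional[int]:
    """Exposure window: days from public disclosure of the flaw to the first detection.

    This is the figure you get by counting from the March advisory; it is an upper
    bound on dwell time, not the dwell time itself.
    """
    start = first_of_kind(events, "disclosure")
    end = first_of_kind(events, "detection")
    if start is None or end is None:
        return None
    return (end - start).days


def assess(events: List[Event], benchmark: int = GLOBAL_AVERAGE_DWELL_DAYS) -> dict:
    """Summarise both metrics and how the dwell time compares with the benchmark."""
    dwell = dwell_time_days(events)
    exposure = exposure_window_days(events)
    return {
        "dwell_days": dwell,
        "exposure_days": exposure,
        "times_benchmark": round(dwell / benchmark, 2) if dwell is not None else None,
        "above_benchmark": dwell is not None and dwell > benchmark,
    }


def is_improving(exercise_dwell_days: List[int]) -> bool:
    """True when each successive exercise's dwell time is no worse than the previous one."""
    return all(later <= earlier
               for earlier, later in zip(exercise_dwell_days, exercise_dwell_days[1:]))


if __name__ == "__main__":
    print(assess(SAMPLE_TIMELINE))
    # Constructed results from four successive exercises, in days.
    print("trend improving:", is_improving([100, 60, 45, 30]))
```

Keeping the two measurements separate matters for reporting: the exposure window tells you how long a known flaw went unpatched, while dwell time tells you how long an intruder operated unnoticed, and only the latter is what detection investments are meant to shrink.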
Resources:
Cole, E. “Detect, Contain and Control Cyberthreats.” SANS Institute Reading Room, SANS Institute, June 2015, https://www.sans.org/reading-room/whitepapers/analyst/detect-control-cyberthreats-36187. Accessed 19 September 2017.
“Equifax Releases Details on Cybersecurity Incident, Announces Personnel Changes.” Equifax, 15 September 2017, https://www.equifaxsecurity2017.com/. Accessed 19 September 2017.
SentinelOne. “Ponemon Institute Identifies High Dwell Average Time for Financial and Retail Businesses.” SentinelOne Blog, 16 October 2016, https://www.sentinelone.com/blog/ponemon-institute-identifies-dwell-time-financial-retail-businesses/. Accessed 19 September 2017.