The dwell time problem: Why attackers maintain access for weeks before striking

Ransomware operators reach encryption in days but maintain network access for weeks. APT groups persist for months, conducting periodic reconnaissance and staging operations while remaining undetected. This extended presence, known as dwell time, is the window in which an attack can still be stopped. Traditional detection systems miss the individual malicious sessions during this period because attackers space them far enough apart to avoid volume-based alerts while using techniques that appear operationally normal.

The median dwell time for ransomware in 2025 dropped to four days from initial compromise to encryption. This metric, however, measures only the final positioning phase. Operational dwell time, the period attackers maintain access before executing their final objectives, often extends weeks or months. Play ransomware operators, for example, gain unauthorized access via compromised credentials and trigger malware only after weeks of maintaining presence.

Advanced persistent threats demonstrate even longer timelines. APT dwell times average 95 days, with some campaigns persisting over a year. The SolarWinds breach remained undetected for over a year. Chinese hacking group Volt Typhoon maintained access to critical infrastructure systems for up to five years in some cases.

Why attackers maintain persistent access

Extended dwell time serves strategic purposes. Attackers use this period to conduct periodic reconnaissance sessions that map environments, validate credentials through spaced authentication attempts, identify valuable data through incremental file server access, stage exfiltration infrastructure across multiple sessions, establish persistence mechanisms without triggering rate limits, and wait for optimal impact timing. The key characteristic: these activities occur in discrete sessions spaced days or weeks apart, not in continuous operations.

Ransomware operators conduct reconnaissance through intermittent sessions during the dwell period. On Monday, they enumerate Active Directory structures. Thursday, they identify backup systems. The following Tuesday, they locate sensitive data repositories. Each session uses valid credentials, occurs during business hours, generates normal traffic volumes, and completes within typical timeframes. Spacing these sessions prevents any single day from showing unusual reconnaissance volume.

This spacing proves effective against traditional detection. When BlackCat operators exfiltrated multiple terabytes gradually over weeks, they conducted staging in sessions separated by days. Each individual staging session transferred moderate data volumes using approved protocols during business hours. No single session triggered volume alerts. The cumulative exfiltration over weeks accomplished the objective while evading detection systems optimized for high-volume transfers or continuous activity.

APT groups employ similar tactics. They conduct reconnaissance sessions spaced across weeks, each session probing different infrastructure segments. On one day, they enumerate user accounts. A week later, they scan for internal vulnerabilities. Another week passes before they access file servers to identify intellectual property. Each session, evaluated independently, generates activity patterns consistent with routine IT operations or legitimate security scanning.

How traditional defenses miss spaced sessions

Volume-based detection fails when activity distributes across time. Security teams configure alerts for reconnaissance scans exceeding threshold rates, file access patterns indicating bulk download, authentication attempts suggesting brute force, and network connections showing rapid lateral movement. Attackers defeat these thresholds by conducting the same reconnaissance across multiple sessions days apart, accessing files incrementally through spaced sessions, validating credentials slowly across weeks, and moving laterally with days between connection attempts.

Consider reconnaissance targeting Active Directory. An attacker performs LDAP queries on Monday afternoon: 50 queries enumerating organizational units, 40 queries identifying group memberships, 30 queries discovering service accounts. Total: 120 queries over 45 minutes. Thursday afternoon: similar activity, different organizational units. The following Tuesday: another session completing the enumeration. Each session stays well below the 500-queries-per-hour threshold that triggers alerts. Total reconnaissance achieves comprehensive environment mapping while generating zero alerts.

Baseline-based detection proves equally ineffective. Security systems establish baselines for administrator account behavior, file server access patterns, service account usage, and network scanning activity. Attackers conduct reconnaissance using administrator credentials on Monday. The system observes moderate LDAP query activity within baseline parameters. Thursday's session: same credential, similar query volumes, still within baseline. The following Tuesday's session looks the same. Traditional detection sees three separate instances of normal administrator activity, not a sustained reconnaissance campaign.

Signature-based tools detect known malware but miss living-off-the-land techniques executed through discrete sessions. PowerShell scripts for Monday's reconnaissance, Windows Management Instrumentation for Thursday's lateral movement probe, legitimate remote access tools for Friday's persistence check, and native backup utilities for next week's data staging all use approved system tools. Each session, occurring days apart, appears as routine administrative activity.

Time-windowed correlation systems attempt to detect attacks by correlating events within defined periods. These systems flag multiple failed login attempts within 15 minutes, rapid file access across servers within an hour, or network scanning completing within 30 minutes. Attackers defeat time-windowed correlation by spacing equivalent activities across days. Five failed login attempts Monday, three Thursday, four the following Tuesday, all using different source IPs and legitimate account names. No time window contains enough activity to trigger correlation rules.

Why individual sessions remain detectable

DeepTempo detects malicious sessions during extended dwell periods by identifying structural patterns in behavioral timelines created within each session, independent of how much time elapses between sessions. Each reconnaissance session, credential validation attempt, data staging operation, or lateral movement probe generates a behavioral timeline with detectable structure. The spacing between sessions does not obscure the structural signatures that reveal intent.

Consider Monday's reconnaissance session. An attacker performs LDAP queries for 45 minutes: systematic enumeration of organizational units, progressive queries from general to specific information, query sequences optimized for intelligence gathering, and targeting patterns revealing privilege escalation intent. This creates a behavioral timeline exhibiting reconnaissance structure. The fact that the next reconnaissance session occurs Thursday rather than Monday afternoon does not change the structural signature present in Monday's session.

The foundation model learns what reconnaissance behavioral timelines look like regardless of when they occur. A reconnaissance session exhibits systematic enumeration patterns, progressive information gathering structure, query optimization for intelligence collection, and access sequences revealing privilege escalation intent. These patterns exist within the session itself. Whether reconnaissance happens in one continuous operation or across five sessions spaced over two weeks, each session exhibits detectable reconnaissance structure.

Data staging demonstrates identical principles. An attacker conducts a staging session Tuesday morning: accesses finance file server, reads 50 sensitive documents, copies files to temporary staging location, and pauses before external transfer. This session creates a behavioral timeline exhibiting staging structure. The fact that the actual external transfer occurs Thursday, or that similar staging sessions repeat next Tuesday and the following Friday, does not affect detection of Tuesday's session. Each staging session exhibits structural patterns revealing collection intent.

The critical distinction: DeepTempo does not detect "a three-week reconnaissance campaign" by correlating Monday's session with Thursday's session with next Tuesday's session. Rather, it detects Monday's reconnaissance session when it occurs, Thursday's reconnaissance session when it occurs, and next Tuesday's session when it occurs. Each detection happens independently based on the structural signature within that session's behavioral timeline.

Credential validation through spaced attempts demonstrates this approach. An attacker tests compromised credentials Monday: authenticates to file server, tests access to multiple directories, validates read permissions on sensitive files, and disconnects. Thursday: same credential, different file server, similar validation pattern. The following Tuesday: authentication to application server, privilege testing. Traditional detection sees three separate instances of normal authenticated access over two weeks. DeepTempo detects three separate credential validation sessions, each exhibiting structural patterns of privilege testing and access boundary probing.
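To make the contrast between the LDAP reconnaissance example above (120 queries per session against a 500-per-hour rule) and session-level structural detection concrete, the following is an added, illustrative example and not DeepTempo's code or model. It constructs a small LDAP query log with three attacker sessions days apart plus one benign helpdesk session, runs a per-hour volume rule over it, then sessionizes by inactivity gap and scores each session on its internal structure: breadth of distinct base DNs, fraction of enumeration-type queries, and whether the enumeration phases progress from organizational units to groups to service accounts. The log schema, the 30-minute session gap, the feature thresholds and the simple rule are all assumptions chosen for the demonstration; a learned model would replace the hand-written rule.

```python
"""Volume threshold versus per-session structural scoring over spaced LDAP sessions.
Added illustrative example; the log format, thresholds and heuristics are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Enumeration filters grouped into general-to-specific phases:
# organizational units, then group memberships, then service accounts.
ENUM_PHASES = {
    "(objectClass=organizationalUnit)": 0,
    "(objectClass=group)": 1,
    "(servicePrincipalName=*)": 2,
}


def _session(start, account, entries, spacing=timedelta(seconds=22)):
    """Expand (base_dn, filter) pairs into timestamped events, one every 22 s."""
    return [(start + i * spacing, account, base, flt) for i, (base, flt) in enumerate(entries)]


def _recon_entries(first_unit):
    """120 queries: 50 OU listings, 40 group lookups, 30 SPN lookups across 50 units."""
    units = [f"OU=Unit{first_unit + i},DC=corp,DC=example" for i in range(50)]
    entries = [(u, "(objectClass=organizationalUnit)") for u in units]
    entries += [(u, "(objectClass=group)") for u in units[:40]]
    entries += [(u, "(servicePrincipalName=*)") for u in units[:30]]
    return entries


def build_events():
    """Constructed sample log: three spaced attacker sessions plus one benign session."""
    events = []
    # Monday, Thursday, next Tuesday: ~45-minute sessions days apart, same admin credential.
    events += _session(datetime(2025, 3, 3, 14, 0), "svc-admin", _recon_entries(0))
    events += _session(datetime(2025, 3, 6, 14, 30), "svc-admin", _recon_entries(50))
    events += _session(datetime(2025, 3, 11, 15, 0), "svc-admin", _recon_entries(100))
    # Benign helpdesk work: repeated single-user lookups against one container.
    events += _session(datetime(2025, 3, 4, 9, 0), "helpdesk1",
                       [("CN=Users,DC=corp,DC=example", f"(sAMAccountName=user{i % 5})")
                        for i in range(25)])
    return sorted(events)


def volume_alerts(events, threshold=500):
    """Classic volume rule: alert when an account exceeds `threshold` queries in a clock hour."""
    per_hour = Counter((acct, ts.replace(minute=0, second=0, microsecond=0))
                       for ts, acct, _, _ in events)
    return [(acct, hour) for (acct, hour), n in per_hour.items() if n > threshold]


def sessionize(events, gap=timedelta(minutes=30)):
    """Split each account's event stream into sessions wherever the inter-event gap exceeds `gap`."""
    by_account = defaultdict(list)
    for ev in sorted(events):
        by_account[ev[1]].append(ev)
    sessions = []
    for stream in by_account.values():
        current = [stream[0]]
        for prev, ev in zip(stream, stream[1:]):
            if ev[0] - prev[0] > gap:
                sessions.append(current)
                current = []
            current.append(ev)
        sessions.append(current)
    return sessions


def structural_score(session, min_breadth=10, min_enum_fraction=0.8):
    """Score one session on its internal structure, not its volume: breadth of distinct
    base DNs, share of enumeration queries, and general-to-specific phase progression."""
    bases = {base for _, _, base, _ in session}
    phases = [ENUM_PHASES[flt] for _, _, _, flt in session if flt in ENUM_PHASES]
    enum_fraction = len(phases) / len(session)
    progressive = len(set(phases)) >= 2 and all(a <= b for a, b in zip(phases, phases[1:]))
    flagged = len(bases) >= min_breadth and enum_fraction >= min_enum_fraction and progressive
    return {"account": session[0][1], "start": session[0][0], "queries": len(session),
            "breadth": len(bases), "enum_fraction": round(enum_fraction, 2),
            "progressive": progressive, "flagged": flagged}


def run(events=None):
    """Apply both detectors to the sample log and summarize the outcome."""
    events = build_events() if events is None else events
    scores = [structural_score(s) for s in sessionize(events)]
    return {"volume_alerts": len(volume_alerts(events)), "sessions": len(scores),
            "flagged": sum(1 for s in scores if s["flagged"]), "scores": scores}


if __name__ == "__main__":
    result = run()
    print(f"volume rule alerts: {result['volume_alerts']}")
    for s in result["scores"]:
        print(f"{s['start']:%a %Y-%m-%d %H:%M} {s['account']:<10} queries={s['queries']:<4} "
              f"breadth={s['breadth']:<3} enum={s['enum_fraction']:<4} flagged={s['flagged']}")
```

Run as a script, the volume rule reports no alerts because no account ever exceeds 500 queries in an hour, while each of the three svc-admin sessions is flagged on its own structure and the helpdesk session is not. The days between the attacker sessions never enter the scoring, which is the point: the structural features live inside the session.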

Our test environment results

We deployed DeepTempo in a test environment simulating a three-week ransomware dwell period with spaced sessions. The scenario mirrored documented operator tactics: compromised domain credentials obtained through phishing, reconnaissance conducted through five sessions across Week 1, file server enumeration through eight sessions across Week 2, data staging through twelve sessions across Week 3, sessions spaced 1-3 days apart to avoid volume detection, and total dwell time of 21 days before simulated encryption.

Each individual session stayed within thresholds that traditional detection systems monitor. Monday's reconnaissance: 120 LDAP queries over 45 minutes (threshold: 500/hour). Thursday's enumeration: 35 file servers accessed (threshold: 50/hour). Tuesday's staging: 180 MB transferred (threshold: 1 GB/session). Every session used valid credentials during business hours with standard protocols.

Traditional detection systems generated zero alerts during the 21-day dwell period. Each session, evaluated independently against volume thresholds, time-based baselines, signature databases, and anomaly detection models, appeared operationally normal. The spacing between sessions prevented any correlation window from containing enough activity to trigger multi-event detection rules.

DeepTempo detected 100% of malicious sessions during the dwell period. Week 1 reconnaissance sessions: 5 sessions conducted, 5 detected through systematic enumeration behavioral timeline structure. Week 2 enumeration sessions: 8 sessions conducted, 8 detected through staging preparation behavioral timeline patterns. Week 3 staging sessions: 12 sessions conducted, 12 detected through collection intent behavioral timeline signatures.

| Period | Sessions conducted | Traditional detection | DeepTempo detection |
|---|---|---|---|
| Week 1 reconnaissance | 5 sessions (spaced 1-2 days) | 0 detected | 5/5 detected |
| Week 2 enumeration | 8 sessions (spaced 1-3 days) | 0 detected | 8/8 detected |
| Week 3 staging | 12 sessions (spaced 1-2 days) | 0 detected | 12/12 detected |
| Total | 25 sessions over 21 days | 0% detection rate | 100% detection rate |

Detection occurred session by session, not through correlation across the three-week period. Monday's reconnaissance session was detected Monday based on its behavioral timeline structure. Thursday's enumeration session was detected Thursday. Next Tuesday's staging session was detected that same day. The spacing between sessions, designed specifically to evade volume-based and time-windowed detection, had no effect on structural pattern recognition within each session.

What this means operationally

Organizations face a critical detection gap during extended dwell periods. Attackers maintain access for weeks or months, conducting periodic reconnaissance, validation, mapping, and staging sessions while spacing activity to stay below detection thresholds. Traditional systems, optimized for high-volume attacks or continuous suspicious activity, generate zero alerts when malicious operations distribute across time.

The operational advantage of session-level detection proves substantial. Consider a three-week dwell period with 25 malicious sessions. Traditional detection: zero alerts over 21 days, attack proceeds to encryption undetected. Behavioral timeline detection: 25 alerts over 21 days, security teams receive notification after each reconnaissance, enumeration, or staging session. The first Week 1 reconnaissance alert provides 14 days before encryption. Even the final Week 3 staging alert provides multiple days for response.

This addresses the core vulnerability created by extended dwell time. Attackers gain weeks of access specifically because they operate slowly enough to avoid volume alerts, space sessions far enough apart to defeat time-windowed correlation, and legitimately enough to avoid signature matching. Structural patterns within individual sessions remain detectable independent of spacing tactics.

The dwell period represents the window where attacks remain stoppable. Ransomware operators detected during Week 1 reconnaissance cannot complete environment mapping, identify backup systems, or stage exfiltration infrastructure. APT groups detected during initial reconnaissance sessions cannot progress through their intelligence collection phases. Each detected session during the dwell period provides opportunity for response before final attack objectives execute.

Traditional detection philosophies assume malicious activity will cluster temporally or exceed volume thresholds. Sophisticated adversaries understand these assumptions and design their campaigns accordingly. They space sessions to defeat clustering detection. They limit volume to stay under thresholds. They use valid credentials and legitimate tools to avoid signatures. But they cannot make reconnaissance sessions appear structurally like normal administration, staging sessions appear like routine file access, or validation sessions appear like typical authentication. The behavioral timeline structure within each session reveals intent, regardless of how much time separates one session from the next.

MITRE ATT&CK tactics: Reconnaissance, Discovery, Credential Access, Collection
