Things Matt Wrote


If you do a Google search for the term “Felony Lane Gang”, you will get “about 2,860,001” results. That’s a little more than a bunch. Most of them appear to be news reports with titles such as,“Felony Lane Gang targets Moms”, “EPD arrests woman they say is part of the Felony Lane Gang”, or “Felony Lane Gang Ramping Up Again”. The commonality of these reports is the generalization that all of these bad actors have a familial connection. The news reporters and journalists undoubtedly get this bent from those of us in law enforcement and financial industry security who flippantly suggest the connection. We casually suggest the conspiracy by referring to every group who steals bags and cashes checks through the far drive-through teller lane as “the Felony Lane Gang”. Singular. As if they are all connected like a crime family or neighborhood sect of a national gang.

They are not. And we should stop doing this.

“The” Felony Lane Gang did exist. They were a group from Florida that traveled the east coast and were eventually arrested and prosecuted in the Middle District of Pennsylvania. My home bailiwick. Many of us remember this case, and I’m sure that a few readers of this newsletter were involved in the investigation and prosecution of the case. It was brilliant work. Here is one of the press releases from 2014 that I could find still online

The method of operation (MO) was to steal purses and bags from unattended vehicles, then disguise themselves as the victims, and cash the checks through the far lane of the bank drive-through. The distance of the far lane made it more difficult, and sometimes impossible, for the teller to discern the actual identity of the driver presenting the check. The thief just had to look closely enough. The farthest lane of the drive-through has become known as the “Felony Lane”.


Over the past year, “Dwell Time” has become part of the American lexicon. The term, when used in the scope of infectious disease, is the measurement of time a disinfectant needs to remain wet on a surface to properly disinfect. The quicker a disinfectant solution kills pathogens and sanitizes a surface the better it works. The Covid-19 pandemic has made most of us experts in disinfectants.

The concept of dwell time is also important in the field of information and computer network security. Dwell time is the length of time a threat actor is active, while undetected, within a network. It is the measurement of time from breach to detection. Obviously, the longer the adversary lives in the environment the more time they have to steal data and damage systems. The ultimate goal of every security team is to reduce adversary dwell time to the least amount of time possible. A dwell time of ZERO is the ideal.

Security software and threat prevention company Sophos released a report titled “The Active Adversary Playbook 2021”. The report is well written and has garnered some attention within cybersecurity media and practitioners. One of the more prominent and celebrated points made by the report is a median adversary dwell time of eleven (11) days. I immediately winced when I read this claim. I'm not an expert by any means, but that number seemed way off. Particularly since Fireeye estimated the average dwell time to be 56 days in their 2020 M-Trends report. Did the security industry get that much better in just a year?