Breaches Detected Faster, But Ransomware Surge a Major Factor: FireEye

Data from FireEye’s Mandiant incident response division shows that the time it takes organizations to detect a malicious hacker attack continues to drop, but it’s not only due to better threat detection capabilities. 

According to Mandiant, the surge in ransomware attacks, which are noisy by design because the attacker eventually announces themselves, is partly why the dwell times observed over the last year were shorter.

The data show that organizations are getting better at detecting intrusions on their own, but Mandiant says that while “continued development and improvement of organizational detection capabilities” is one factor, a “major factor” was the surge in ransomware, whose share of the investigations it conducted rose from 14% in 2019 to 25% in 2020.

In the case of ransomware attacks, they are typically detected quickly since the attackers often make their presence known when they demand a ransom, after they have encrypted the victim’s files and/or have stolen the victim’s data.

In the ransomware attacks investigated by Mandiant, 78% had a dwell time of 30 days or less, and only 1% of these incidents had a dwell time of 700 days or more.

The data was part of Mandiant’s new M-Trends 2021 report, which is based on investigations conducted by the company between October 2019 and September 2020 (this timeframe is referred to as 2020 in the report). 

According to Mandiant, 59 percent of the breaches investigated globally during this period were detected internally. In comparison, in 2019, 47 percent were discovered internally. 

Dwell time, the number of days an attacker is present in the target’s environment before being discovered, also dropped significantly: the global median fell from 56 days in 2019 to 24 days in 2020. Taken separately, the median dwell time in 2020 was 73 days for breaches reported by an external party, but only 12 days for breaches detected internally.

Interestingly, the median global dwell time was just 5 days for ransomware investigations and 45 days for non-ransomware investigations conducted by Mandiant.

Overall, the global median dwell time has decreased constantly over the past decade, from 416 days in 2011 to 24 in 2020. 
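To make the arithmetic behind these figures concrete, here is an added example (not code from Mandiant or the M-Trends report): it computes dwell time per incident as the number of days from the first evidence of compromise to detection, then takes the median over a constructed set of nine incidents, split by detection source and by ransomware versus non-ransomware. The incident names, dates and categories are invented for illustration; the point the example shows is how a few short-dwell ransomware cases pull the pooled median well below the non-ransomware median, which is exactly the mixing effect the report describes.

```python
"""Dwell-time arithmetic over a constructed incident set (added example, not M-Trends data)."""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Incident:
    name: str
    first_evidence: date      # earliest attacker activity the investigation could find
    detected: date            # day the intrusion was noticed (by the victim or a third party)
    detection_source: str     # "internal" (victim's own team) or "external" (someone else told them)
    ransomware: bool


def dwell_days(inc: Incident) -> int:
    """Dwell time = days between first evidence of compromise and detection.

    first_evidence is a lower bound: if logs were rotated or the attacker cleaned up,
    the true start is earlier, so dwell time is underestimated, never overestimated.
    """
    days = (inc.detected - inc.first_evidence).days
    if days < 0:
        # Detection cannot precede the earliest evidence; the timeline was built wrong.
        raise ValueError(f"{inc.name}: detection date precedes first evidence")
    return days


def _select(incidents: Iterable[Incident], detection_source: Optional[str],
            ransomware: Optional[bool]) -> List[int]:
    return [
        dwell_days(i) for i in incidents
        if (detection_source is None or i.detection_source == detection_source)
        and (ransomware is None or i.ransomware == ransomware)
    ]


def median_dwell(incidents: Iterable[Incident], *, detection_source: Optional[str] = None,
                 ransomware: Optional[bool] = None) -> float:
    """Median dwell time over the incidents matching the optional filters."""
    pool = _select(incidents, detection_source, ransomware)
    if not pool:
        raise ValueError("no incidents match the filter")
    return median(pool)


def share_within(incidents: Iterable[Incident], max_days: int, *,
                 ransomware: Optional[bool] = None) -> float:
    """Fraction of (optionally filtered) incidents with dwell time <= max_days."""
    pool = _select(incidents, None, ransomware)
    return sum(1 for d in pool if d <= max_days) / len(pool)


# Constructed sample: six non-ransomware intrusions spanning 9 to 400 days, and three
# ransomware cases that were noticed within a week because the attacker left a ransom note.
INCIDENTS = [
    Incident("NR-1", date(2020, 3, 1), date(2020, 3, 10), "internal", False),   # 9 days
    Incident("NR-2", date(2020, 1, 15), date(2020, 2, 14), "internal", False),  # 30 days
    Incident("NR-3", date(2020, 5, 1), date(2020, 6, 10), "internal", False),   # 40 days
    Incident("NR-4", date(2020, 4, 1), date(2020, 5, 31), "external", False),   # 60 days
    Incident("NR-5", date(2020, 2, 1), date(2020, 5, 31), "external", False),   # 120 days
    Incident("NR-6", date(2019, 7, 1), date(2020, 8, 4), "external", False),    # 400 days
    Incident("RW-1", date(2020, 6, 10), date(2020, 6, 12), "internal", True),   # 2 days
    Incident("RW-2", date(2020, 7, 20), date(2020, 7, 23), "internal", True),   # 3 days
    Incident("RW-3", date(2020, 8, 1), date(2020, 8, 6), "internal", True),     # 5 days
]


if __name__ == "__main__":
    print("median, all incidents:     ", median_dwell(INCIDENTS))
    print("median, non-ransomware:    ", median_dwell(INCIDENTS, ransomware=False))
    print("median, ransomware:        ", median_dwell(INCIDENTS, ransomware=True))
    print("median, internal detection:", median_dwell(INCIDENTS, detection_source="internal"))
    print("median, external detection:", median_dwell(INCIDENTS, detection_source="external"))
    print("ransomware within 30 days: ", share_within(INCIDENTS, 30, ransomware=True))
```

On this sample the non-ransomware median is 50 days and the ransomware median is 3 days, but the pooled median is 30 days, so a year-over-year drop in the headline number says little unless the share of ransomware cases is held constant. The same caveat applies to the internal-versus-external split: ransomware cases are almost always "internal" detections, which flatters that category too.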

However, the report also shows significant regional differences in dwell time. For instance, the median dwell time in the Americas dropped from 60 days in 2019 to 17 days in 2020, but more than 27 percent of the incidents investigated in this region involved ransomware.

“The large number of investigations which involved ransomware undoubtedly drove down the median dwell time. Ransomware incidents in the Americas had a median dwell time of just three days and accounted for 41% of incidents with a dwell time of 14 days or fewer,” Mandiant said in its report.

In contrast, the median dwell time in the APAC region increased from 54 days in 2019 to 76 days in 2020, but this region also saw a decrease in ransomware-related incidents. The EMEA region also saw an overall increase in dwell time, from 54 days in 2019 to 66 days in 2020.

In addition to dwell times, the M-Trends 2021 report covers new extortion techniques used by ransomware gangs, the phishing and extortion campaigns conducted by a cybercrime group named FIN11, the threat group behind the SolarWinds supply chain attack, and malicious actors shifting focus to systems that support remote work. 

In terms of attack tactics, Mandiant found that attackers used 63 percent of MITRE ATT&CK techniques and 24 percent of sub-techniques during the analyzed time frame. However, the company said, only 37 percent of the techniques observed (23 percent of all techniques) were seen in more than 5 percent of the intrusions it investigated, so a small core of techniques accounts for most of the activity.

Editor’s Note: M-Trends is one of a few reports that SecurityWeek considers required reading, as the data is compiled from actual incidents, not vendor surveys using questions crafted to skew results in favor of selling something. In other words, this is real-world data with details discovered during the process of investigating incidents across hundreds of clients, many from high profile organizations.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.