Light Dark
June 12, 2023 By Jonathan Reed 4 min read
News

Now for some good news on the cyber front: It looks like we’re winning the global battle over dwell time.

Global median dwell time is calculated as the median number of days an attacker is present in a target’s environment before being detected. And according to a recent Mandiant report, global median dwell time recently dropped to a record low of just over two weeks. This reflects the essential role partnerships and the exchange of information play in building a more resilient cybersecurity ecosystem, according to the report.

Let’s take a deeper look at why dwell times are dropping — and how to drive them even lower. Plus, we’ll explore new malware families, adversary groups and attack techniques described in the Mandiant report.

Driving down dwell time

As per the latest Mandiant M-Trends 2023 report, global median dwell time continued to drop year-over-year — down to 16 days in 2022. This is the shortest median global dwell time ever for M-Trends reporting periods.

Notably, Mandiant identified an improvement in median dwell time when an external entity notified the victim organization. This may indicate that organizations are responding to external notifications more quickly. The report states that there is a growing recognition of the role partnerships and information exchange play in building a resilient cybersecurity ecosystem. But it’s also true that the external notifier might be the threat gang making a ransom demand.

Either way, security partners are improving the critical information contained within external notifications. And this improved information sharing enables organizations to act more effectively rather than having to identify intrusions on their own.

Other factors that decrease dwell time

Most (if not all) security teams are overworked and understaffed. It’s harder than ever to keep up with the ever-expanding threat landscape. Additionally, teams are already busy with day-to-day security operations tasks required in their SOC.

In fact, a third of cyber team leaders report a higher number of absences due to burnout in the months after an attack. Unsurprisingly the stress affects employees, with 54% reporting a negative impact on mental health. And 56% say that their role becomes more stressful each year.

For these reasons, some security teams have pivoted to modernized threat detection and response solutions to help reduce dwell time. These suites are designed to unify the security analyst experience and accelerate responses to live incidents. These solutions use enterprise-grade AI and automation to dramatically increase analyst productivity. Overall, this helps resource-strained security teams work more effectively across core technologies such as Endpoint Detection and Response (EDR), Extended Detection and Response (XDR) and Managed Detection and Response (MDR).

Ransomware drops slightly

Is ransomware also on the run? Perhaps slightly. In the new study, Mandiant experts reported a decrease in global investigations involving ransomware between 2021 and 2022. In 2022, 18% of investigations involved ransomware, compared to 23% in 2021.

“While we don’t have data that suggests there is a single cause for the slight drop in ransomware-related attacks that we observed, there have been multiple shifts in the operating environment that have likely contributed to these lower figures,” said Sandra Joyce, VP, Mandiant Intelligence at Google Cloud.

Joyce said some reasons for the drop in ransomware incidents might include:

  • Ongoing government and law enforcement disruption efforts targeting ransomware services and individuals. This may require actors to retool or develop new partnerships.
  • Actors needing to adjust their initial access operations due to the fact that macros may often be disabled by default.
  • Organizations getting better at detecting and preventing or recovering from ransomware events at faster rates.

Threat group motives

Mandiant tracks more than 3,500 threat groups overall. This includes over 900 newly tracked threat groups in the most recent report period. The analysis identified a total of 343 unique threat groups across all intrusions in 2022.

As they get to know a threat group, Mandiant investigators assign a formal motive designation for each group. For the threat groups observed in 2022, Mandiant assessed actor motivations as follows:

  • 48% of threat groups have financially motivated operations
  • 18% are driven by espionage motives
  • 9% have goals like destructive operations, hacktivism and being a nuisance
  • 27% of threat groups’ motivations were not able to be assessed.

New malware proliferation

In 2022, Mandiant began tracking 588 new malware families. As per the report, newly tracked malware equates to nearly 49 new malware families identified per month in 2022. Of the 588 newly tracked malware families, the top five categories consisted of backdoors (34%), downloaders (14%), droppers (11%), ransomware (7%) and launchers (5%).

Of note, newly tracked credential stealers fell out of the top five categories tracked by Mandiant in 2022. However, in the current report, stolen credentials also appeared for the first time in the most frequently seen intrusion vectors. This finding suggests that threat actors are leveraging previously created credential stealers to obtain stolen credentials.

Mandiant stated it observed an explosion of credential and information stealer-type malware, such as Redline Stealer, Vidar and Recordstealer (aka Redline). These malware groups are typically delivered through search engine optimization abuse and malicious advertisements.

The most common malware family

Like previous years, the most common malware family identified by Mandiant research was BEACON. This is Cobalt Strike’s default malware payload used to create connections to C2 servers. BEACON was identified at 15% of all intrusions analyzed in the report. The BEACON malware is by far the most common variant seen in investigations worldwide.

BEACON has been used by a variety of threat groups, including state-backed groups attributed to China, Russia and Iran. The malware is also used by financially motivated threat actors, including FIN6, FIN7, FIN9, FIN11 and FIN12, and over 700 hundred UNC groups. This popularity is likely due to the wide availability of BEACON along with the malware’s high customizability and ease of use.

New threats continue to evolve

While the drop in dwell time is welcome news, the Mandiant report shows the threat landscape continues to evolve. It’s imperative that security pros keep up with relevant threat intelligence, deploy the right security tools and continue to collaborate with the wider security community.

 |  |  |  |  |  |  |  | 
Jonathan Reed
Freelance Technology Writer

More from News
May 13, 2024

Debate rages over DMCA Section 1201 exemption for generative AI

3 min read - The Digital Millennium Copyright Act (DMCA) is a federal law that protects copyright holders from online theft. The DMCA covers music, movies, text and anything else under copyright. The DMCA also makes it illegal to hack technologies that copyright owners use to protect their works against infringement. These technologies can include encryption, password protection or other measures. These provisions are commonly referred to as the “Anti-Circumvention” provisions or “Section 1201”. Now, a fierce debate is brewing over whether to allow…

May 10, 2024

CISA Malware Next-Gen Analysis now available to public sector

2 min read - One of the main goals of the Cybersecurity and Infrastructure Security Agency (CISA) is to promote security collaboration across the public and private sectors. CISA firmly believes that partnerships and effective coordination are essential to maintaining critical infrastructure security and cyber resilience. In faithfulness to this mission, CISA is now offering the Malware Next-Generation Analysis program to businesses and other organizations. This service has been available to government and military workers since November 2023 but is now available to the…

May 8, 2024

Change Healthcare attack expected to exceed $1 billion in costs

3 min read - The impact of the recent Change Healthcare cyberattack is unprecedented — and so are the costs. Rick Pollack, President and CEO of the American Hospital Association, stated, “The Change Healthcare cyberattack is the most significant and consequential incident of its kind against the U.S. healthcare system in history.” In a recent earnings call, UnitedHealth Group, the parent company of Change Healthcare, speculated on the overall data breach costs. When all is said and done, the total tally may reach $1…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature