Organizations and their cyber defenders are getting better at detecting cyber-attacks but detection time still stands at 16 days, according to Google’s Mandiant.
In its 14th annual M-Trends report, published on April 18, 2023, the cybersecurity firm found that 2022 saw a decrease global median dwell time – the time the victim of a cyber-attack takes to detect the intrusion – from 21 days in 2022 to 16 days in 2021.
This is the shortest global median dwell time since Mandiant started recording this metric in 2011.
The decrease can be attributed to cyber defenders getting better, coupled with attackers being brazen than they were in the past, according to Stuart McKenzie, head of Mandiant consulting EMEA.
“In the current climate, notably with the cyber conflict between Russia and Ukraine, they want their victims to detect them quickly, either to pay swiftly, in the case of financially motivated attacks, or to make an impact, in the case of disruptive attacks,” he told Infosecurity.
However, he added that two weeks is still long enough for attackers to do a lot of damage and improvement is still needed.
“Also, dwell time stops when the attack is detected, not remediated. Remediation can still take months, or even years sometimes,” McKenzie said.
The latest M-Trends report also found that ransomware attacks decreased in 2022, accounting for 18% of all intrusions recorded on Mandiant’s telemetry that year, compared to 23% in 2021.
This drop can partially be attributed to the work of law enforcement, McKenzie said. “We’ve seen many ransomware groups having to re-tool following sanctions by the US Treasury Department’s Office of Foreign Assets Control (OFAC), for example,” he recalled.
“The war in Ukraine has also drawn away resources and meant that some groups have been focusing on other things. But we shouldn’t forget, once again, that defenders have improved. Organizations have a more robust cyber posture, thus slowing down ransomware threat actors and pushing them to move from simple phishing techniques to more sophisticated ones, such as compromising credentials and exploiting vulnerabilities,” McKenzie added.
Increased Cyber Espionage
State-sponsored malicious activity, however, spiked in 2022, as previously reported on Infosecurity.
“Mandiant identified extensive cyber espionage and information operations leading up to and since Russia's invasion of Ukraine on February 24, 2022, [and] observed more destructive cyber-attacks in Ukraine during the first four months of 2022 than in the previous eight years,” the report reads.
In 2022, Mandiant began tracking 588 new malware families, the main ones being backdoors (34%), downloaders (14%), droppers (11%), ransomware (7%) and launchers (5%).
As with previous years, the most common malware family identified by Mandiant in investigations was BEACON, a multi-function backdoor identified in 15% of all intrusions. BEACON has been used by a wide variety of threat groups, including nation-state-backed threat groups attributed to China, Russia and Iran, as well as financial threat groups and over 700 groups tracked by Mandiant as uncategorized threat clusters.
“Now that organizations are getting better at detecting cyber intrusions and remediating cyber-attacks, they also need to make sure they have a holistic program and regularly test their cybersecurity posture with exercises like red and purple teaming, for instance,” McKenzie said.
The findings from the M-Trends report are based on Mandiant consulting investigations of targeted attack activity between January 1, 2022 and December 31, 2022.