Even now, it might take you weeks, at least, to detect a cyber intrusion, research finds

A study of hundreds of such intrusions indicates that detection capabilities are improving but are still far from ideal amid growing threats. In 2020, the global median time to identify a breach was 24 days, down from 56 days the previous year. In 2011 it was over a year, FireEye said.


Amid a surge of threats, the continued development and improvement of organizational detection and response capabilities has reduced the median time taken to identify cyber intrusions, according to a new report by cybersecurity company FireEye.

The FireEye Mandiant M-Trends 2021 report, which analyzes hundreds of cyber intrusions, outlines trending attacker techniques and malware, the proliferation of multifaceted extortion and ransomware, preparing for expected UNC2452/SUNBURST copycat threat actors, growing insider threats, plus pandemic and industry targeting trends, according to the company.

"Multifaceted extortion and ransomware are the most prevalent threats to organizations," said Charles Carmakal, Senior Vice President and Chief Technology Officer, Mandiant. "Data theft and reselling of unauthorized access to victim organizations remain high as multifaceted extortion and ransomware actors have trended away from purely opportunistic campaigns in favor of targeting organizations that are more likely to pay large extortion demands. Given this surge, organizations must take proactive action to mitigate the potential impact."

Over the past decade, Mandiant, a part of FireEye, has observed a reduction in global median dwell time, defined as the duration between the start of a cyber intrusion and when it is identified. This measure went from over one year in 2011 to just 24 days in 2020, less than half the 56-day median dwell time reported last year. Mandiant attributes this reduction to continued development and improvement of organizational detection and response capabilities, along with the surge of multifaceted extortion and ransomware intrusions, which tend to be discovered quickly because the attacker announces themselves, the company said.

Median dwell time trends varied by region. In the Americas, median dwell time continued to fall. The Americas median dwell time for incidents discovered internally improved the most, dropping from 32 days to only nine days, the first time any region has dipped into single digits. Conversely, APAC and EMEA saw an overall increase in median dwell time, which Mandiant experts believe is influenced by a greater number of intrusions with dwell times extending beyond three years, as compared to the Americas.

While last year’s report noted a drop in internal detections of intrusions compared to the previous year, Mandiant experts observed a return of organizations independently detecting most of their own incidents. Internal incident detection rose to 59% in 2020 – a 12-point increase compared to 2019. This return to organizations detecting the majority of intrusions within their environments is in line with the overall trend observed over the last five years.

Notably, internal detection was on the rise across all regions year-on-year. Organizations in the Americas led with 61% of intrusions detected internally, followed by EMEA at 53% and APAC at 52%. Correspondingly, organizations in APAC and EMEA were more often notified of a compromise by an external entity (such as law enforcement or a third party) than organizations in the Americas, FireEye said.
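The two metrics the report is built on, median dwell time and the share of intrusions detected internally rather than reported by an outside party, are simple to compute on an organization's own incident register. The following is an added example, not code from the report or from FireEye, that computes both from a small set of constructed incident records (the regions, dates and detection sources are made up for illustration) and also reports the mean, so the reader can see why a median is quoted: a single multi-year intrusion of the kind the report says is more common in APAC and EMEA drags the mean up by hundreds of days while barely moving the median.

```python
from collections import Counter
from datetime import date
from statistics import mean, median

# Constructed incident register (illustrative only, not report data).
# "start": first evidence of attacker activity; "found": date the intrusion
# was identified; "source": "internal" (found by the organization itself) or
# "external" (notified by law enforcement, a partner or another third party).
INCIDENTS = [
    {"region": "Americas", "start": date(2020, 1, 10), "found": date(2020, 1, 15), "source": "internal"},
    {"region": "Americas", "start": date(2020, 2, 1),  "found": date(2020, 2, 10), "source": "internal"},
    {"region": "Americas", "start": date(2020, 3, 1),  "found": date(2020, 3, 31), "source": "internal"},
    {"region": "Americas", "start": date(2020, 4, 1),  "found": date(2020, 4, 21), "source": "external"},
    {"region": "Americas", "start": date(2020, 5, 1),  "found": date(2020, 6, 30), "source": "external"},
    {"region": "Americas", "start": date(2020, 7, 1),  "found": date(2020, 8, 15), "source": "external"},
    {"region": "APAC",     "start": date(2020, 1, 5),  "found": date(2020, 2, 4),  "source": "internal"},
    {"region": "APAC",     "start": date(2020, 3, 10), "found": date(2020, 4, 19), "source": "internal"},
    {"region": "APAC",     "start": date(2020, 2, 1),  "found": date(2020, 5, 1),  "source": "external"},
    {"region": "APAC",     "start": date(2020, 6, 1),  "found": date(2020, 7, 1),  "source": "external"},
    # One long-running intrusion, noticed only after more than three years.
    {"region": "APAC",     "start": date(2016, 9, 1),  "found": date(2020, 1, 1),  "source": "external"},
]

THREE_YEARS_DAYS = 3 * 365


def dwell_days(incident):
    """Dwell time: days between the start of the intrusion and its identification."""
    return (incident["found"] - incident["start"]).days


def select(incidents, region=None, source=None):
    """Filter the register by region and/or detection source (None = no filter)."""
    return [
        i for i in incidents
        if (region is None or i["region"] == region)
        and (source is None or i["source"] == source)
    ]


def dwell_stats(incidents, region=None, source=None):
    """Count, median and mean dwell time, plus how many intrusions ran over three years.

    Returns None when the filter matches nothing, rather than raising on an empty list.
    """
    days = [dwell_days(i) for i in select(incidents, region, source)]
    if not days:
        return None
    return {
        "count": len(days),
        "median": median(days),
        "mean": round(mean(days), 1),
        "over_3y": sum(1 for d in days if d > THREE_YEARS_DAYS),
    }


def internal_detection_rate(incidents, region=None):
    """Percentage of intrusions the organization identified itself (one decimal)."""
    sel = select(incidents, region)
    if not sel:
        return None
    by_source = Counter(i["source"] for i in sel)
    return round(100.0 * by_source["internal"] / len(sel), 1)


if __name__ == "__main__":
    for region in (None, "Americas", "APAC"):
        label = region or "Global"
        print(label, "all:", dwell_stats(INCIDENTS, region))
        print(label, "internal:", dwell_stats(INCIDENTS, region, "internal"))
        print(label, "internal detection rate:", internal_detection_rate(INCIDENTS, region), "%")
```

On the constructed data the Americas internally detected median lands at 9 days, and the APAC median is 40 days while the APAC mean is over 280 days because of the single 1,217-day intrusion; that gap is the reason dwell time is reported as a median.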

The top five most targeted industries, according to the company, are business and professional services, retail and hospitality, finance, healthcare, and high technology.

"We have continued to see a 'wolf in sheep's clothing' trend where threat groups and cyber criminals rely on publicly available tools introduced in different stages of a compromise. The usage of public or commercially available tools, often used by red teams and penetration testers, allows the threat actor to blend in with security testing. It also makes attribution more complex," said Charles Carmakal, Senior Vice President and Chief Technology Officer, Mandiant.

"In this year’s report, 24% of the intrusions analyzed involved BEACON usage, which is a commercial tool, part of the Cobalt Strike software platform, commonly used for pentesting network environments. We have observed BEACON being used by a wide range of named threat groups," he added.

Organizations also face increasing threats from exploits, said Jurgen Kutscher, Executive Vice President, Service Delivery, Mandiant. "While phishing remains a preferred vector by cyber threat actors, we saw more actors leveraging exploits to compromise victims. The increase in exploit usage should remind organizations to have a more robust plan for patching product vulnerabilities. One of the challenges here is identifying what sources and information are available to make better risk-based decisions when prioritizing what systems and applications to patch now and what to patch at a later stage based on current knowledge about exploitation and targeting by threat actors."