
Median threat actor ‘dwell time’ dropped during 2021

Security teams appear to be getting better at detecting attackers within their networks, according to a report

Cyber attack dwell times – the length of time that malicious actors spend in a victim environment before being detected – dropped from 24 days in 2020 to 21 days in 2021, according to intelligence released today by Mandiant, collated from incidents to which it responded.

The headline statistic would seem to show that defenders have, in general, significantly improved their threat detection and response postures. As Mandiant Intelligence executive vice-president Sandra Joyce observed, several positive trends from previous years continued into 2021.

“We see several improvements despite an incredibly challenging threat landscape,” said Joyce. “This M-Trends report has the lowest global median dwell time on record. Additionally, APAC [Asia-Pacific] and EMEA [Europe, Middle East and Africa] showed the largest improvements in several threat detection categories compared to previous years.”

Nevertheless, the positive news is tempered by the certainty that threat actors continue to innovate and adapt, and Mandiant suggested that the pervasiveness of ransomware attacks during 2021 might also partly explain the decline – financially-motivated ransomware operators have a tendency to cut to the chase much quicker than other threat actors, it said.

Indeed, during 2021, Joyce said Mandiant encountered “more threat groups than any previous period”.

“In a parallel trend, in this period we began tracking more new malware families than ever before. Overall, this speaks to a threat landscape that continues to trend upward in volume and threat diversity,” she said. “We also continue to witness financial gain be a primary motivation for observed attackers.”

Last year, Mandiant started tracking over 1,100 new threat groups and 733 new malware families, of which 86% were not publicly available – another ongoing trend among threat actors seems to be to restrict access to, or privately develop, their tools.

Ransomware operators in particular are turning to more multifaceted tactics, techniques and procedures (TTPs) in pursuit of a big payout, and 2021 saw them increasingly exploit weaknesses in virtualisation infrastructure in large organisations.

“Multifaceted extortion and ransomware continue to pose huge challenges for organisations of all sizes and across all industries, with this year’s M-Trends report noting a specific rise in attacks targeting virtualisation infrastructure,” said Mandiant executive vice-president of service delivery, Jurgen Kutscher.

“The key to building resilience lies in preparation. Developing a robust preparedness plan and well-documented and tested recovery process can help organisations successfully navigate an attack and quickly return to normal business operations.”

Supply chain attacks were also increasingly in favour as a means of initial compromise, rising from less than 1% of the observed total in 2020 to 17% in 2021. By far the biggest infection vector, however, remains the exploitation of vulnerabilities, seen in 37% of incidents, while phishing accounted for 11%, a significant decline.

“While exploits continue to gain traction and remain the most frequently identified infection vector, the report notes a significant increase in supply chain attacks. Conversely, there was a noticeable drop in phishing this year, reflecting organisations’ improved awareness and ability to better detect and block these attempts,” observed Kutscher.

“In light of the continued increased use of exploits as an initial compromise vector, organisations need to maintain focus on executing on security fundamentals – such as asset, risk and patch management.”

Finally, the report also notes a realignment and retooling of cyber espionage operations emanating from China – which possibly aligns with the implementation of the country’s 14th Five-Year Plan last year.

Looking ahead, organisations should be on guard for a likely increase in attacks originating from China-nexus actors. Unlike Russia-nexus intelligence-led operations, and destructive cyber attacks against infrastructure, such as recent cyber attacks in support of the war on Ukraine, Chinese operations tend to target intellectual property and strategically important economic concerns.
