Hackers operating inside a network were discovered far more quickly in 2021 than just a year earlier, new data showed.
The global median number of days an attacker was present in a target’s environment before being detected--referred to as the median dwell time––decreased by nearly 13 percent to 21 days in 2021, according to cybersecurity provider Mandiant’s newly released M-Trends 2022 report.
Median dwell time in the U.S. remained constant at 17 days, Mandiant said in the report, which tracked investigation metrics between October 1, 2020 and December 31, 2021. When calculated by geographic region, Asia Pacific (AP) had the steepest decline in median dwell time, a 72 percent drop to 21 days from 76 days in 2020. By comparison, median dwell time also slid in the Europe, Middle East and Africa (EMEA) region to 48 days from 66 the prior year.
MSSPs are a significant piece of the puzzle to identifying hacking in progress, although not in the Americas. In EMEA and APAC the majority of intrusions in 2021 were identified by external third parties (62% and 76%, respectively), such as MSSPs. In the Americas, most intrusions were detected internally by organizations themselves (60%).
In general, Mandiant said its data showed that although significant progress has been made in threat detection and response, adversaries are rapidly innovating and adapting to hit targets in lucrative environments.
Additional findings from the study include:
- Exploits remained the most frequently identified initial infection vector, far ahead of phishing. Of the incidents that Mandiant responded to, 37% started with the exploitation of a security vulnerability while phishing accounted for only 11%.
- Supply chain compromises increased dramatically, from less than 1% in 2020 to 17% in 2021.
- Business and professional services and financial were the top two industries targeted by adversaries (14% each), followed by healthcare (11%), retail and hospitality (10%) and tech and government (both at 9%).
- Multifaceted extortion and ransomware attackers are using new tactics, techniques and procedures (TTPs) to deploy ransomware rapidly and efficiently throughout business environments. The pervasive usage of virtualization infrastructure in corporate environments has made it a prime target for ransomware attackers.
“There was a noticeable drop in phishing this year, reflecting organizations’ improved awareness and ability to better detect and block these attempts,” said Jurgen Kutscher, Mandiant service delivery executive vice president. “In light of the continued increased use of exploits as an initial compromise vector, organizations need to maintain focus on executing on security fundamentals, such as asset, risk and patch management.”