Median dwell time--when hackers first infiltrate a network to when the victim identifies the attack--has dropped dramatically from one year in 2011 to 24 days in 2020, security provider FireEye Mandiant calculated in its latest M-Trends 2021 report.
In 2019, the median dwell time was more than double (56 days) that of 2020, an indication that organizations have advanced development and improved their detect and response capabilities, the security specialist said in the report’s 12th edition, crafted to provide cyber defenders with critical knowledge to outwit and outperform attackers.
Americas organizations led the internal detection trend line at 61%, followed by EMEA and APAC at 53% and 52%, respectively. Also of note, median dwell time in the Americas tumbled from 32 days to nine days, making it the first time a geographic region has dipped into single digits. A factor not to be missed that helped drive down the time between initial infection and discovery is the skyrocketing number of ransomware and other extortion attacks plaguing organizations worldwide that are self-identified by the attackers.
“Nation states taking a cyber espionage approach to COVID research, threat groups working together to achieve their objectives, exploitation of quickly adopted work from-home strategies and a wake-up call for global supply chain compromise–experiences in 2020 will shape security policies for years to come,” the report said.
Some data and themes from the report:
- 59% of the security incidents investigated by Mandiant last year were initially detected by the organizations themselves, a 12% climb from the prior year.
- Ransomware has evolved into multifaceted extortion where actors deploy ransomware encryptors across victim environments and use a variety of tactics to coerce victims into paying ransoms.
- FIN11, a recently named financially motivated threat group, was responsible for widespread phishing campaigns that conducted several multifaceted extortion operations.
- In 2020, the top five most targeted industries, in order, are business and professional services, retail and hospitality, financial, healthcare and technology.
- Organizations in the retail and hospitality industry were targeted more heavily in 2020, ranking as the second most targeted industry compared to 11th the prior year.
- Healthcare was the third most targeted industry in 2020, compared to eighth in 2019, likely explained by the global pandemic.
“While business and professional services has been in the top five most targeted industries since 2016, we believe the sudden boost in business services necessary for remote working has made this industry the most targeted in 2020 by cyber criminals and state-sponsored threat actors,” said Jurgen Kutscher, Mandiant service delivery executive vice president.
While many of the cybersecurity and cyber attack trends FireEye Mandiant saw in 2020 aren’t new, they have reached new “levels of sophistication and proportion,” the report said. “Security organizations need to continue to be prepared for ongoing escalations with threat actors and deal with changes to their own environment and attack surface. While much has stayed the same, we are seeing a continued evolution of past trends that requires security teams to remain vigilant, adapt and evolve.”