Mandiant Report: Intrusion Dwell Time Sees Decline

A recently released report from Mandiant shows a decrease in attacker dwell time, but concerns over cyber espionage efforts persist

First the good news: Enterprises are learning about the security breaches that affect them sooner. The bad news? That earlier detection is partly a function of the nature of the attacks themselves, including the rise in ransomware, which is designed to be noticed.

These findings come from the Mandiant M-Trends 2022 report, which found that the global median dwell time, Mandiant's term for the median number of days an attacker is present in a target's environment before being identified, fell to 21 days in 2021 from 24 days in 2020. The report, which was published this week, is based on investigations tracked by the company between Oct. 1, 2020, and Dec. 31, 2021.

Over the past decade, Mandiant's median dwell time figure has fallen considerably. In 2011, the median dwell time was more than a year. In 2019, it was 56 days. Mandiant attributes the drop of the past few years to both improvements in enterprise detection and response and the increase in ransomware attacks. That makes sense: If attackers are focused on stealing trade secrets, they want to remain hidden. If it is an extortion attack, they eventually have to announce themselves to get paid.

This is why ransomware intrusions have a significantly lower median dwell time than non-ransomware intrusions. This year, Mandiant also observed multifaceted extortion and ransomware actors using new tactics, techniques and procedures in their ransomware attacks, including the targeting of virtualization infrastructure.

This year's report also identified geographic differences in median dwell time. The APAC region saw the biggest decline, falling to 21 days in this year's report from 76 days in 2020. EMEA also fell, but not as far: from 66 days in 2020 to 48 days in 2021. The Americas median dwell time did not fall in this year's report, but at 17 days it was already an enviable number.

Additionally, the majority of intrusions in EMEA and APAC were detected by third parties (think law enforcement, partners, customers, etc.): 62% and 76%, respectively. The Americas again remained unchanged, with 60% of intrusions detected internally.
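The dwell-time and detection-source figures above are straightforward to compute from an organisation's own incident records. The following is an added example, not code from Mandiant or from the article: it defines dwell time exactly as the report does (days between the first evidence of attacker activity and the date the intrusion was identified) and breaks the median down by region and by ransomware vs. non-ransomware, alongside the internal/external detection split. The incident records are constructed for illustration and the field names are assumptions, not any Mandiant schema.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample incident records for illustration (not Mandiant's data).
# "first_evidence" is the earliest attacker activity found during the
# investigation; "detected" is the date the intrusion was identified;
# "source" records who first identified it (internal team or external party).
INCIDENTS = [
    {"id": "INC-01", "region": "Americas", "ransomware": True,  "source": "internal",
     "first_evidence": date(2021, 3, 1),  "detected": date(2021, 3, 6)},
    {"id": "INC-02", "region": "Americas", "ransomware": False, "source": "internal",
     "first_evidence": date(2021, 1, 10), "detected": date(2021, 2, 9)},
    {"id": "INC-03", "region": "Americas", "ransomware": False, "source": "external",
     "first_evidence": date(2021, 5, 1),  "detected": date(2021, 5, 18)},
    {"id": "INC-04", "region": "EMEA",     "ransomware": True,  "source": "external",
     "first_evidence": date(2021, 4, 1),  "detected": date(2021, 4, 4)},
    {"id": "INC-05", "region": "EMEA",     "ransomware": False, "source": "external",
     "first_evidence": date(2021, 2, 1),  "detected": date(2021, 4, 12)},
    {"id": "INC-06", "region": "EMEA",     "ransomware": False, "source": "internal",
     "first_evidence": date(2021, 6, 1),  "detected": date(2021, 7, 19)},
    {"id": "INC-07", "region": "APAC",     "ransomware": True,  "source": "internal",
     "first_evidence": date(2021, 8, 10), "detected": date(2021, 8, 14)},
    {"id": "INC-08", "region": "APAC",     "ransomware": False, "source": "external",
     "first_evidence": date(2021, 1, 1),  "detected": date(2021, 4, 1)},
]


def dwell_days(incident):
    """Dwell time in whole days: detection date minus first evidence of compromise."""
    delta = (incident["detected"] - incident["first_evidence"]).days
    if delta < 0:
        # A detection date before the first evidence means the timeline is wrong;
        # refuse rather than silently produce a negative dwell time.
        raise ValueError(f"{incident['id']}: detection precedes first evidence")
    return delta


def median_dwell(incidents, region=None, ransomware=None):
    """Median dwell time over the incidents matching the optional filters.

    Returns None when no incident matches, so an empty slice is not mistaken
    for a zero-day dwell time.
    """
    selected = [
        dwell_days(i) for i in incidents
        if (region is None or i["region"] == region)
        and (ransomware is None or i["ransomware"] is ransomware)
    ]
    return median(selected) if selected else None


def dwell_by_region(incidents):
    """Median dwell time per region, the breakdown M-Trends reports."""
    regions = sorted({i["region"] for i in incidents})
    return {r: median_dwell(incidents, region=r) for r in regions}


def detection_source_share(incidents, region=None):
    """Fraction of incidents first identified internally vs. by an external party."""
    counts = defaultdict(int)
    for i in incidents:
        if region is None or i["region"] == region:
            counts[i["source"]] += 1
    total = sum(counts.values())
    return {src: n / total for src, n in counts.items()} if total else {}


if __name__ == "__main__":
    print("global median dwell (days):", median_dwell(INCIDENTS))
    print("ransomware:", median_dwell(INCIDENTS, ransomware=True),
          "non-ransomware:", median_dwell(INCIDENTS, ransomware=False))
    print("by region:", dwell_by_region(INCIDENTS))
    for region in (None, "Americas", "EMEA", "APAC"):
        print("detection source", region or "global", detection_source_share(INCIDENTS, region))
```

Note that the median, not the mean, is used deliberately: a single long-running espionage intrusion would drag a mean up by months, while the median reflects the typical case, which is also why the ransomware and non-ransomware populations are best reported separately rather than blended into one figure.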

This year's M-Trends report also found software exploits to be the most common initial infection vector. According to Mandiant, 37% of intrusions began with an exploit, while 11% began with phishing. Successful supply chain compromises rose dramatically, to 17% of intrusions this year from 1% last year.

Mandiant also found business and professional services and financial services to be the most targeted industries, at 14% of investigations each. They were followed by health care (11%), retail and hospitality (10%), and technology and government (9% each).

This is little changed from last year’s report, which found the top five targeted industries to be business and professional services, retail and hospitality, financial, health care, and high technology.

Mandiant also tracked changes in China's cyber espionage activity and warns that shifts in the nation's priorities could mean an increase in China-aligned threat actors targeting intellectual property and other strategically important economic information, in addition to the existing focus on the defense industry and technologies with defense applications.
