Attacker's dwell time dips, but new threats on the rise: Report

As hard as organisations are working to shore up security for supply chain and hybrid operations, cybercriminals are working just as diligently to adapt new techniques to target and infiltrate organisations’ IT environments.  

That’s according to cybersecurity firm Mandiant’s M-Trends report 2022, which details how multiple threat actors are often found in victim environments. According to Mandiant, more than one distinct threat group was identified in a compromised IT environment for a quarter of the company’s investigations. That is a trend Mandiant expects to increase, possibly due to various threat actors working in collaboration — suggesting a strong and interlinked mesh of cybercriminal activities across the globe.  

Another major shift in 2021 was the increased role of vulnerable software and the increasing exploitation of supply chains to find new targets. Supply chain compromises surged in 2021, representing about 17% of intrusions, compared with only 1% during 2020. The vast majority of compromises stemmed from the SolarWinds attack, which accounted for 86% of intrusions from supply chains. By contrast, phishing attacks fell by more than half, to 11% from 23% of initial infection vectors.   

In addition, Mandiant report showed that new malware families effective on Linux increased to 11% in 2021 compared to 8% in 2020. The report also details new threats from China, which includes 36 unique Chinese threat groups, many of which are targeting the US organisations and agencies.  

Sandra Joyce, executive vice president of Mandiant Intelligence, said in a statement that several trends from previous years continued into 2021, leading to the firm encountering more threat groups and malware families than any ever before. “Overall, this speaks to a threat landscape that continues to trend upward in volume and threat diversity,” Joyce said.  

The report, based on investigational metrics between October 1, 2020 and the end of 2021, however, draws a silver lining on the cybersecurity landscape stating that the global cyberattacks were discovered faster over the past year, driven largely by a rise in ransomware and increased use of third-party cybersecurity firms in Europe and the Asia-Pacific region.  

Also read: Devs believe data privacy, disinformation chief challenges for metaverse

The global median dwell time, which measures the number of days a cyberattack goes undetected, fell to 21 days last year, down from 24 days in 2020, the report.   

The decrease was dramatic in the Asia-Pacific region, where median dwell time dropped sharply to 21 days from 76 days. Dwell times fell in Europe, the Middle East and Africa (EMEA) declined to 48 days versus 66. In those regions, third-party sources detected the majority of cyberattacks, reversing a previous trend.  

In contrast, in the US, median dwell times remained flat at 17 days, and 60% of intrusions were caught directly by company security teams, instead of outside firms or external sources.  

A reduction in dwell time is critical today, because the longer a threat actor is undetected inside a corporate or government network, they will stay longer within the system to steal proprietary data, compromise credentials and access emails.   

Overall, multifaceted extortion and ransomware continue to pose huge challenges for organisations of all sizes and across all industries, with this year’s M-Trends report noting a specific rise in attacks targeting virtualisation infrastructure, said Jurgen Kutscher, Executive Vice President, Service Delivery, Mandiant.   

“The key to building resilience lies in preparation. Developing a robust preparedness plan and well-documented and tested recovery process can help organisations successfully navigate an attack and quickly return to normal business operations,” he said.