Attacker dwell time dips, but firms grapple with ransomware, zero day attacks

Despite the efforts of organizations to strengthen their cybersecurity strategies, cybercriminals are equally determined to develop new techniques to target and infiltrate their IT environments. In its recently published 'M-Trends 2024 Special Report,' cybersecurity company Mandiant said that while median dwell time – the time between when an attacker accesses a victim's system and when the attack is detected – has substantially decreased, which is a positive sign, ransomware and other new attack techniques have gone up, leaving organisations vulnerable. 

The report, based on Mandiant Consulting investigations conducted in 2023, revealed that the global median dwell time for attackers reached its lowest point since the company began tracking this metric in 2011. Dwell time, which refers to the number of days an attacker remains undetected in an environment, decreased by almost a week, dropping from 16 days in 2022 to 10 days last year.

Mandiant's report also indicated an improvement in internal detection of intrusions in 2023, with the global median falling to nine days compared to 13 days the previous year. These long-term trends of declining median dwell time and increasing rates of internal discovery of compromises demonstrate that organizations have made significant and measurable advancements in their defensive capabilities.

The report highlighted a positive development in the form of an increase in compromises detected internally by targeted organizations. These internal detections accounted for 46% of all intrusions in 2023, compared to 37% in 2022. This suggests that detection capabilities are continuously improving across organizations, enabling security teams to identify threat actors during the initial stages of an attack, such as the infection and reconnaissance phases.

However, Mandiant witnessed a rise in ransomware incidents in 2023. Investigations related to ransomware increased to 23% last year, compared to 18% in 2022. The report stated, "This brings the percentage of intrusions linked to ransomware back to its previous level in 2021."
In addition to the slight increase in attacks, Mandiant also highlighted that identifying intrusions involving ransomware took longer than attacks without ransomware. The company noted that in 70% of ransomware incidents, targeted organizations were notified by external parties, primarily through ransom demands from the attackers.

A Chainalysis 2024 Report published in February also said that 2023 marks a major comeback for ransomware, with record-breaking payments and a substantial increase in the scope and complexity of attacks. Ransomware payments in 2023 surpassed the $1 billion mark, the highest number ever observed. Although 2022 saw a decline in ransomware payment volume, the overall trend line from 2019 to 2023 indicates that ransomware is an escalating problem, it said. 

“The ransomware landscape is not only prolific but continually expanding, making it challenging to monitor every incident or trace all ransom payments made in cryptocurrencies. It is important to recognize that our figures are conservative estimates, likely to increase as new ransomware addresses are discovered over time. For instance, our initial reporting for 2022 showed $457 million in ransoms, but this figure has since been revised upward by 24.1%,” Chainalysis researchers said.

However, Mandiant also reported some positive trends. The report stated, "Intrusions involving ransomware were detected within six days when the notification came from an internal source, compared to 12 days in 2022." It further mentioned that defenders were informed about ransomware-related intrusions by external parties within five days in 2023, which was two days quicker than the previous year.

The researchers have cautioned that threat actors across the board have intensified their focus on evasion techniques, primarily by exploiting zero-day vulnerabilities. In 2023, when the initial intrusion vector was discovered, an exploit was detected 38% of the time. Mandiant has continued to observe both cyber espionage and financially motivated attackers utilizing zero-day vulnerabilities for their operations.

Mandiant highlighted that the most widespread zero-day vulnerability in 2023 was CVE-2023-34362, a critical flaw in Progress Software's MoveIt Transfer managed file transfer product. Emsisoft estimated that attacks impacted over 2,000 MoveIt Transfer customers.
Although Chinese cyber espionage groups exploited the most zero days in 2023, Mandiant cautioned that such threats are no longer limited to nation-state actors and are no longer considered a niche capability.

In addition to zero-day vulnerabilities, the report highlighted that attackers are also adopting other methods to avoid detection, such as employing living off-the-land tactics. These tactics involve threat actors using legitimate products and existing tools within a targeted environment to move laterally and gain access to sensitive data.