Global Dwell Time Drops as Ransomware Attacks Accelerate

Published: 23/11/2024   Category: security




The length of time attackers remain undiscovered in a target network has fallen to a median of 24 days, researchers report, but the drop is driven in part by fast-moving ransomware intrusions rather than by better detection alone.



Attackers are spending less time inside target networks, researchers report, but the seemingly positive trend hides a concerning development: Ransomware attacks, which by nature have a shorter dwell time, are growing more common and efficient, shrinking the average time frame for all attacks.
In their 2021 M-Trends threat report, Mandiant researchers note the global median dwell time, or the number of days an attacker is in an environment before detection, has fallen to 24 days. While median dwell time has consistently dropped from 416 days in 2011, this year's number marks a notable drop, says Steven Stone, senior director of advanced practices at Mandiant.
"Half the dwell time went away compared to last year," he notes. The 2020 M-Trends report found a global median dwell time of 56 days, making this year's figure a significant drop.
This decline could be explained by several factors, including continued improvement in threat detection capabilities, new policies, and higher security budgets. However, the attack landscape plays a critical role. As dwell time dropped last year, the number of ransomware cases rose: Twenty-five percent of Mandiant investigations involved ransomware, a sharp increase from 14% in 2019.
A breakdown of dwell time by attack type is more telling. The median dwell time for non-ransomware investigations was 45 days; for ransomware investigations, it was only five. These metrics combined brought the global median dwell time down to its new low of 24 days.
As researchers see more ransomware, they expect dwell time to continue shrinking. After all, the attackers deploying ransomware don't want to remain hidden for very long.
"We're seeing ransomware intrusions … move to ransomware much, much quicker than we have in previous years," Stone points out. "We think that's clearly a contributing factor."
In the past, ransomware operators would try to get into a target environment and typically spend more time trying to understand it before deploying ransomware at the end. Now they move quickly through the attack cycle. Many have adopted the technique of multifaceted extortion, in which they also threaten to publish stolen data if the ransom isn't paid in time.
Attackers appear to be growing more comfortable with ransomware than with other forms of monetization. Combined with increasingly higher payouts, and operators who are growing more comfortable negotiating larger sums, this is bad news for defenders.
"We talk about intrusion like it's a machine, but it's ultimately people, and people tend to do what they're most comfortable with," Stone explains. "They need a mechanism to monetize the intrusion, and as they're learning more and more about how to do that with ransomware year over year, they're getting more comfortable in that space."
What Else Is In Attackers' Toolkits?
Of course, ransomware isn't the only threat Mandiant researchers investigated last year. Their responses to a range of security intrusions yielded several observations, including a preference for exploits (29%) over phishing attacks (23%) as an initial infection vector. Other common vectors included stolen credentials or brute force (19%) along with prior compromise (12%).
"It definitely sticks out to us," Stone says of the rise in exploits. "If anything, we're seeing that trend accelerate currently." Researchers are already two full quarters into what will be the next M-Trends report, and "we're actually seeing more exploits than we did when we wrote this report."
There was a time when exploits were dominant, he explains, but they began to trend down as phishing attacks grew. Now "they're back with a vengeance," he says. While researchers aren't sure what's driving the trend, Stone notes that exploit usage is different than it was in the past. More exploits are continuously dropping, and there are more groups taking advantage of them.
"In the past we would typically see an exploit targeted by one high-end group … now you'll see an exploit, and you'll see a range of groups in a very quick time frame either using that or converting that once it goes public," he adds.
The presence of offensive security tools in attackers' arsenals was another dominant trend. Beacon, a backdoor commercially available as part of the Cobalt Strike platform, was seen in 24% of incidents. Empire, a publicly available PowerShell post-exploitation framework, was seen in 8%. Rounding out the top five were Maze ransomware (5%), Netwalker ransomware (4%), and the Metasploit pen-testing platform (3%).
When they aren't using publicly available tools, attackers are relying on privately developed ones: Seventy-eight percent of malware families used in attacks were private; the rest were public. The trend is consistent across the most advanced groups and lesser-skilled attackers, Stone explains. Many of these tools are easy to use, lowering the cost of entry and empowering attackers.
"We're seeing a number of lower-level skillset groups deploy custom malware along with these public tools," he says. "That makes incident response very challenging, and I think organizations need to be prepared for that."
One of the groups using Cobalt Strike Beacon is UNC2452, the name Mandiant has given to the group behind the supply chain attack that involved an implant in the SolarWinds Orion platform. "This is arguably the most advanced group we've ever dealt with," Stone says, and the fact it's deploying Beacon is "very concerning."
While organizations face new threats, the process of preparing for these types of attacks hasn't changed, he continues.
"Be prepared for an intrusion. Be prepared to make smart decisions based on the actual threats you're seeing," says Stone.
An attack from a group like UNC2452 and a ransomware attack are very different intrusions, he says, and organizations must respond and remediate differently. They have to be able to make the right call for a particular threat, versus a one-size-fits-all approach.
