Mandiant: Orgs are detecting cybercriminals faster than ever

The average time taken by global organizations to detect cyberattacks has dropped to its lowest-ever level of ten days, Mandiant revealed today.

The cyber shop says the downward trend continues from last year’s 16 days and should be seen as “a big victory for the good guys,” but a deeper look into the underlying data shows there are still some obvious issues at play.

For one, the regional breakdown in the infosec giant’s latest M-Trends report, released today, shows the new all-time low (median) average of ten days is skewed by data in previously under-achieving regions.

JAPAC, for example, dropped its average dwell time to nine days, which is below the current global median – great stuff – but last year the region’s average was 33 days, more than double the global figure, which JAPAC unfavorably skewed.

EMEA also reported a worse year-on-year dwell time of 22 days compared to 20 days in 2022. Mandiant says the small increase over last year’s figures, which were the lowest ever recorded for the region, could be due to data normalizing after Mandiant’s work in Ukraine.

Also, in 14 percent of investigations, researchers found EMEA dwell times fell into the “five years or less” category. The category below captures dwell times of “one year or less,” illustrating the scale of intrusions that go undetected for extended periods of time.

Data in the Americas was unchanged – the average dwell time in the region remained at ten days, the same as 2022’s results. 

Mandiant made it clear early in its report that although attackers’ dwell time is decreasing, it’s still not good enough to prevent the very best in the business from achieving their goals.

Its own red teamers are able to achieve their objectives within five to seven days, it said, and given that equally capable adversaries are carrying out their attacks regularly, these detection times need to drop if the number of successful attacks is to drop too.

Mandiant also included more ransomware cases in its data this year, five percent more in fact. It may have influenced the global dwell time downward trend since it said ransomware intrusions are typically detected faster than other types.

Google Cloud’s cyber defense arm didn’t go into much detail about what other types of attacks were included in its analysis, other than to say it evaluated the findings from every one of its investigations into targeted attacks in 2023.

These could encompass all manner of attacks involving data theft, malware, the exploitation of zero-days, cyber espionage – a hot topic of late that Mandiant has been involved in, and of course ransomware.

On average, a ransomware incident is detected within five days, almost twice as quickly as last year (nine days). Granted, this is quicker when looking at the number of external detections (five days) than internal ones (six days).

What Mandiant means by the two types of detections:

  • Internal detection: Cybersecurity tools doing their jobs, detecting malicious activity and compromises. Also includes reports made by well-educated staff spotting suspicious activity

  • External detection: When a source outside an organization first informs it about a compromise. This can encompass a broad range of entities, including law enforcement, cybersecurity researchers, industry partners, or cybercriminals themselves

Intrusions that don’t involve ransomware are detected comparatively slower, but are detected more efficiently using internal resources (nine days) than by relying on external entities (20 days).

Overall, the time taken to detect ransomware has fallen across the board and across all detection types. Mandiant says this generally suggests defenders are improving their detection capabilities.

However, the proportion of incidents detected internally is still outweighed by organizations’ reliance on outside sources alerting them to issues, highlighting the importance of industry partners to the security ecosystem. 

Less than half (46 percent) of intrusions are detected using an organization’s own resources, compared to 54 percent of targets first learning about their incidents from outsiders, Mandiant says.

The reliance on friends – and foes – is down on 2022’s average of 63 percent, but discounting last year, the last time Mandiant recorded a larger dependence on external sources was 2014.

There have been a good few years in between but over the long term, internal intrusion detections by organizations themselves haven’t improved a great deal.

All the blame shouldn’t fall on defenders, though, since attackers are always becoming more sophisticated in the way they conduct their operations, continually finding fresh ways around security controls.

“Attackers regularly adjust their tactics, techniques, and procedures in order to achieve their objectives, which can be challenging for defenders,” said Jurgen Kutscher, vice president of Mandiant Consulting at Google Cloud. “Despite this, our frontline investigators have learned that organizations have done a better job in 2023 at protecting systems and detecting compromises.

“Defenders should be proud, but organizations must remain vigilant. A key theme throughout M-Trends 2024 is that attackers are taking steps to evade detection and remain on systems for longer, and one of the ways they accomplish this is through the use of zero-day vulnerabilities. This further highlights the importance of an effective threat hunt program, as well as the need for comprehensive investigations and remediation in the event of a breach.”

A combined report from Mandiant and Google’s Threat Analysis Group (TAG) last month revealed a 56 percent yearly increase in the number of exploited zero-days by offensive actors in cyberspace.

The pace at which zero-days are being developed for enterprise-specific software also appears to be outpacing that of end-user platforms with a yearly increase of 64 percent.

“Over the years we’ve learned that the quicker we discover and patch attackers’ bugs, the shorter the lifespan of the exploit, and the more it costs attackers to maintain their capabilities,” its report [PDF] read. 

“We as an industry must now learn how to take those lessons learned and apply them to the wider ecosystem of vendors that are now finding themselves under attack.”

For the coming year, Mandiant expects defenders to be especially troubled by the upwards trend in zero-day exploits, as well as by a general increase in the work that attackers are putting in to evade security measures. 

Attackers are also expected to increase attacks on edge devices and other tech where orgs typically struggle to apply robust detection.

“We will continue to share our frontline knowledge in M-Trends to improve our collective security awareness, understanding, and capabilities,” Mandiant said. ®