Threat Actors' Dwell Time Reduced to 24 Days, FireEye Reports


FireEye, the intelligence-led security company, has published the FireEye Mandiant M-Trends 2021 report. The report, from the FireEye-owned forensic specialist, was compiled from investigations of targeted attack activity between October 1, 2019, and September 30, 2020. This year's edition outlines critical details on the latest attacker methodologies and malware, the growth of multifaceted extortion and ransomware, preparation for expected UNC2452 / SUNBURST threat actors, growing insider threats, and industry targeting trends.

“UNC2452, the threat actor responsible for the SolarWinds supply chain attack, reminds us that a highly-disciplined and patient actor cannot be underestimated. This actor’s attention paid to operational security, counter forensics, and even counterintelligence set it apart from its peers. Defense against this actor will not be easy, but it is not impossible. We have learned a great deal about UNC2452 in recent months, and we believe that intelligence will be our advantage in future encounters,” said Sandra Joyce, Executive Vice President, Global Threat Intelligence, Mandiant.

Over the past decade, Mandiant has observed a downward trend in global median dwell time (defined as the duration between the start of a cyber intrusion and when it is identified). The researchers revealed that 59% of organizations detected attackers within their own environments over the period, a 12-percentage-point increase on the previous year. Detection also became faster: dwell time for attackers inside corporate networks fell below a month for the first time in the report’s history, with the median global figure now at 24 days.

This is in stark contrast to the 416 days it took firms when the report was first published in 2011. It's also more than twice as fast as the previous year (56 days) and shows that detection and response are moving in the right direction. For incidents notified to firms externally, the figure was slightly higher (73 days) and for internally detected attacks it was lower (12 days). In America, dwell time dropped from 60 days in 2019 to just 17 days last year, while in APAC (76 days) and EMEA (66 days) the figure increased slightly. 

The top five most targeted industries, in order, are Business and Professional Services, Retail and Hospitality, Financial, Healthcare and High Technology. Mandiant experts observed that organizations in the Retail and Hospitality industry were targeted more heavily in 2020 – coming in as the second most targeted industry compared to 11th in last year’s report. 

Healthcare also rose significantly, becoming the third most targeted industry in 2020, compared to eighth in last year’s report. This increased focus by threat actors can most likely be explained by the vital role the healthcare sector played during the global pandemic.

However, a major contributing factor to the global reduction in dwell time may be the escalation of ransomware attacks, which usually take place over a shorter time frame than traditional cyber-espionage or data theft operations.