June 12, 2023 By Jonathan Reed 4 min read

Now for some good news on the cyber front: It looks like we’re winning the global battle over dwell time.

Global median dwell time is calculated as the median number of days an attacker is present in a target’s environment before being detected. And according to a recent Mandiant report, global median dwell time recently dropped to a record low of just over two weeks. This reflects the essential role partnerships and the exchange of information play in building a more resilient cybersecurity ecosystem, according to the report.

Let’s take a deeper look at why dwell times are dropping — and how to drive them even lower. Plus, we’ll explore new malware families, adversary groups and attack techniques described in the Mandiant report.

Driving down dwell time

As per the latest Mandiant M-Trends 2023 report, global median dwell time continued to drop year-over-year — down to 16 days in 2022. This is the shortest median global dwell time ever for M-Trends reporting periods.

Notably, Mandiant found that median dwell time improved when an external entity notified the victim organization of the intrusion. This may indicate that organizations are acting on external notifications more quickly. The report states that there is a growing recognition of the role partnerships and information exchange play in building a resilient cybersecurity ecosystem. One caveat: an "external notification" can also be the attacker itself announcing its presence with a ransom demand, which shortens measured dwell time without any defensive improvement.

Either way, security partners are improving the critical information contained within external notifications. And this improved information sharing enables organizations to act more effectively rather than having to identify intrusions on their own.
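To make the metric concrete, here is an added example (not code from the article or from the M-Trends report) that computes median dwell time from a set of closed incident records and breaks it down by who detected the intrusion. The incident records are constructed for illustration; dwell time follows the definition used above, whole days from the earliest evidence of compromise to the day the intrusion was detected. The example also reports the mean, which a single long-running intrusion skews badly, to show why median is the right summary statistic here.

```python
"""Median dwell time from incident records (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Incident:
    case_id: str
    first_evidence: date       # earliest attacker activity found during the investigation
    detected: Optional[date]   # None while the intrusion is still undetected / ongoing
    notification: str          # "internal" or "external" (partner, law enforcement, or a ransom note)


def dwell_days(inc: Incident) -> Optional[int]:
    """Whole days the attacker was present before detection; None if not yet detected."""
    if inc.detected is None:
        return None
    delta = (inc.detected - inc.first_evidence).days
    if delta < 0:
        raise ValueError(f"{inc.case_id}: detection date precedes first evidence")
    return delta


def closed_dwell_times(incidents: Iterable[Incident], notification: Optional[str] = None) -> List[int]:
    """Dwell times of closed cases, optionally restricted to one notification source.

    Open intrusions are excluded rather than counted as zero: an undetected
    intruder has no dwell time yet, and scoring it as 0 would flatter the number.
    """
    days = []
    for inc in incidents:
        if notification is not None and inc.notification != notification:
            continue
        d = dwell_days(inc)
        if d is not None:
            days.append(d)
    return days


def median_dwell(incidents: Iterable[Incident], notification: Optional[str] = None) -> Optional[float]:
    days = closed_dwell_times(incidents, notification)
    return median(days) if days else None


def summary(incidents: List[Incident]) -> Dict[str, Optional[float]]:
    """Overall median vs. mean, plus the internal/external split the report discusses."""
    all_days = closed_dwell_times(incidents)
    return {
        "median_all": median(all_days) if all_days else None,
        "mean_all": round(mean(all_days), 1) if all_days else None,
        "median_internal": median_dwell(incidents, "internal"),
        "median_external": median_dwell(incidents, "external"),
        "open_cases": sum(1 for i in incidents if i.detected is None),
    }


# Constructed sample: six closed cases and one intrusion that is still open.
SAMPLE = [
    Incident("C-001", date(2022, 1, 3), date(2022, 1, 9), "internal"),    # 6 days
    Incident("C-002", date(2022, 2, 1), date(2022, 2, 17), "external"),   # 16 days
    Incident("C-003", date(2022, 3, 10), date(2022, 3, 10), "external"),  # 0 days: ransom note on day one
    Incident("C-004", date(2022, 4, 5), date(2022, 5, 25), "internal"),   # 50 days
    Incident("C-005", date(2022, 6, 1), date(2022, 6, 20), "external"),   # 19 days
    Incident("C-006", date(2021, 9, 1), date(2022, 7, 1), "internal"),    # 303 days, one long-running intrusion
    Incident("C-007", date(2022, 8, 1), None, "internal"),                # still open, excluded
]

if __name__ == "__main__":
    for k, v in summary(SAMPLE).items():
        print(f"{k}: {v}")
```

On this sample the median across all closed cases is 17.5 days while the mean is about 66 days, because one 303-day intrusion dominates the average. The split also shows the caveat from the text: the external median is pulled down by a case that was "detected" only because the adversary dropped a ransom note, so a falling external median should be read together with who the notifier was.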

Other factors that decrease dwell time

Most (if not all) security teams are overworked and understaffed. It’s harder than ever to keep up with the ever-expanding threat landscape. Additionally, teams are already busy with day-to-day security operations tasks required in their SOC.

In fact, a third of cyber team leaders report a higher number of absences due to burnout in the months after an attack. Unsurprisingly, the stress affects employees, with 54% reporting a negative impact on mental health, and 56% say that their role becomes more stressful each year.

For these reasons, some security teams have adopted modernized threat detection and response platforms to help reduce dwell time. These suites aim to unify the analyst workflow and speed up response to live incidents, using AI and automation to raise analyst productivity. For resource-strained teams, that means working more effectively across core technologies such as Endpoint Detection and Response (EDR), Extended Detection and Response (XDR) and Managed Detection and Response (MDR).

Ransomware drops slightly

Is ransomware also on the run? Perhaps slightly. In the new study, Mandiant experts reported a decrease in global investigations involving ransomware between 2021 and 2022. In 2022, 18% of investigations involved ransomware, compared to 23% in 2021.

“While we don’t have data that suggests there is a single cause for the slight drop in ransomware-related attacks that we observed, there have been multiple shifts in the operating environment that have likely contributed to these lower figures,” said Sandra Joyce, VP, Mandiant Intelligence at Google Cloud.

Joyce said some reasons for the drop in ransomware incidents might include:

  • Ongoing government and law enforcement disruption efforts targeting ransomware services and individuals. This may require actors to retool or develop new partnerships.
  • Actors needing to adjust their initial access operations because macros are now often disabled by default.
  • Organizations getting better at detecting and preventing or recovering from ransomware events at faster rates.

Threat group motives

Mandiant tracks more than 3,500 threat groups overall. This includes over 900 newly tracked threat groups in the most recent report period. The analysis identified a total of 343 unique threat groups across all intrusions in 2022.

As they get to know a threat group, Mandiant investigators assign a formal motive designation for each group. For the threat groups observed in 2022, Mandiant assessed actor motivations as follows:

  • 48% of threat groups have financially motivated operations
  • 18% are driven by espionage motives
  • 9% have goals like destructive operations, hacktivism and being a nuisance
  • 27% of threat groups’ motivations were not able to be assessed.

New malware proliferation

In 2022, Mandiant began tracking 588 new malware families. As per the report, newly tracked malware equates to nearly 49 new malware families identified per month in 2022. Of the 588 newly tracked malware families, the top five categories consisted of backdoors (34%), downloaders (14%), droppers (11%), ransomware (7%) and launchers (5%).

Of note, newly tracked credential stealers fell out of the top five categories tracked by Mandiant in 2022. However, in the current report, stolen credentials also appeared for the first time in the most frequently seen intrusion vectors. This finding suggests that threat actors are leveraging previously created credential stealers to obtain stolen credentials.

Mandiant stated it observed an explosion of credential and information stealer malware, such as Redline Stealer, Vidar and Recordstealer (Mandiant's name for Raccoon Stealer). These families are typically delivered through search engine optimization (SEO) poisoning and malicious advertisements (malvertising), which lure users into downloading trojanized software.

The most common malware family

As in previous years, the most common malware family identified by Mandiant was BEACON. BEACON is the default post-exploitation payload of Cobalt Strike, a commercial red-team framework: once running on a compromised host, it maintains the connection to the command-and-control (C2) server and executes the operator's tasks. BEACON was identified in 15% of all intrusions analyzed in the report, making it by far the most common family seen in investigations worldwide.

BEACON has been used by a variety of threat groups, including state-backed groups attributed to China, Russia and Iran. The malware is also used by financially motivated threat actors, including FIN6, FIN7, FIN9, FIN11 and FIN12, and by over 700 uncategorized (UNC) groups. This popularity is likely due to the wide availability of BEACON along with the malware's high customizability and ease of use.
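Because BEACON's defining behaviour is the periodic check-in to its C2 server described above, one practical detection for it is to look for that cadence in web proxy logs. The following is an added example, not code from the article or from Mandiant, that combines two signals: a request path matching a default URI from the stock Cobalt Strike Malleable C2 profile, and check-in regularity (BEACON sleeps a configured interval plus optional jitter between callbacks, so the gaps between requests from one host to one destination cluster tightly, unlike human browsing). The log lines are constructed, and the indicator list is an assumption, a small operator-maintained excerpt of the well-known defaults; a customized profile will not match it, which is why the timing signal is checked independently.

```python
"""Beacon-style C2 check-in detection over proxy logs (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumption: a few of the default GET/POST URIs shipped with the stock
# Cobalt Strike profile. Operators who customize their Malleable profile
# will not use these, so this list is only one of the two signals.
DEFAULT_BEACON_PATHS = {"/dpixel", "/__utm.gif", "/pixel.gif", "/submit.php"}

# Constructed proxy log excerpt: "<ISO timestamp> <src> <dst> <method> <path>".
# 10.0.0.5 calls back about every 60s with jitter to a default URI (beacon),
# 10.0.0.7 browses a site irregularly (benign),
# 10.0.0.9 polls a custom API exactly every 30s (regular, but no default URI).
SAMPLE_LOG = """\
2023-03-01T10:00:00 10.0.0.5 203.0.113.10 GET /__utm.gif
2023-03-01T10:00:00 10.0.0.7 198.51.100.20 GET /index.html
2023-03-01T10:00:00 10.0.0.9 203.0.113.44 GET /api/v2/status
2023-03-01T10:00:05 10.0.0.7 198.51.100.20 GET /css/site.css
2023-03-01T10:00:30 10.0.0.9 203.0.113.44 GET /api/v2/status
2023-03-01T10:01:00 10.0.0.9 203.0.113.44 GET /api/v2/status
2023-03-01T10:01:02 10.0.0.5 203.0.113.10 GET /__utm.gif
2023-03-01T10:01:30 10.0.0.9 203.0.113.44 GET /api/v2/status
2023-03-01T10:01:58 10.0.0.5 203.0.113.10 GET /__utm.gif
2023-03-01T10:03:01 10.0.0.5 203.0.113.10 GET /__utm.gif
2023-03-01T10:04:00 10.0.0.5 203.0.113.10 GET /__utm.gif
2023-03-01T10:04:59 10.0.0.5 203.0.113.10 GET /__utm.gif
2023-03-01T10:05:00 10.0.0.7 198.51.100.20 GET /news
2023-03-01T10:05:10 10.0.0.7 198.51.100.20 GET /images/logo.png
2023-03-01T10:15:00 10.0.0.7 198.51.100.20 GET /about
"""


def parse_log(text):
    """Yield (timestamp, src, dst, path) per line; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, _method, path = parts
        yield datetime.fromisoformat(ts), src, dst, path


def analyze(log_text, min_requests=4, cv_threshold=0.2):
    """Return one finding per (src, dst) pair that shows a beacon signal.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests. A 60s sleep with 10% jitter gives cv around 0.05;
    interactive browsing is usually well above 1.
    """
    sessions = defaultdict(list)
    for ts, src, dst, path in parse_log(log_text):
        sessions[(src, dst)].append((ts, path))

    findings = []
    for (src, dst), reqs in sessions.items():
        reqs.sort()
        default_uri = any(p in DEFAULT_BEACON_PATHS for _, p in reqs)
        cv = None
        if len(reqs) >= min_requests:
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(reqs, reqs[1:])]
            avg = mean(gaps)
            cv = pstdev(gaps) / avg if avg > 0 else None
        regular = cv is not None and cv < cv_threshold
        if default_uri or regular:
            findings.append({"src": src, "dst": dst, "requests": len(reqs),
                             "default_uri": default_uri, "cv": cv, "regular": regular})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

On the sample, the 10.0.0.5 session is flagged on both signals, the browsing session from 10.0.0.7 is not flagged, and the 10.0.0.9 polling session is flagged on timing alone. That third case is the caveat a practitioner should expect: software update checks, monitoring agents and API pollers are also perfectly regular, so the timing signal is a triage lead to be enriched with destination reputation, process lineage on the endpoint and TLS certificate details, not a verdict on its own.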

New threats continue to evolve

While the drop in dwell time is welcome news, the Mandiant report shows the threat landscape continues to evolve. It’s imperative that security pros keep up with relevant threat intelligence, deploy the right security tools and continue to collaborate with the wider security community.
