June 12, 2023 By Jonathan Reed 4 min read

Now for some good news on the cyber front: It looks like we’re winning the global battle over dwell time.

Global median dwell time is calculated as the median number of days an attacker is present in a target’s environment before being detected. And according to a recent Mandiant report, global median dwell time recently dropped to a record low of just over two weeks. This reflects the essential role partnerships and the exchange of information play in building a more resilient cybersecurity ecosystem, according to the report.

Let’s take a deeper look at why dwell times are dropping — and how to drive them even lower. Plus, we’ll explore new malware families, adversary groups and attack techniques described in the Mandiant report.

Driving down dwell time

As per the latest Mandiant M-Trends 2023 report, global median dwell time continued to drop year-over-year — down to 16 days in 2022. This is the shortest median global dwell time ever for M-Trends reporting periods.

Notably, Mandiant identified an improvement in median dwell time when an external entity notified the victim organization. This may indicate that organizations are responding to external notifications more quickly. The report states that there is a growing recognition of the role partnerships and information exchange play in building a resilient cybersecurity ecosystem. But it’s also true that the external notifier might be the threat gang making a ransom demand.

Either way, security partners are improving the critical information contained within external notifications. And this improved information sharing enables organizations to act more effectively rather than having to identify intrusions on their own.

Other factors that decrease dwell time

Most (if not all) security teams are overworked and understaffed. It’s harder than ever to keep up with the ever-expanding threat landscape. Additionally, teams are already busy with day-to-day security operations tasks required in their SOC.

In fact, a third of cyber team leaders report a higher number of absences due to burnout in the months after an attack. Unsurprisingly the stress affects employees, with 54% reporting a negative impact on mental health. And 56% say that their role becomes more stressful each year.

For these reasons, some security teams have pivoted to modernized threat detection and response solutions to help reduce dwell time. These suites are designed to unify the security analyst experience and accelerate responses to live incidents. These solutions use enterprise-grade AI and automation to dramatically increase analyst productivity. Overall, this helps resource-strained security teams work more effectively across core technologies such as Endpoint Detection and Response (EDR), Extended Detection and Response (XDR) and Managed Detection and Response (MDR).

Ransomware drops slightly

Is ransomware also on the run? Perhaps slightly. In the new study, Mandiant experts reported a decrease in global investigations involving ransomware between 2021 and 2022. In 2022, 18% of investigations involved ransomware, compared to 23% in 2021.

“While we don’t have data that suggests there is a single cause for the slight drop in ransomware-related attacks that we observed, there have been multiple shifts in the operating environment that have likely contributed to these lower figures,” said Sandra Joyce, VP, Mandiant Intelligence at Google Cloud.

Joyce said some reasons for the drop in ransomware incidents might include:

  • Ongoing government and law enforcement disruption efforts targeting ransomware services and individuals. This may require actors to retool or develop new partnerships.
  • Actors needing to adjust their initial access operations due to the fact that macros may often be disabled by default.
  • Organizations getting better at detecting and preventing or recovering from ransomware events at faster rates.

Threat group motives

Mandiant tracks more than 3,500 threat groups overall. This includes over 900 newly tracked threat groups in the most recent report period. The analysis identified a total of 343 unique threat groups across all intrusions in 2022.

As they get to know a threat group, Mandiant investigators assign a formal motive designation for each group. For the threat groups observed in 2022, Mandiant assessed actor motivations as follows:

  • 48% of threat groups have financially motivated operations
  • 18% are driven by espionage motives
  • 9% have goals like destructive operations, hacktivism and being a nuisance
  • 27% of threat groups’ motivations were not able to be assessed.

New malware proliferation

In 2022, Mandiant began tracking 588 new malware families. As per the report, newly tracked malware equates to nearly 49 new malware families identified per month in 2022. Of the 588 newly tracked malware families, the top five categories consisted of backdoors (34%), downloaders (14%), droppers (11%), ransomware (7%) and launchers (5%).

Of note, newly tracked credential stealers fell out of the top five categories tracked by Mandiant in 2022. However, in the current report, stolen credentials also appeared for the first time in the most frequently seen intrusion vectors. This finding suggests that threat actors are leveraging previously created credential stealers to obtain stolen credentials.

Mandiant stated it observed an explosion of credential and information stealer-type malware, such as Redline Stealer, Vidar and Recordstealer (aka Redline). These malware groups are typically delivered through search engine optimization abuse and malicious advertisements.

The most common malware family

Like previous years, the most common malware family identified by Mandiant research was BEACON. This is Cobalt Strike’s default malware payload used to create connections to C2 servers. BEACON was identified at 15% of all intrusions analyzed in the report. The BEACON malware is by far the most common variant seen in investigations worldwide.

BEACON has been used by a variety of threat groups, including state-backed groups attributed to China, Russia and Iran. The malware is also used by financially motivated threat actors, including FIN6, FIN7, FIN9, FIN11 and FIN12, and over 700 hundred UNC groups. This popularity is likely due to the wide availability of BEACON along with the malware’s high customizability and ease of use.

New threats continue to evolve

While the drop in dwell time is welcome news, the Mandiant report shows the threat landscape continues to evolve. It’s imperative that security pros keep up with relevant threat intelligence, deploy the right security tools and continue to collaborate with the wider security community.

More from News

Securing critical infrastructure with the carrot and stick

4 min read - It wasn’t long ago that cybersecurity was a fringe topic of interest. Now, headline-making breaches impact large numbers of everyday citizens. Entire cities find themselves under cyberattack. In a short time, cyber has taken an important place in the national discourse. Today, governments, regulatory agencies and companies must work together to confront this growing threat. So how is the federal government bolstering security for critical infrastructure? It looks like they are using a carrot-and-stick approach. Back in March 2022, the…

650,000 cyber jobs are now vacant: How to tackle the risk

4 min read - How far is the United States behind in filing cybersecurity jobs? As per Rep. Andrew Garbarino, R-N.Y., Chairman of the HHS Cybersecurity and Infrastructure Protection Subcommittee, overseas adversaries have a workforce advantage over FBI cyber personnel of 50 to one. His statements were made during a recent subcommittee hearing titled “Growing the National Cybersecurity Talent Pipeline.” Meanwhile, recent CyberSeek data shows over 650,000 cyber jobs to fill nationwide. Given the rising rate of cyberattacks, these numbers are truly alarming. How…

Will data backups save you from ransomware? Think again

4 min read - Backups are an essential part of any solid anti-ransomware strategy. In fact, research shows that the median recovery cost for ransomware victims that used backups is half the cost incurred by those that paid the ransom. But not all data backup approaches are created equal. A separate report found that in 93% of ransomware incidents, threat actors actively target backup repositories. This results in 75% of victims losing at least some of their backups during the attack, and more than…

Should you worry about state-sponsored attacks? Maybe not.

4 min read - More than ever, state-sponsored cyber threats worry security professionals. In fact, nation-state activity alerts increased against critical infrastructure from 20% to 40% from 2021 to 2022, according to a recent Microsoft Digital Defense Report. With the advent of the hybrid war in Ukraine, nation-state actors are launching increasingly sophisticated attacks. But is this the most prominent danger facing companies today? While nation-state-based attacks cannot be ignored, it looks like insider cyber incidents are far more common. In fact, for the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today