June 12, 2023 By Jonathan Reed 4 min read

Now for some good news on the cyber front: It looks like we’re winning the global battle over dwell time.

Global median dwell time is calculated as the median number of days an attacker is present in a target’s environment before being detected. And according to a recent Mandiant report, global median dwell time recently dropped to a record low of just over two weeks. This reflects the essential role partnerships and the exchange of information play in building a more resilient cybersecurity ecosystem, according to the report.

Let’s take a deeper look at why dwell times are dropping — and how to drive them even lower. Plus, we’ll explore new malware families, adversary groups and attack techniques described in the Mandiant report.

Driving down dwell time

As per the latest Mandiant M-Trends 2023 report, global median dwell time continued to drop year-over-year — down to 16 days in 2022. This is the shortest median global dwell time ever for M-Trends reporting periods.

Notably, Mandiant identified an improvement in median dwell time when an external entity notified the victim organization. This may indicate that organizations are responding to external notifications more quickly. The report states that there is a growing recognition of the role partnerships and information exchange play in building a resilient cybersecurity ecosystem. But it’s also true that the external notifier might be the threat gang making a ransom demand.

Either way, security partners are improving the critical information contained within external notifications. And this improved information sharing enables organizations to act more effectively rather than having to identify intrusions on their own.
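The metric the report is built on is simple to reproduce from incident records: for each case, count the days between the earliest evidence of attacker activity and the day the intrusion was detected, then take the median. The following is an added example, not code from this article or from Mandiant; it uses constructed incident records (the `Incident` dataclass, the case IDs and dates are all assumptions) and also splits the median by whether the intrusion was found internally or reported by an external party, which is the comparison the report draws.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median


# Constructed incident records (not data from the Mandiant report): the date of
# the earliest evidence of attacker activity, the date the intrusion was
# detected, and whether the victim found it itself or was told by an outsider.
@dataclass(frozen=True)
class Incident:
    case_id: str
    first_evidence: date
    detected: date
    notification: str  # "internal" or "external"


SAMPLE_INCIDENTS = [
    Incident("case-01", date(2022, 1, 3), date(2022, 1, 12), "internal"),
    Incident("case-02", date(2022, 2, 10), date(2022, 3, 30), "external"),
    Incident("case-03", date(2022, 3, 1), date(2022, 3, 15), "external"),
    Incident("case-04", date(2022, 4, 20), date(2022, 4, 28), "internal"),
    Incident("case-05", date(2022, 5, 5), date(2022, 6, 2), "external"),
    Incident("case-06", date(2022, 6, 15), date(2022, 6, 16), "internal"),
    Incident("case-07", date(2022, 7, 1), date(2022, 7, 31), "external"),
]


def dwell_days(incident: Incident) -> int:
    """Dwell time: whole days between first evidence of compromise and detection."""
    delta = (incident.detected - incident.first_evidence).days
    if delta < 0:
        # A detection date before the first evidence date means the timeline is wrong,
        # not that dwell time was negative; refuse rather than silently skew the median.
        raise ValueError(f"{incident.case_id}: detection precedes first evidence")
    return delta


def median_dwell(incidents) -> float:
    """Median dwell time over a set of incidents.

    The median (rather than the mean) is what the report uses, so a handful of
    intrusions that went unnoticed for years do not dominate the figure.
    """
    return median(dwell_days(i) for i in incidents)


def median_dwell_by_notification(incidents) -> dict:
    """Median dwell time split by who discovered the intrusion (internal vs external)."""
    groups = {}
    for inc in incidents:
        groups.setdefault(inc.notification, []).append(inc)
    return {source: median_dwell(group) for source, group in groups.items()}


if __name__ == "__main__":
    print("overall median dwell (days):", median_dwell(SAMPLE_INCIDENTS))
    print("by notification source:", median_dwell_by_notification(SAMPLE_INCIDENTS))
```

On the constructed data the overall median is 14 days, with internally detected cases at 8 days and externally notified cases at 29 days. The split matters when reading the report's figures: a change in the external-notification median says as much about how quickly organizations act on partner or law-enforcement tips as it does about their own detection capability.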

Other factors that decrease dwell time

Most (if not all) security teams are overworked and understaffed. It’s harder than ever to keep up with the ever-expanding threat landscape. Additionally, teams are already busy with day-to-day security operations tasks required in their SOC.

In fact, a third of cyber team leaders report a higher number of absences due to burnout in the months after an attack. Unsurprisingly, the stress affects employees, with 54% reporting a negative impact on mental health. And 56% say that their role becomes more stressful each year.

For these reasons, some security teams have pivoted to modernized threat detection and response solutions to help reduce dwell time. These suites are designed to unify the security analyst experience and accelerate responses to live incidents. These solutions use enterprise-grade AI and automation to dramatically increase analyst productivity. Overall, this helps resource-strained security teams work more effectively across core technologies such as Endpoint Detection and Response (EDR), Extended Detection and Response (XDR) and Managed Detection and Response (MDR).

Ransomware drops slightly

Is ransomware also on the run? Perhaps slightly. In the new study, Mandiant experts reported a decrease in global investigations involving ransomware between 2021 and 2022. In 2022, 18% of investigations involved ransomware, compared to 23% in 2021.

“While we don’t have data that suggests there is a single cause for the slight drop in ransomware-related attacks that we observed, there have been multiple shifts in the operating environment that have likely contributed to these lower figures,” said Sandra Joyce, VP, Mandiant Intelligence at Google Cloud.

Joyce said some reasons for the drop in ransomware incidents might include:

  • Ongoing government and law enforcement disruption efforts targeting ransomware services and individuals. This may require actors to retool or develop new partnerships.
  • Actors needing to adjust their initial access operations due to the fact that macros may often be disabled by default.
  • Organizations getting better at detecting and preventing or recovering from ransomware events at faster rates.

Threat group motives

Mandiant tracks more than 3,500 threat groups overall. This includes over 900 newly tracked threat groups in the most recent report period. The analysis identified a total of 343 unique threat groups across all intrusions in 2022.

As they get to know a threat group, Mandiant investigators assign a formal motive designation for each group. For the threat groups observed in 2022, Mandiant assessed actor motivations as follows:

  • 48% of threat groups have financially motivated operations
  • 18% are driven by espionage motives
  • 9% have goals such as destructive operations, hacktivism or being a nuisance
  • 27% of threat groups could not be assigned a motivation.

New malware proliferation

In 2022, Mandiant began tracking 588 new malware families. As per the report, newly tracked malware equates to nearly 49 new malware families identified per month in 2022. Of the 588 newly tracked malware families, the top five categories consisted of backdoors (34%), downloaders (14%), droppers (11%), ransomware (7%) and launchers (5%).

Of note, newly tracked credential stealers fell out of the top five categories tracked by Mandiant in 2022. However, in the current report, stolen credentials also appeared for the first time in the most frequently seen intrusion vectors. This finding suggests that threat actors are leveraging previously created credential stealers to obtain stolen credentials.

Mandiant stated it observed an explosion of credential and information stealer-type malware, such as Redline Stealer, Vidar and Recordstealer (aka Redline). These families are typically delivered through search engine optimization abuse and malicious advertisements.

The most common malware family

As in previous years, the most common malware family identified by Mandiant research was BEACON. This is Cobalt Strike’s default malware payload, used to create connections to C2 servers. BEACON was identified in 15% of all intrusions analyzed in the report, making it by far the most common variant seen in investigations worldwide.

BEACON has been used by a variety of threat groups, including state-backed groups attributed to China, Russia and Iran. The malware is also used by financially motivated threat actors, including FIN6, FIN7, FIN9, FIN11 and FIN12, and over 700 UNC groups. This popularity is likely due to the wide availability of BEACON along with the malware’s high customizability and ease of use.
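A payload whose job is to keep a connection open to a C2 server has a network-side signature that does not depend on which group deployed it or how the sample was customized: it checks in on a timer. One defensive check that exploits this is to look, per client/destination pair, for check-ins whose inter-arrival times are nearly constant. The following is an added example, not code from this article, from Mandiant or from any detection product; the proxy log lines, their format (`timestamp client destination`), the thresholds and the host names are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log excerpt (not from any real environment). Assumed format:
# "<ISO timestamp> <client_ip> <destination_host>". 10.0.0.5 checks in roughly
# once a minute with a few seconds of jitter; 10.0.0.7 is ordinary user browsing.
SAMPLE_PROXY_LOG = """\
2022-08-01T10:00:00 10.0.0.5 update.example-cdn.test
2022-08-01T10:01:01 10.0.0.5 update.example-cdn.test
2022-08-01T10:01:58 10.0.0.5 update.example-cdn.test
2022-08-01T10:03:02 10.0.0.5 update.example-cdn.test
2022-08-01T10:03:59 10.0.0.5 update.example-cdn.test
2022-08-01T10:05:00 10.0.0.5 update.example-cdn.test
2022-08-01T10:06:03 10.0.0.5 update.example-cdn.test
2022-08-01T10:00:12 10.0.0.7 news.example.test
2022-08-01T10:00:40 10.0.0.7 mail.example.test
2022-08-01T10:07:55 10.0.0.7 news.example.test
2022-08-01T10:31:02 10.0.0.7 docs.example.test
2022-08-01T11:02:19 10.0.0.7 news.example.test
2022-08-01T11:02:25 10.0.0.7 news.example.test
2022-08-01T11:40:00 10.0.0.7 news.example.test
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def parse_log(text):
    """Yield (timestamp, client, destination) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, dest = m.groups()
        yield datetime.fromisoformat(ts), client, dest


def find_beaconing(text, min_connections=5, max_cv=0.2):
    """Flag client/destination pairs whose connection gaps are nearly constant.

    For each pair with at least min_connections requests, compute the gaps
    between consecutive requests and their coefficient of variation
    (population stdev / mean). Human-driven traffic is bursty (high CV); a
    timer-driven check-in, even with modest jitter, has a low CV.
    Returns {(client, dest): (count, mean_gap_seconds, cv)} for flagged pairs.
    """
    seen = defaultdict(list)
    for ts, client, dest in parse_log(text):
        seen[(client, dest)].append(ts)

    flagged = {}
    for pair, stamps in seen.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # all requests in the same second: a burst, not a timer
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged[pair] = (len(stamps), round(avg, 1), round(cv, 3))
    return flagged


if __name__ == "__main__":
    for (client, dest), (count, avg, cv) in find_beaconing(SAMPLE_PROXY_LOG).items():
        print(f"{client} -> {dest}: {count} requests, ~{avg}s apart, cv={cv}")
```

On the sample log only the 10.0.0.5 pair is flagged (7 requests, about 60 seconds apart, CV below 0.05); the browsing client never produces a low enough CV even to the host it visits most. Legitimate software updaters, monitoring agents and mail clients also poll on timers, so this heuristic is a triage signal to be combined with destination reputation, allowlists of known agents and the payload-level indicators an EDR provides, not a verdict on its own.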

New threats continue to evolve

While the drop in dwell time is welcome news, the Mandiant report shows the threat landscape continues to evolve. It’s imperative that security pros keep up with relevant threat intelligence, deploy the right security tools and continue to collaborate with the wider security community.
