Now for some good news on the cyber front: It looks like we’re winning the global battle over dwell time.

Global median dwell time is calculated as the median number of days an attacker is present in a target’s environment before being detected. And according to a recent Mandiant report, global median dwell time recently dropped to a record low of just over two weeks. This reflects the essential role partnerships and the exchange of information play in building a more resilient cybersecurity ecosystem, according to the report.

Let’s take a deeper look at why dwell times are dropping — and how to drive them even lower. Plus, we’ll explore new malware families, adversary groups and attack techniques described in the Mandiant report.

Driving Down Dwell Time

As per the latest Mandiant M-Trends 2023 report, global median dwell time continued to drop year-over-year — down to 16 days in 2022. This is the shortest median global dwell time ever for M-Trends reporting periods.

Notably, Mandiant identified an improvement in median dwell time when an external entity notified the victim organization. This may indicate that organizations are responding to external notifications more quickly. The report states that there is a growing recognition of the role partnerships and information exchange play in building a resilient cybersecurity ecosystem. One caveat when reading the number: an "external notification" also includes the threat actor announcing itself, as when a ransomware gang delivers a ransom demand, so part of the shorter external dwell time reflects attackers who want to be noticed rather than defenders who found them.

Either way, security partners are improving the critical information contained within external notifications. And this improved information sharing enables organizations to act more effectively rather than having to identify intrusions on their own.
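Measuring your own dwell time the way the report defines it is straightforward if incident records carry a first-evidence date, a detection date and who detected the intrusion. The following is an added example, not code from the Mandiant report or the article, and the incident records in it are constructed; it computes the median overall and by notification source, and separates ransom-note "notifications" so the external figure is not flattered by attackers who announced themselves.

```python
"""Median dwell time from incident records, overall and by notification source.
Added example; the INCIDENTS list below is constructed sample data, not M-Trends data."""
from datetime import date
from statistics import median

# Constructed incidents (hypothetical IDs and dates).
#   first_evidence: earliest attacker activity found during the investigation
#   detected:       day the organization learned of the intrusion
#   source:         "internal" (own detection) or "external" (third-party notice)
#   ransom_note:    True when the external "notifier" was the attacker's demand
INCIDENTS = [
    {"id": "INC-001", "first_evidence": date(2022, 3, 1),  "detected": date(2022, 3, 9),  "source": "internal", "ransom_note": False},
    {"id": "INC-002", "first_evidence": date(2022, 4, 10), "detected": date(2022, 5, 10), "source": "internal", "ransom_note": False},
    {"id": "INC-003", "first_evidence": date(2022, 6, 1),  "detected": date(2022, 6, 13), "source": "external", "ransom_note": False},
    {"id": "INC-004", "first_evidence": date(2022, 7, 20), "detected": date(2022, 7, 25), "source": "external", "ransom_note": True},
    {"id": "INC-005", "first_evidence": date(2022, 8, 1),  "detected": date(2022, 9, 10), "source": "external", "ransom_note": False},
    {"id": "INC-006", "first_evidence": date(2022, 10, 4), "detected": date(2022, 10, 20), "source": "internal", "ransom_note": False},
    {"id": "INC-007", "first_evidence": date(2022, 11, 2), "detected": date(2022, 11, 5),  "source": "external", "ransom_note": True},
]


def dwell_days(incident):
    """Whole days between first evidence and detection.
    A detection date earlier than first evidence is a data-entry error, not a
    negative dwell time, so it is rejected rather than silently skewing the median."""
    days = (incident["detected"] - incident["first_evidence"]).days
    if days < 0:
        raise ValueError(f"{incident['id']}: detected before first evidence")
    return days


def median_dwell(incidents, source=None, exclude_ransom_notes=False):
    """Median dwell time in days over the selected incidents.
    source=None keeps every incident; exclude_ransom_notes drops cases where the
    external notification was the attacker's own ransom demand.
    Returns None when nothing matches instead of raising on an empty median."""
    selected = [
        inc for inc in incidents
        if (source is None or inc["source"] == source)
        and not (exclude_ransom_notes and inc["ransom_note"])
    ]
    if not selected:
        return None
    return median([dwell_days(inc) for inc in selected])


def dwell_report(incidents):
    """The breakdown a SOC would track quarter over quarter."""
    return {
        "overall": median_dwell(incidents),
        "internal": median_dwell(incidents, source="internal"),
        "external": median_dwell(incidents, source="external"),
        "external_excl_ransom_notes": median_dwell(
            incidents, source="external", exclude_ransom_notes=True),
    }


if __name__ == "__main__":
    for label, days in dwell_report(INCIDENTS).items():
        print(f"{label:>28}: {days} days")
```

On the sample data the external median (8.5 days) looks much better than the internal one (16 days) until the two ransom-note cases are removed, at which point it rises to 26 days; that gap is the reason to record the notification source, and whether it was the adversary, on every incident.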

Other Factors that Decrease Dwell Time

Most (if not all) security teams are overworked and understaffed. It’s harder than ever to keep up with the ever-expanding threat landscape. Additionally, teams are already busy with day-to-day security operations tasks required in their SOC.

In fact, a third of cyber team leaders report a higher number of absences due to burnout in the months after an attack. Unsurprisingly the stress affects employees, with 54% reporting a negative impact on mental health. And 56% say that their role becomes more stressful each year.

For these reasons, some security teams have pivoted to modernized threat detection and response platforms to help reduce dwell time. These platforms are designed to unify the analyst experience and accelerate response to live incidents, using AI and automation to raise analyst throughput. Overall, this helps resource-strained security teams work more effectively across core technologies such as Endpoint Detection and Response (EDR), Extended Detection and Response (XDR) and Managed Detection and Response (MDR).

Ransomware Drops Slightly

Is ransomware also on the run? Perhaps slightly. In the new study, Mandiant experts reported a decrease in global investigations involving ransomware between 2021 and 2022. In 2022, 18% of investigations involved ransomware, compared to 23% in 2021.

“While we don’t have data that suggests there is a single cause for the slight drop in ransomware-related attacks that we observed, there have been multiple shifts in the operating environment that have likely contributed to these lower figures,” said Sandra Joyce, VP, Mandiant Intelligence at Google Cloud.

Joyce said some reasons for the drop in ransomware incidents might include:

  • Ongoing government and law enforcement disruption efforts targeting ransomware services and individuals. This may require actors to retool or develop new partnerships.
  • Actors needing to adjust their initial access operations due to the fact that macros may often be disabled by default.
  • Organizations getting better at detecting and preventing or recovering from ransomware events at faster rates.

Threat Group Motives

Mandiant tracks more than 3,500 threat groups overall. This includes over 900 newly tracked threat groups in the most recent report period. The analysis identified a total of 343 unique threat groups across all intrusions in 2022.

As they get to know a threat group, Mandiant investigators assign a formal motive designation for each group. For the threat groups observed in 2022, Mandiant assessed actor motivations as follows:

  • 48% of threat groups have financially motivated operations
  • 18% are driven by espionage motives
  • 9% have goals like destructive operations, hacktivism and being a nuisance
  • 27% of threat groups’ motivations were not able to be assessed.

New Malware Proliferation

In 2022, Mandiant began tracking 588 new malware families. As per the report, newly tracked malware equates to nearly 49 new malware families identified per month in 2022. Of the 588 newly tracked malware families, the top five categories consisted of backdoors (34%), downloaders (14%), droppers (11%), ransomware (7%) and launchers (5%).

Of note, newly tracked credential stealers fell out of the top five categories tracked by Mandiant in 2022. However, in the current report, stolen credentials appeared for the first time among the most frequently seen initial intrusion vectors. Taken together, these findings suggest that threat actors are relying on existing credential stealers, and on the credentials those tools have already harvested, rather than building new ones.

Mandiant stated it observed an explosion of credential and information stealer-type malware, such as Redline Stealer, Vidar and Recordstealer. These malware families are typically delivered through search engine optimization abuse and malicious advertisements that lure users to trojanized downloads.

The Most Common Malware Family

Like previous years, the most common malware family identified by Mandiant was BEACON, the default payload of the Cobalt Strike post-exploitation framework, which is used to establish connections to command-and-control (C2) servers. BEACON was identified in 15% of all intrusions analyzed in the report, making it by far the most common family seen in investigations worldwide.

BEACON has been used by a variety of threat groups, including state-backed groups attributed to China, Russia and Iran. The malware is also used by financially motivated threat actors, including FIN6, FIN7, FIN9, FIN11 and FIN12, and over 700 UNC groups. This popularity is likely due to the wide availability of BEACON (both licensed and cracked copies of Cobalt Strike circulate) along with the malware's high customizability and ease of use.

New Threats Continue to Evolve

While the drop in dwell time is welcome news, the Mandiant report shows the threat landscape continues to evolve. It’s imperative that security pros keep up with relevant threat intelligence, deploy the right security tools and continue to collaborate with the wider security community.
