Global median dwell time drops below one month
– detection capabilities improve, but ransomware surges on
FireEye, Inc. (NASDAQ: FEYE), the intelligence-led security
company, today released the FireEye® Mandiant® M-Trends® 2021
report. Now in its 12th year, M-Trends brings together the best of
cybersecurity expertise and threat intelligence with statistics and
insights gleaned from recent frontline Mandiant investigations
around the globe. [1]
This year’s report outlines critical details on trending
attacker techniques and malware, the proliferation of multifaceted
extortion and ransomware, preparing for expected UNC2452 / SUNBURST
copycat threat actors, growing insider threats, plus pandemic and
industry targeting trends. Additional findings are summarized
below.
Global Median Dwell Time Drops Below One Month for First
Time
Over the past decade, Mandiant has observed a trending reduction
in global median dwell time (defined as the duration between the
start of a cyber intrusion and when it is identified). This measure
went from over one year in 2011 to just 24 days in 2020 – meaning
intrusions were identified more than twice as quickly as in last year’s
report, which had a median dwell time of 56 days. Mandiant attributes
this reduction to continued development and improvement of
organizational detection and response capabilities, along with the
surge of multifaceted extortion and ransomware intrusions.
Median dwell time trends varied by region. In the Americas, it
continued to decrease. The Americas median dwell time for incidents
discovered internally improved the most – dropping from 32 days
down to only nine days – marking the first time a region has dipped
into single digits. Conversely, APAC and EMEA experienced an
overall increase in median dwell time, which Mandiant experts
believe to be influenced by a greater number of intrusions with
dwell times extending beyond three years, as compared to the
Americas.
Internal Detections on the Rise
While last year’s report noted a drop in internal detections of
intrusions compared to the previous year, Mandiant experts observed
a return of organizations independently detecting most of their own
incidents. Internal incident detection rose to 59% in 2020 – a
12-point increase compared to 2019. This return to organizations
detecting the majority of intrusions within their environments is
in line with the overall trend observed over the last five
years.
Notably, internal detection was on the rise across all regions
year-over-year. Organizations located in the Americas led the
internal detection trendline at 61%, followed by EMEA and APAC
closely aligned at 53% and 52%, respectively. In comparison, APAC
and EMEA organizations received more notifications of compromise
from external entities, versus organizations in the Americas.
Attackers Narrow Sights on Retail & Hospitality and
Healthcare
The top five most targeted industries, in order, are Business
and Professional Services, Retail and Hospitality, Financial,
Healthcare and High Technology.
Mandiant experts observed that organizations in the Retail and
Hospitality industry were targeted more heavily in 2020 – coming in
as the second most targeted industry compared to 11th in last
year’s report. Healthcare also rose significantly, becoming the
third most targeted industry in 2020, compared to eighth in last
year’s report. This increased focus by threat actors can most
likely be explained by the vital role the healthcare sector played
during the global pandemic.
Executive Quotes
“While organizations continue to improve their ability to
discover compromises within their environments, containing
adversaries today comes with unique challenges. The consequences of
a global pandemic forced companies to rethink how they operate and
move to a remote workforce. This change resulted in VPN
infrastructure, video conferencing, collaboration and knowledge
sharing platforms becoming business-critical systems and changing
the attack surface of organizations. In many cases, regular
employees became responsible for connectivity and cybersecurity.
While Business and Professional Services has been in the top five
most targeted industries since 2016, we believe the sudden boost in
business services necessary for remote working has made this
industry the most targeted in 2020 by cybercriminals and
state-sponsored threat actors.” – Jurgen Kutscher, Executive
Vice President, Service Delivery, Mandiant
“Multifaceted extortion and ransomware are the most prevalent
threats to organizations. In this year’s report, direct financial
gain was the likely motive for at least 36% of the intrusions we
investigated. Data theft and reselling of unauthorized access to
victim organizations remain high as multifaceted extortion and
ransomware actors have trended away from purely opportunistic
campaigns in favor of targeting organizations that are more likely
to pay large extortion demands. Given this surge, organizations
must take proactive action to mitigate the potential impact.” –
Charles Carmakal, Senior Vice President and Chief Technology
Officer, Mandiant
“UNC2452, the threat actor responsible for the SolarWinds supply
chain attack, reminds us that a highly-disciplined and patient
actor cannot be underestimated. This actor’s attention paid to
operational security, counter forensics, and even
counterintelligence set it apart from its peers. Defense against
this actor will not be easy, but it is not impossible. We have
learned a great deal about UNC2452 in recent months, and we believe
that intelligence will be our advantage in future encounters.” –
Sandra Joyce, Executive Vice President, Global Threat
Intelligence, Mandiant
“This year’s M-Trends report identified the three most
frequently used initial vectors of compromise as exploits (29%),
phishing emails (23%) and stolen credentials or brute-force (19%).
While phishing remains a preferred vector by cyber threat actors,
we saw more actors leveraging exploits to compromise victims. The
increase in exploit usage should remind organizations to have a
more robust plan for patching product vulnerabilities. One of the
challenges here is identifying what sources and information are
available to make better risk-based decisions when prioritizing
what systems and applications to patch now and what to patch at a
later stage based on current knowledge about exploitation and
targeting by threat actors.” – Jurgen Kutscher, Executive Vice
President, Service Delivery, Mandiant
“We have continued to see a ‘wolf in sheep’s clothing’ trend
where threat groups and cyber criminals rely on publicly available
tools introduced in different stages of a compromise. The usage of
public or commercially available tools, often used by red teams and
penetration testers, allows the threat actor to blend in with
security testing. It also makes attribution more complex. In this
year’s report, 24% of the intrusions analyzed involved BEACON
usage, which is a commercial tool, part of the Cobalt Strike
software platform, commonly used for pentesting network
environments. We have observed BEACON being used by a wide range of
named threat groups, including APT19, APT32, APT40, APT41, FIN6,
FIN7, FIN9 and FIN11, as well as nearly 300 uncategorized clusters
of threat activity.” – Charles Carmakal, Senior Vice President
and Chief Technology Officer, Mandiant
Report Resources
- Full report: https://www.fireeye.com/mtrends
- M-Trends 2021 First Look webinar on April 13: Hear firsthand
analysis from Mandiant experts about this year’s report numbers,
ransomware trends, and activity they continue to see:
- https://www.brighttalk.com/webcast/7451/472530
- M-Trends 2021 By The Numbers webinar on April 15: A deep dive
into this year’s report numbers along with mitigation solutions
organizations should be inclined to implement:
- https://www.brighttalk.com/webcast/7451/476778
About Mandiant
Mandiant, a part of FireEye, brings together the world’s leading
threat intelligence and frontline expertise with continuous
security validation to arm organizations with the tools needed to
increase security effectiveness and reduce organizational risk.
About FireEye, Inc.
FireEye is the intelligence-led security company. Working as a
seamless, scalable extension of customer security operations,
FireEye offers a single platform that blends innovative security
technologies, nation-state grade threat intelligence, and
world-renowned Mandiant consulting. With this approach, FireEye
eliminates the complexity and burden of cyber security for
organizations struggling to prepare for, prevent, and respond to
cyber attacks. FireEye has over 9,900 customers across 103
countries, including more than 50 percent of the Forbes Global
2000.
© 2021 FireEye, Inc. All rights reserved. FireEye, Mandiant and
M-Trends are registered trademarks or trademarks of FireEye, Inc.
in the United States and other countries. All other brands,
products, or service names are or may be trademarks or service
marks of their respective owners.
[1] Report metrics are based on Mandiant investigations of
targeted attack activity conducted between October 1, 2019 and
September 30, 2020.
View source
version on businesswire.com: https://www.businesswire.com/news/home/20210413005031/en/
Media: Media.Relations@FireEye.com
Investors: Investor.Relations@FireEye.com