Under a Month! Organizations Are Detecting Threats Faster than Ever Before



The cybersecurity industry just achieved a significant milestone. Organizations around the globe are now detecting threats in under a month. More specifically, the global median dwell time is under a month. Dwell time is the amount of time between compromise and discovery. We’ve been providing the metric—based on our observations from the front lines of the most recent attacks—as part of our M-Trends report since its inception in 2011. In that initial report, the global median dwell time was a whopping 416 days. That means a threat was residing on a system for longer than a year before it was detected.

Now the global median dwell time is just 24 days, based on our observations from October 1, 2019, through September 30, 2020. Breaking it down even further, we see the global median dwell time for internal detections is just 12 days—under two weeks. For external notifications, it’s 73 days, which is a nearly 50% reduction over the previous year.
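As an added example, not from the M-Trends report or this post, the following Python computes the dwell-time metrics described above from a constructed set of incident records: dwell time per incident, the median overall and by detection source (internal vs. external), the internal-detection share, and the share of incidents found within 30 days. The record fields, the sample dates and the reporting function are assumptions for illustration.

```python
from datetime import date
from statistics import median

# Constructed sample incidents (not M-Trends data). "internal" means the
# victim organization found the compromise itself; "external" means a third
# party (law enforcement, a vendor, a partner) notified them.
INCIDENTS = [
    {"id": "inc-1", "compromised": "2020-01-05", "discovered": "2020-01-15", "source": "internal"},
    {"id": "inc-2", "compromised": "2020-02-01", "discovered": "2020-02-13", "source": "internal"},
    {"id": "inc-3", "compromised": "2020-03-10", "discovered": "2020-03-24", "source": "internal"},
    {"id": "inc-4", "compromised": "2020-04-01", "discovered": "2020-05-31", "source": "external"},
    {"id": "inc-5", "compromised": "2020-05-01", "discovered": "2020-07-13", "source": "external"},
    {"id": "inc-6", "compromised": "2020-06-01", "discovered": "2020-08-30", "source": "external"},
]


def dwell_days(incident):
    """Dwell time in whole days: discovery date minus compromise date."""
    start = date.fromisoformat(incident["compromised"])
    end = date.fromisoformat(incident["discovered"])
    if end < start:
        # A discovery before the compromise is a data-entry error, not a
        # negative dwell time; refuse to count it.
        raise ValueError(f"{incident['id']}: discovered before compromised")
    return (end - start).days


def dwell_time_report(incidents, threshold_days=30):
    """Median dwell time overall and per detection source, the share of
    incidents detected internally, and the share found within threshold_days."""
    by_source = {}
    for inc in incidents:
        by_source.setdefault(inc["source"], []).append(dwell_days(inc))
    all_days = [d for days in by_source.values() for d in days]
    if not all_days:
        raise ValueError("no incidents to report on")
    report = {"count": len(all_days), "median_all": median(all_days)}
    for source, days in sorted(by_source.items()):
        report[f"median_{source}"] = median(days)
    report["internal_share"] = len(by_source.get("internal", [])) / len(all_days)
    report["within_30_days_share"] = sum(d <= threshold_days for d in all_days) / len(all_days)
    return report


if __name__ == "__main__":
    for key, value in dwell_time_report(INCIDENTS).items():
        print(f"{key}: {value}")
```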

Overall, these numbers are swinging significantly in the right direction; but as we always say, a determined adversary needs only a few days to achieve their objective, so organizations and security professionals must remain vigilant. The median dwell time has also been influenced by the continued increase of ransomware attacks, which tend to be detected a lot earlier as well.

What Else Are We Seeing?

Let’s dive into some of the other metrics we observed in that same one-year span. We touched on detection by source earlier, so let’s explore that a bit further. In the initial M-Trends report, 94% of detections were coming externally, although that number dropped to around 65% over the following three years. Now, 59% of detections are internal, which is significant given the difference in global median dwell time for internal detection versus external notification.

Let’s shift to industries in the crosshairs. The top five industries targeted in that one-year span are: (1) business and professional services, (2) retail and hospitality, (3) financial, (4) healthcare and (5) high technology. Business and professional services and financial consistently place in the top five, but retail and hospitality and healthcare saw huge jumps from their rankings of 11 and 8, respectively, in the year prior.

How are attackers attacking? Phishing is one of the most effective threats, and it won’t go away any time soon. But for the initial infection vector, when identified, we found evidence of attackers using exploits in 29% of intrusions, whereas phishing accounted for only 23% of intrusions. Meanwhile, backdoors accounted for 36% of the more than 500 new malware families observed in the one-year span, with downloaders making up 16%, droppers making up 8% and ransomware accounting for 5%. The commercially available BEACON backdoor was observed in 24% of intrusions, making it the most frequently seen malware family. The EMPIRE PowerShell framework followed at 8%, and MAZE ransomware came next at 5% of all intrusions.

What’s Trending?

Despite ransomware accounting for only 5% of new malware families observed, it’s arguably one of, if not the most, impactful and devastating threats right now. That’s because ransomware has evolved into a multifaceted extortion threat that people still refer to simply as ransomware. Sure, there’s the monetary ransom demand. But these operations also include theft of sensitive data, publication on name-and-shame websites and other coercive tactics such as disruptive attacks and employee harassment. Gone are the days when offline backups were sufficient to deal with this threat—nowadays, the problem requires more comprehensive strategies and solutions.

Among the threat groups executing these types of attacks is FIN11, a financially motivated actor we promoted in 2020 that has been active since at least 2016. Exploits may have been the most common intrusion vector we observed (when identified), but FIN11 isn’t known for using them. Instead, the group is known for its rapidly evolving phishing and malware delivery tactics, techniques and procedures, which are effective and efficient.

Financially motivated attacks aren’t all we’re seeing. Unfortunately, we’re in the midst of a global pandemic, with doctors and analysts around the globe working hard to learn as much as they can about the virus. Any research on vaccines or ways to contain spread is considered tremendously valuable, and as such, we have seen state-sponsored activity targeting that information as part of espionage operations.

Awareness Is the First Step

We share this information because we know that awareness is the first step to staying ahead of threats—especially the threats that matter most—and that in order to protect ourselves and others, solutions and strategies must be built to detect, respond to and contain real attacks that threat actors are actively using.

That’s why we’ve been releasing our annual M-Trends report since 2011—to arm security professionals with insights into the latest attacker activity as seen directly on the front lines. For more on the metrics and threat activity discussed in this post, download M-Trends 2021 today.


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

