If you’re too busy to write your own ransomware, go gig economy! US-based FireEye Inc. releases its latest FireEye Mandiant M-Trends 2020 report claiming that while detection is faster, cyber attacks are evolving, as are opportunities to monetize cyber crime.
According to the report, the median dwell time in APAC, defined as the duration between the start of a cyber intrusion and it being identified, has fallen from 204 days in last year’s report to 54 days this time – a significant decrease of 73%. FireEye claims the marked decrease in dwell times is skewed by the significantly increased amount of ransomware-related breaches (18%), which have a dwell time of zero days.
Noteworthy is the median dwell time for APAC would be 94 days without the ransomware cases, still an improvement over last year’s report.
There was also a marked decrease in the median dwell time globally, which was recorded as 56 days – 28% lower than the 78-day median observed in the previous year. FireEye attributes this trend to organizations improving their detection programs, as well as changes in attacker behaviors such as the continued rise in disruptive attacks (e.g. ransomware and cryptocurrency miners) which often have shorter dwell times than other attack types.
Global internal and external detection times have also reduced
The Median dwell time for organizations that learned of their incident by an external party stands at 141 days, a 23% decrease since the previous M-Trends report (184 days). in addition, the median dwell time for organizations that self-detected their incident stands at 30 days, a 40% decrease year over year (50.5 days). While internal dwell time saw the greatest level of improvement, still 12% of investigations reported dwell times of greater than 700 days.
Although the dwell time for intrusions identified internally by organizations has gone down, the overall percentage of self-detected security incidents versus external sources has also reduced. There has been a 12-percentage point decrease in the proportion of compromises detected internally, year-over-year. This comes after a steady improvement of internal detections since 2011. 2019 is the first time in four years in which external notifications, when an outside entity informs an organization that it has been compromised, exceeded internal detections.
This shift is potentially due to a variety of factors, such as increases in law enforcement and cyber security vendor notifications, changes in public disclosure norms, and compliance changes. FireEye Mandiant believes it is unlikely that organizations’ ability to detect intrusions has deteriorated, as other metrics show continued improvements in organizational detections and response.
Hundreds of new malware families
The report claims of all the malware families Mandiant observed in 2019, 41% had never been seen before. Furthermore, 70% of the samples identified belonged to one of the five most frequently seen families, which are based on open source tools with active development. FireEye says these points demonstrate that not only are malware authors innovating, cyber criminals are also outsourcing tasks to monetize operations faster.
Also of note, the majority of new malware families impacted either Windows or multiple platforms. FireEye claims of new malware families solely impacting Linux or Mac, this activity remains in the minority.
Increased monetization by cyber criminals
Of the attacks that FireEye Mandiant professionals responded to, the greatest majority (29%) were likely motivated by direct financial gain. This includes extortion, ransom, card theft, and illicit transfers. The second most common (22%) was data theft likely in support of intellectual property or espionage end goals. The successful monetization of ransomware attacks and the availability of ransomware as a service have contributed to an increase in overall ransomware cases.
Established cybercrime groups that historically targeted personal and credit card information have also been increasingly turning to ransomware as a secondary means of generating revenue.
Given the ease with which ransomware attacks can be carried out and their continued financial success for attackers, FireEye Executive Vice President of Service Delivery Jurgen Kutscher, says ransomware will continue to be used as a secondary means for monetizing access to victim environments.
“FireEye Mandiant has seen organizations largely improving their level of cyber security sophistication, but combatting the latest threats is still a huge challenge for them. There are more active groups now than ever before and we’ve seen an aggressive expansion of their goals. Consequently, it’s crucial for organizations to continue building and testing their defenses,” says Kutscher.
A full copy of the FireEye Mandiant M-Trends 2020 report is available for download here.