In cybersecurity parlance, dwell time is the time that elapses between an attacker’s initial penetration of an organisation’s environment and the point at which the attacker is discovered. The average dwell time varies by industry and region. A 2019 Attivo survey puts this number at 100 days of undetected access within a network.
A Chubb report, Ignorance is Risk: Regional SME Cyber Preparedness Report 2019, revealed that for SMEs, the dwell time of non-ransomware attacks averages 798 days.
Dwell time drops to three weeks
According to Mandiant’s M-Trends 2022 report, the global median dwell time has dropped from 24 days in 2020 to 21 days in 2021.
The dwell time distribution for APAC reveals that 60% of intrusions had dwell times of 30 days or fewer, with 60% of these (36% of all APAC intrusions) detected in one week or less. At the other end of the spectrum, as in previous years, the APAC dwell time distribution continues to show that several intrusions go undetected for extended periods of time.
Intrusion detection
In APAC, organisations are detecting intrusions more quickly, and external entities are notifying organisations of intrusions faster. Intrusions in APAC that were detected internally had a median dwell time of 22 days in 2021, compared to 33 days in 2020. The median dwell time for intrusions with an external notification source was 16 days in 2021, compared to 137 days in 2020, an 88% reduction.
Mandiant experts also observed that 13% of intrusions in APAC in 2021 had dwell times that exceeded three years.
Organisations’ improved threat visibility and response, as well as the pervasiveness of ransomware, which has a significantly lower median dwell time than non-ransomware intrusions, are likely the driving factors behind the reduced median dwell time.
The report found that in APAC 76% of intrusions in 2021 were identified by external third parties, a reversal of what was observed in 2020.
Organisations in APAC have impressive detection capabilities. However, intrusions that go undetected initially can remain undetected, resulting in extensive dwell times when they are ultimately detected.
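The metrics the report discusses (median dwell time overall and by notification source, and the share of intrusions falling into each dwell-time band) are straightforward to compute from an incident-response team's own case records. The following is an added example, not code or data from Mandiant or this article; the incident records and band boundaries are constructed for illustration.

```python
from datetime import date
from statistics import median

# Constructed sample incidents (not data from the report): date of the earliest
# evidence of compromise, date of detection, and which party detected it.
INCIDENTS = [
    {"id": "inc-01", "compromised": date(2021, 3, 1),  "detected": date(2021, 3, 5),   "source": "internal"},
    {"id": "inc-02", "compromised": date(2021, 4, 10), "detected": date(2021, 4, 25),  "source": "external"},
    {"id": "inc-03", "compromised": date(2021, 5, 1),  "detected": date(2021, 5, 26),  "source": "internal"},
    {"id": "inc-04", "compromised": date(2021, 6, 1),  "detected": date(2021, 7, 31),  "source": "external"},
    {"id": "inc-05", "compromised": date(2020, 6, 1),  "detected": date(2020, 12, 18), "source": "internal"},
    {"id": "inc-06", "compromised": date(2018, 1, 1),  "detected": date(2021, 4, 15),  "source": "external"},
    {"id": "inc-07", "compromised": date(2021, 8, 1),  "detected": date(2021, 8, 8),   "source": "internal"},
    {"id": "inc-08", "compromised": date(2020, 3, 1),  "detected": date(2021, 4, 5),   "source": "external"},
]

# Upper bound in days of each dwell-time band (assumed boundaries; None = open-ended).
BANDS = [("<=7d", 7), ("8-30d", 30), ("31d-1y", 365), ("1y-3y", 3 * 365), (">3y", None)]


def dwell_days(compromised: date, detected: date) -> int:
    """Dwell time in whole days; a detection date before compromise is a data error."""
    if detected < compromised:
        raise ValueError("detection date precedes compromise date")
    return (detected - compromised).days


def median_dwell(incidents, source=None) -> float:
    """Median dwell time, optionally restricted to one notification source."""
    days = [dwell_days(i["compromised"], i["detected"]) for i in incidents
            if source is None or i["source"] == source]
    return median(days)


def band_for(days: int) -> str:
    """Label of the first band whose upper bound the dwell time does not exceed."""
    for label, limit in BANDS:
        if limit is None or days <= limit:
            return label


def distribution(incidents) -> dict:
    """Share of incidents (0..1) falling into each dwell-time band."""
    counts = {label: 0 for label, _ in BANDS}
    for i in incidents:
        counts[band_for(dwell_days(i["compromised"], i["detected"]))] += 1
    return {label: counts[label] / len(incidents) for label in counts}


if __name__ == "__main__":
    print("median dwell, all incidents:", median_dwell(INCIDENTS))
    print("median dwell, internal detection:", median_dwell(INCIDENTS, "internal"))
    print("median dwell, external notification:", median_dwell(INCIDENTS, "external"))
    print("distribution by band:", distribution(INCIDENTS))
```

Splitting the median by notification source, as the report does, is what reveals whether long-undetected intrusions are being surfaced by the organisation itself or only once an outside party raises the alarm.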
Additional takeaways
Infection Vector: For the second year in a row, exploits remained the most frequently identified initial infection vector. Of the incidents that Mandiant responded to during the reporting period, 37% started with the exploitation of a security vulnerability, as opposed to phishing, which accounted for only 11%. Supply chain compromises increased dramatically, from less than 1% in 2020 to 17% in 2021.
Target industries impacted: Business and professional services and financial were the top two industries targeted by adversaries (14% each), followed by healthcare (11%), retail and hospitality (10%) and tech and government (both at 9%).
New multifaceted extortion and ransomware TTPs: Mandiant observed multifaceted extortion and ransomware attackers using new tactics, techniques and procedures (TTPs) to deploy ransomware rapidly and efficiently throughout business environments, noting that the pervasive usage of virtualisation infrastructure in corporate environments has made it a prime target for ransomware attackers.
Ransomware was more prevalent in APAC in 2021 compared to previous years. Ransomware-related intrusions accounted for 38% of intrusions investigated in APAC in 2021 compared to 12.5% of intrusions in 2020 and 18% of intrusions in 2019.
This is in line with Mandiant’s observations that ransomware extortion gangs continue to thrive off a successful ransomware-as-a-service model and the various specialisations of threat actors across the attack lifecycle in the cyber-criminal underground.
APAC organisations should continue to remain vigilant of the latest developments in the ransomware extortion domain and work with trusted partners to validate the security of their systems.
Advisory
Jurgen Kutscher, executive vice president, service delivery at Mandiant, says that, given the continued increase in the use of exploits as an initial compromise vector, organisations need to maintain focus on executing security fundamentals such as asset, risk and patch management.
He added that multifaceted extortion and ransomware continue to pose huge challenges for organisations of all sizes and across all industries, with this year’s M-Trends report noting a specific rise in attacks targeting virtualisation infrastructure.
“The key to building resilience lies in preparation. Developing a robust preparedness plan and a well-documented and tested recovery process can help organisations successfully navigate an attack and quickly return to normal business operations,” concluded Kutscher.