The length of time attackers remained undetected on a victim's network decreased for the fourth year in a row, sinking to 21 days in 2021, down from 24 days in 2020, according to a new report on incident response (IR) investigations conducted by Mandiant.
Mandiant in its IR cases found that companies have tuned their detection capabilities to find the most dangerous attacks quickly, with ransomware detected within five days on average; non-ransomware attacks remained active for 36 days in 2021, down from 45 days in 2020. But the quicker detection of ransomware attacks may not necessarily be positive, instead being due to the activation of the payload, says Steven Stone, senior director of adversary operations for Mandiant.
In general, however, the improvement is driven by faster detection of non-ransomware threats because more companies are working with third-party cybersecurity firms, and government agencies and security firms often notify victims of attacks, leading to faster detection, he says.
"We think the combination of factors like these contributes to what we already see as year-over-year improvements in these regions," Stone says. "Ultimately, initial threat vectors come down to attacker choices and the availability of different vulnerabilities. Overall, we see some attack groups use different methods concurrently, likely showing a preference per target efforts."
Companies have improved their detection times dramatically over the past decade, reducing the time to detect attackers by nearly a factor of 20, from 418 days in 2011 to 21 days in 2021, according to the Mandiant M-Trends 2022 report.
The improvement in company's detection capabilities varied significantly by region, with firms in the Asia-Pacific region seeing a dramatic drop in so-called "dwell time" to 21 days in 2021, from 76 days in 2020. European companies also saw a significant decrease to 48 days, from 66 days in 2020, while North American companies' detection did not change, staying level at 17 days.
Attackers Love Cobalt Strike
The most popular attack tool remained the Beacon backdoor, which accounted for 28% of all identified malware families. Beacon is a component of the Cobalt Strike penetration testing tool, which is also popular with malicious attackers. Other attack tools quickly dropped off in frequency and include the Sunburst backdoor for .NET environments, the Metasploit penetration testing platform, and SystemBC, a proxy toolkit.
Overall, two methods of initial compromise — exploiting vulnerabilities and attacks through the supply chain — accounted for 54% of all attacks with an identified initial infection vector in 2021, up from less than a 30% share of attacks in 2020, according to Mandiant. The changing tactics underscore that companies need to keep informed of attackers' techniques, Jurgen Kutscher, executive vice president for service delivery at Mandiant, said in a statement announcing the report.
"In light of the continued increased use of exploits as an initial compromise vector, organizations need to maintain focus on executing on security fundamentals — such as asset, risk, and patch management," he said. "The key to building resilience lies in preparation. Developing a robust preparedness plan and well-documented and tested recovery process can help organizations successfully navigate an attack and quickly return to normal business operations."
Active Directory in the Bullseye
In another trend, attackers are increasingly taking aim at hybrid Active Directory (AD) installations, because misconfigurations in the hybrid identity model — where credentials and keys are synchronized between on-premises AD services and Azure Active Directory in the cloud — lead to compromises, Mandiant stated in the report.
Companies should treat hybrid Active Directory servers as the most sensitive level of assets, tier 0, and only allow access from privileged workstation from a segmented network. Along with monitoring, these steps should make exploitation much more difficult, says Evan Pena, managing director of Mandiant's global red team.
Luckily, implementing best security practices for hybrid AD servers is not hard to get right, he says.
"As companies move their resources to the cloud while using hybrid models, attackers will target these hybrid servers to achieve both domain and cloud compromise," he says. "It is common for these hybrid servers to have high-level privileges to on-premises servers — [such as] domain controllers — and cloud resources."
Companies should be tackling the primary threat this year by reviewing and assessing their Active Directory implementation for vulnerabilities or misconfigurations, understanding how to detect and prevent unusual lateral movement attempts in their environment, and implementing application whitelisting and disabling macros to significantly limit initial access attacks, says Pena.