Attackers are spending less time inside target networks, researchers report, but the seemingly positive trend hides a concerning development: Ransomware attacks, which by nature have a shorter "dwell time," are growing more common and efficient, shrinking the average time frame for all attacks.

In their 2021 M-Trends threat report, Mandiant researchers note the global median dwell time, or the number of days an attacker is in an environment before detection, has fallen to 24 days. While median dwell time has consistently dropped from 416 days in 2011, this year's number marks a notable drop, says Steven Stone, senior director of advanced practices at Mandiant.

"Half the dwell time went away compared to last year," he notes. The 2020 M-Trends report found a global median dwell time of 56 days, making this year's number "a significant drop."

This decline could be explained by several factors, including continued improvement in threat detection capabilities, new policies, and higher security budgets. However, the attack landscape plays a critical role. As dwell time dropped last year, the number of ransomware cases rose: Twenty-five percent of Mandiant investigations involved ransomware, a sharp increase from 14% in 2019.

Credit: zephyr_p via Adobe Stock

A breakdown of dwell time by attack type is more telling. The median dwell time for non-ransomware investigations was 45 days; for ransomware investigations, it was only five. These metrics combined brought the global median dwell time down to its new low of 24 days.

As researchers see more ransomware, they expect dwell time to continue shrinking. After all, the attackers deploying ransomware don't want to remain hidden for very long.

"We're seeing ransomware intrusions … move to ransomware much, much quicker than we have in previous years," Stone points out. "We think that's clearly a contributing factor."

In the past, ransomware operators would try to get into a target environment and typically spend more time trying to understand it before deploying ransomware at the end. Now they move quickly through the attack cycle. Many have adopted the technique of "multifaceted extortion," in which they also threaten to publish stolen data if the ransom isn't paid in time.

It seems attackers are growing more comfortable with ransomware compared with other forms of monetization. This, combined with increasingly higher payouts, is bad news for defenders. Today's ransomware operators are growing more comfortable with negotiating higher sums.

"We talk about intrusion like it's a machine, but it's ultimately people, and people tend to do what they're most comfortable with," Stone explains. "They need a mechanism to monetize the intrusion, and as they're learning more and more about how to do that with ransomware year over year, they're getting more comfortable in that space."

What Else Is In Attackers' Toolkits?
Of course, ransomware isn't the only threat Mandiant researchers investigated last year. Their responses to a range of security intrusions yielded several observations, including a preference for exploits (29%) over phishing attacks (23%) as an initial infection vector. Other common vectors included stolen credentials or brute force (19%) along with prior compromise (12%).

"It definitely sticks out to us," Stone says of the rise in exploits. "If anything, we're seeing that trend accelerate currently." Researchers are already two full quarters into what will be the next M-Trends report, "and we're actually seeing more exploits than we did when we wrote this report."

There was a time when exploits were dominant, he explains, but they began to trend down as phishing attacks grew. Now "they're back with a vengeance," he says. While researchers aren't sure what's driving the trend, Stone notes that exploit usage is different than it was in the past. More exploits are continuously dropping, and there are more groups taking advantage of them.

"In the past we would typically see an exploit targeted by one high-end group … now you'll see an exploit, and you'll see a range of groups in a very quick time frame either using that or converting that once it goes public," he adds.

The presence of offensive security tools in attackers' arsenals was another dominant trend. Beacon, a backdoor commercially available as part of the Cobalt Strike platform, was seen in 24% of incidents. Empire, a publicly available PowerShell post-exploitation framework, was seen in 8%. Rounding out the top five were Maze ransomware (5%), Netwalker ransomware (4%), and the Metasploit pen-testing platform (3%).

When they aren't using publicly available tools, attackers are relying on privately developed ones: Seventy-eight percent of malware families used in attacks were private; the rest =were public. The trend is consistent across the most advanced groups and lesser-skilled attackers, Stone explains. Many of these tools are easy to use, lowering the cost of entry and empowering attackers.

"We're seeing a number of lower-level skillset groups deploy custom malware along with these public tools," he says. "That makes incident response very challenging, and I think organizations need to be prepared for that."

One of the groups using Cobalt Strike Beacon is UNC2452, the name Mandiant has given to the group behind the supply chain attack that involved an implant in SolarWinds' Orion platform. This is "arguably the most advanced group we've ever dealt with," Stone says, and the fact it's deploying Beacon is very concerning.

While organizations face new threats, the process of preparing for these types of attacks hasn't changed, he continues.

"Be prepared for an intrusion. Be prepared to make smart decisions based on the actual threats you're seeing," says Stone. 

An attack from a group like UNC2452 and a ransomware attack are very different intrusions, he says, and organizations must respond and remediate differently. They have to be able to make the right call for a particular threat, versus a "one-size-fits-all" approach.