
Threat Intelligence

4/13/2021
04:50 PM

Global Dwell Time Drops as Ransomware Attacks Accelerate

The length of time attackers remain undiscovered in a target network has fallen to 24 days, researchers report, but ransomware plays a role.

Attackers are spending less time inside target networks, researchers report, but the seemingly positive trend hides a concerning development: Ransomware attacks, which by nature have a shorter "dwell time," are growing more common and efficient, shrinking the average time frame for all attacks.


In their 2021 M-Trends threat report, Mandiant researchers note the global median dwell time, or the number of days an attacker is in an environment before detection, has fallen to 24 days. While median dwell time has consistently dropped from 416 days in 2011, this year's number marks a notable drop, says Steven Stone, senior director of advanced practices at Mandiant.

"Half the dwell time went away compared to last year," he notes. The 2020 M-Trends report found a global median dwell time of 56 days, making this year's number "a significant drop."

This decline could be explained by several factors, including continued improvement in threat detection capabilities, new policies, and higher security budgets. However, the attack landscape plays a critical role. As dwell time dropped last year, the number of ransomware cases rose: Twenty-five percent of Mandiant investigations involved ransomware, a sharp increase from 14% in 2019.

Credit: zephyr_p via Adobe Stock

A breakdown of dwell time by attack type is more telling. The median dwell time for non-ransomware investigations was 45 days; for ransomware investigations, it was only five. These metrics combined brought the global median dwell time down to its new low of 24 days.
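The 45-day, five-day and 24-day figures above are one pooled median, not an average of the two category medians; what pulls the pooled number down is the share of the caseload that is ransomware. The Python below is an added example, not code from Dark Reading or Mandiant: it runs on a constructed set of incident records (not real M-Trends data), computes the per-category and pooled medians, and then shows what the pooled median would be if the ransomware share of investigations were different while each category kept its own dwell-time distribution.

```python
from collections import defaultdict
from fractions import Fraction
from statistics import median

# Constructed sample of incident records (not Mandiant's data): each entry is
# (investigation category, dwell time in days from first compromise to detection).
SAMPLE_CASES = [
    ("non-ransomware", 10), ("non-ransomware", 15), ("non-ransomware", 20),
    ("non-ransomware", 30), ("non-ransomware", 40), ("non-ransomware", 44),
    ("non-ransomware", 46), ("non-ransomware", 60), ("non-ransomware", 80),
    ("non-ransomware", 120), ("non-ransomware", 200), ("non-ransomware", 400),
    ("ransomware", 2), ("ransomware", 4), ("ransomware", 6), ("ransomware", 8),
]


def days_for(cases, category):
    """Dwell times (in days) of every case in the given category."""
    return [days for cat, days in cases if cat == category]


def dwell_time_summary(cases):
    """Median dwell time per category, the pooled (global) median, and the
    fraction of cases that were ransomware investigations."""
    by_category = defaultdict(list)
    for category, days in cases:
        by_category[category].append(days)
    summary = {category: median(days) for category, days in by_category.items()}
    summary["global"] = median(days for _, days in cases)
    summary["ransomware_share"] = len(by_category["ransomware"]) / len(cases)
    return summary


def global_median_for_share(non_rw_days, rw_days, rw_share):
    """Pooled median if ransomware made up `rw_share` of all investigations.

    Each category keeps its own dwell-time distribution; only the mix changes.
    Implemented as an exact weighted median: every non-ransomware case carries
    weight (1 - share) / n_non_rw, every ransomware case share / n_rw, and the
    median is the value at which cumulative weight passes one half. Fractions
    avoid float rounding at exactly one half, and when the cut lands exactly
    between two values their mean is returned, so a share of 0 or 1 reproduces
    the plain category median from statistics.median.
    """
    share = Fraction(rw_share)
    weighted = [(d, (1 - share) / len(non_rw_days)) for d in non_rw_days]
    weighted += [(d, share / len(rw_days)) for d in rw_days]
    # Drop zero-weight cases so "the next value" is always a real contributor.
    weighted = sorted((d, w) for d, w in weighted if w > 0)
    half = Fraction(1, 2)
    cumulative = Fraction(0)
    for i, (days, weight) in enumerate(weighted):
        cumulative += weight
        if cumulative > half:
            return float(days)
        if cumulative == half:
            return float(Fraction(days + weighted[i + 1][0], 2))
    raise ValueError("weights must sum to 1")


if __name__ == "__main__":
    print(dwell_time_summary(SAMPLE_CASES))
    non_rw = days_for(SAMPLE_CASES, "non-ransomware")
    rw = days_for(SAMPLE_CASES, "ransomware")
    for share in (0, 0.25, 0.5, 1):
        print(f"ransomware share {share:.0%}: pooled median "
              f"{global_median_for_share(non_rw, rw, share)} days")
```

On the constructed sample the category medians are 45 and 5 days and the pooled median is 35 days at a 25% ransomware share; raising the share to 50% drops the pooled median to 9 days without a single non-ransomware intrusion being found any faster. That is the reason the article separates the two categories: a falling global median is only good news once it is checked against the caseload mix.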

As researchers see more ransomware, they expect dwell time to continue shrinking. After all, the attackers deploying ransomware don't want to remain hidden for very long.

"We're seeing ransomware intrusions … move to ransomware much, much quicker than we have in previous years," Stone points out. "We think that's clearly a contributing factor."

In the past, ransomware operators would try to get into a target environment and typically spend more time trying to understand it before deploying ransomware at the end. Now they move quickly through the attack cycle. Many have adopted the technique of "multifaceted extortion," in which they also threaten to publish stolen data if the ransom isn't paid in time.

It seems attackers are growing more comfortable with ransomware compared with other forms of monetization. This, combined with ever-higher payouts, is bad news for defenders: today's ransomware operators are also growing more comfortable negotiating for larger sums.

"We talk about intrusion like it's a machine, but it's ultimately people, and people tend to do what they're most comfortable with," Stone explains. "They need a mechanism to monetize the intrusion, and as they're learning more and more about how to do that with ransomware year over year, they're getting more comfortable in that space."

What Else Is In Attackers' Toolkits?
Of course, ransomware isn't the only threat Mandiant researchers investigated last year. Their responses to a range of security intrusions yielded several observations, including a preference for exploits (29%) over phishing attacks (23%) as an initial infection vector. Other common vectors included stolen credentials or brute force (19%) along with prior compromise (12%).

"It definitely sticks out to us," Stone says of the rise in exploits. "If anything, we're seeing that trend accelerate currently." Researchers are already two full quarters into what will be the next M-Trends report, "and we're actually seeing more exploits than we did when we wrote this report."

There was a time when exploits were dominant, he explains, but they began to trend down as phishing attacks grew. Now "they're back with a vengeance," he says. While researchers aren't sure what's driving the trend, Stone notes that exploit usage is different from what it was in the past: new exploits are being released continuously, and more groups are taking advantage of them.

"In the past we would typically see an exploit targeted by one high-end group … now you'll see an exploit, and you'll see a range of groups in a very quick time frame either using that or converting that once it goes public," he adds.

The presence of offensive security tools in attackers' arsenals was another dominant trend. Beacon, a backdoor commercially available as part of the Cobalt Strike platform, was seen in 24% of incidents. Empire, a publicly available PowerShell post-exploitation framework, was seen in 8%. Rounding out the top five were Maze ransomware (5%), Netwalker ransomware (4%), and the Metasploit pen-testing platform (3%).

When they aren't using publicly available tools, attackers are relying on privately developed ones: Seventy-eight percent of malware families used in attacks were private; the rest were public. The trend is consistent across the most advanced groups and lesser-skilled attackers, Stone explains. Many of these tools are easy to use, lowering the cost of entry and empowering attackers.

"We're seeing a number of lower-level skillset groups deploy custom malware along with these public tools," he says. "That makes incident response very challenging, and I think organizations need to be prepared for that."

One of the groups using Cobalt Strike Beacon is UNC2452, the name Mandiant has given to the group behind the supply chain attack that involved an implant in SolarWinds' Orion platform. This is "arguably the most advanced group we've ever dealt with," Stone says, and the fact it's deploying Beacon is very concerning.

While organizations face new threats, the process of preparing for these types of attacks hasn't changed, he continues.

"Be prepared for an intrusion. Be prepared to make smart decisions based on the actual threats you're seeing," says Stone.

An attack from a group like UNC2452 and a ransomware attack are very different intrusions, he says, and organizations must respond and remediate differently. They have to be able to make the right call for a particular threat, versus a "one-size-fits-all" approach.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
charles@v2cloud.com
User Rank: Apprentice
4/15/2021 | 11:31:12 AM
Ransomware protection
Really good article. These trends are scary, as they show the ransomware groups are very well organized. The first line of defense is also to be well organized and have response scenarios ready, as well as to educate your employees on security. Education, preparation, and knowledge of these attacks can go a long way. Businesses need to segregate their network and be able to identify threats rapidly, as attackers are moving even faster. For businesses that can't or don't want to spend much on security, there is still hope, as cloud service providers offer great protection and can mitigate the risks/impact of a ransomware attack to avoid any substantial interruption. An up-to-date and constantly monitored cloud infrastructure with secure and reliable backups can protect you.

Disclaimer: I work for V2 Cloud