
Threat Intelligence

4/13/2021 04:50 PM

Global Dwell Time Drops as Ransomware Attacks Accelerate

The length of time attackers remain undiscovered in a target network has fallen to 24 days, researchers report, but ransomware plays a role.

Attackers are spending less time inside target networks, researchers report, but the seemingly positive trend hides a concerning development: Ransomware attacks, which by nature have a shorter "dwell time," are growing more common and efficient, shrinking the average time frame for all attacks.


In their 2021 M-Trends threat report, Mandiant researchers note the global median dwell time, or the number of days an attacker is in an environment before detection, has fallen to 24 days. While median dwell time has consistently dropped from 416 days in 2011, this year's number marks a notable drop, says Steven Stone, senior director of advanced practices at Mandiant.

"Half the dwell time went away compared to last year," he notes. The 2020 M-Trends report found a global median dwell time of 56 days, making this year's number "a significant drop."

This decline could be explained by several factors, including continued improvement in threat detection capabilities, new policies, and higher security budgets. However, the attack landscape plays a critical role. As dwell time dropped last year, the number of ransomware cases rose: Twenty-five percent of Mandiant investigations involved ransomware, a sharp increase from 14% in 2019.

Credit: zephyr_p via Adobe Stock

A breakdown of dwell time by attack type is more telling. The median dwell time for non-ransomware investigations was 45 days; for ransomware investigations, it was only five. These metrics combined brought the global median dwell time down to its new low of 24 days.
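The article's headline figures (a global median pulled down by a fast-moving ransomware subset) are easy to reproduce from a case log. The script below is an added example, not code from Mandiant or Dark Reading, that computes median dwell time (days from first attacker activity to detection) per category and globally, together with the ransomware share of cases; the `Incident` class and every record in `SAMPLE_CASES` are constructed here, not taken from the M-Trends data.

```python
# Added example (not Mandiant's or Dark Reading's code): compute the dwell-time
# metrics the article cites from incident records, globally and per attack
# category. All incident records below are constructed sample data.
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, Iterable, List, Optional

@dataclass(frozen=True)
class Incident:
    case_id: str
    category: str         # e.g. "ransomware" or "other"
    first_activity: date  # earliest evidence of attacker activity
    detected: date        # when the intrusion was discovered

    def dwell_days(self) -> int:
        """Dwell time: days the attacker was present before detection."""
        days = (self.detected - self.first_activity).days
        if days < 0:
            raise ValueError(f"{self.case_id}: detection precedes first activity")
        return days

def median_dwell(incidents: Iterable[Incident],
                 category: Optional[str] = None) -> Optional[float]:
    """Median dwell time, optionally restricted to one category."""
    days = [i.dwell_days() for i in incidents
            if category is None or i.category == category]
    return median(days) if days else None

def summarize(incidents: List[Incident]) -> Dict[str, Optional[float]]:
    """Global median, one median per category, and the ransomware share."""
    summary: Dict[str, Optional[float]] = {"global": median_dwell(incidents)}
    for cat in sorted({i.category for i in incidents}):
        summary[cat] = median_dwell(incidents, cat)
    ransom = sum(i.category == "ransomware" for i in incidents)
    summary["ransomware_share"] = ransom / len(incidents) if incidents else None
    return summary

# Constructed sample caseload: five non-ransomware and three ransomware cases.
SAMPLE_CASES = [
    Incident("C1", "other", date(2020, 1, 10), date(2020, 2, 24)),         # 45 days
    Incident("C2", "other", date(2020, 3, 1), date(2020, 3, 13)),          # 12 days
    Incident("C3", "other", date(2020, 4, 1), date(2020, 5, 1)),           # 30 days
    Incident("C4", "other", date(2020, 6, 1), date(2020, 8, 10)),          # 70 days
    Incident("C5", "other", date(2020, 1, 1), date(2020, 7, 19)),          # 200 days
    Incident("R1", "ransomware", date(2020, 9, 1), date(2020, 9, 4)),      # 3 days
    Incident("R2", "ransomware", date(2020, 10, 10), date(2020, 10, 15)),  # 5 days
    Incident("R3", "ransomware", date(2020, 11, 20), date(2020, 11, 29)),  # 9 days
]
```

With this sample the "other" median is 45 days and the ransomware median 5, while the combined median falls to 21 days; swapping in your own case records shows how much of a year-over-year drop is detection improvement versus a shift in the caseload mix.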

As researchers see more ransomware, they expect dwell time to continue shrinking. After all, the attackers deploying ransomware don't want to remain hidden for very long.

"We're seeing ransomware intrusions … move to ransomware much, much quicker than we have in previous years," Stone points out. "We think that's clearly a contributing factor."

In the past, ransomware operators would try to get into a target environment and typically spend more time trying to understand it before deploying ransomware at the end. Now they move quickly through the attack cycle. Many have adopted the technique of "multifaceted extortion," in which they also threaten to publish stolen data if the ransom isn't paid in time.

It seems attackers are growing more comfortable with ransomware compared with other forms of monetization. This, combined with increasingly higher payouts, is bad news for defenders. Today's ransomware operators are growing more comfortable with negotiating higher sums.

"We talk about intrusion like it's a machine, but it's ultimately people, and people tend to do what they're most comfortable with," Stone explains. "They need a mechanism to monetize the intrusion, and as they're learning more and more about how to do that with ransomware year over year, they're getting more comfortable in that space."

What Else Is In Attackers' Toolkits?
Of course, ransomware isn't the only threat Mandiant researchers investigated last year. Their responses to a range of security intrusions yielded several observations, including a preference for exploits (29%) over phishing attacks (23%) as an initial infection vector. Other common vectors included stolen credentials or brute force (19%) along with prior compromise (12%).

"It definitely sticks out to us," Stone says of the rise in exploits. "If anything, we're seeing that trend accelerate currently." Researchers are already two full quarters into what will be the next M-Trends report, "and we're actually seeing more exploits than we did when we wrote this report."

There was a time when exploits were dominant, he explains, but they began to trend down as phishing attacks grew. Now "they're back with a vengeance," he says. While researchers aren't sure what's driving the trend, Stone notes that exploit usage is different than it was in the past. More exploits are continuously dropping, and there are more groups taking advantage of them.

"In the past we would typically see an exploit targeted by one high-end group … now you'll see an exploit, and you'll see a range of groups in a very quick time frame either using that or converting that once it goes public," he adds.

The presence of offensive security tools in attackers' arsenals was another dominant trend. Beacon, a backdoor commercially available as part of the Cobalt Strike platform, was seen in 24% of incidents. Empire, a publicly available PowerShell post-exploitation framework, was seen in 8%. Rounding out the top five were Maze ransomware (5%), Netwalker ransomware (4%), and the Metasploit pen-testing platform (3%).

When they aren't using publicly available tools, attackers are relying on privately developed ones: Seventy-eight percent of malware families used in attacks were private; the rest were public. The trend is consistent across the most advanced groups and lesser-skilled attackers, Stone explains. Many of these tools are easy to use, lowering the cost of entry and empowering attackers.

"We're seeing a number of lower-level skillset groups deploy custom malware along with these public tools," he says. "That makes incident response very challenging, and I think organizations need to be prepared for that."

One of the groups using Cobalt Strike Beacon is UNC2452, the name Mandiant has given to the group behind the supply chain attack that involved an implant in SolarWinds' Orion platform. This is "arguably the most advanced group we've ever dealt with," Stone says, and the fact it's deploying Beacon is very concerning.

While organizations face new threats, the process of preparing for these types of attacks hasn't changed, he continues.

"Be prepared for an intrusion. Be prepared to make smart decisions based on the actual threats you're seeing," says Stone.

An attack from a group like UNC2452 and a ransomware attack are very different intrusions, he says, and organizations must respond and remediate differently. They have to be able to make the right call for a particular threat, versus a "one-size-fits-all" approach.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
charles@v2cloud.com
4/15/2021 | 11:31:12 AM
Ransomware protection
Really good article. These trends are scary, as they show the ransomware groups are very well organized. The first line of defense is also to be well organized and have response scenarios ready, as well as to educate your employees on security. Education, preparation and knowledge of these attacks can go a long way. Businesses need to segregate their network and be able to identify threats rapidly, as attackers are moving even faster. For businesses that can't or don't want to spend much on security, there is still hope, as cloud service providers offer great protection and can mitigate the risks/impact of a ransomware attack to avoid any substantial interruption. An up-to-date and constantly monitored cloud infrastructure with secure and reliable backups can protect you.

Disclaimer: I work for V2 Cloud