- Global cyberattacks were discovered faster over the past year, driven largely by a rise in ransomware and greater use of third-party cybersecurity firms in Europe and the Asia-Pacific region, according to Mandiant’s 2022 M-Trends report.
- The global median dwell time, which measures the number of days a cyberattack goes undetected, fell to 21 days last year, down from 24 days in 2020, Mandiant found. The decrease was driven mainly by reductions in the Asia-Pacific region, where median dwell time dropped sharply to 21 days from 76 days. Dwell times fell in Europe, the Middle East and Africa (EMEA) declined to 48 days versus 66. In those regions, third-party sources detected the majority of cyberattacks, reversing a previous trend.
- In the Americas region, median dwell times remained flat at 17 days, and 60% of intrusions were caught directly by company security teams, instead of outside firms or other sources.
A reduction in dwell time is important, because the longer a threat actor is undetected inside a corporate or government network, the more time they have to move laterally within the system, steal proprietary data, compromise credentials and access emails.
The reduced dwell times are being aided by a variety of factors, most likely an increased number of companies hiring outside firms to help manage cybersecurity as well as more frequent information sharing between organizations, according to Steven Stone, senior director of adversary operations at Mandiant.
Stone said government agencies are also providing more threat information to organizations, while other external notifications stem from ransomware attacks. Ransomware has a median dwell time of 5 days, compared with 36 days for non-ransomware cyber intrusions.
Another major shift in 2021 was the increased role of vulnerable software and the increasing exploitation of supply chains to find new targets.
Exploits were the leading vector for initial infections during 2021, comprising 37% of identified vectors. This represented an 8% increase compared with the prior year.
Supply chain compromises surged in 2021, representing about 17% of intrusions, compared with only 1% during 2020. The vast majority of compromises stemmed from the SolarWinds attack, which accounted for 86% of intrusions from supply chains.
By contrast, phishing attacks fell by more than half, to 11% from 23% of initial infection vectors.
Stone cautioned both will remain important vectors for future attacks despite the shifting entry points last year.
“Ultimately," he said, "these come down to attacker choices and availability of different vulnerabilities."