The global median dwell time is the number of days an attacker is present in a computing environment before being detected. Over the past decade it has fallen sharply, from just over one year (416 days) in 2011 to just under one month (24 days) in 2020.
According to the annual M-Trends report published by FireEye Mandiant Services, organizations are beginning to find and contain adversaries faster than in previous years.
At first sight this reduction in dwell time is good news, but all is not quite what it seems. While part of the reduction may reflect better visibility and response, it also reflects a change in the threat landscape: the rise of ransomware has helped drive down the time between initial infection and identification.
Figures to dwell upon
The more ransomware is deployed, the more median dwell times will shrink. Attackers deploying ransomware have no interest in remaining hidden for long: the attack announces itself when the encryptor runs, and the sooner it is revealed, the sooner the attackers have the opportunity to collect. A short dwell time in such cases is a property of the attack, not evidence that it was caught early.
The way ransomware attacks are conducted has changed since 2019. Previously, risk managers weighing the impact of ransomware on an organization would have expected malware to encrypt files, making them inaccessible to legitimate users and ultimately causing significant disruption. The best protection against such attacks would have been solid offline backups.
But ransomware has evolved. Mandiant calls this new iteration of ransomware attacks ‘multifaceted extortion.’ Hackers are not only deploying ransomware encryptors across victims’ environments; they are also using other extortion tactics to coerce victims into complying with their demands.
Typically, the target organization’s files are encrypted and made unavailable, and the attacker demands payment for the decryption tool and key. In a growing number of cases, however, the files are also stolen, and the attacker threatens to publish the sensitive data unless paid. This second lever is far more consequential and gives the attacker more clout: with multifaceted extortion, a service disruption that backups could have absorbed becomes a data breach, with much more serious consequences for the organization.
Hackers are playing a long game
A data breach can bring greater reputational damage, regulatory fines, and class action lawsuits. Some hackers publish stolen data on a leak site, typically on the Tor network, while others use media organizations to amplify their attacks. Some call and harass employees, or notify business partners of the theft, creating friction in relationships and forcing breach disclosures.
Traditional encryption-only ransomware has cost organizations and governments millions of dollars. In response, many organizations limited their exposure to broad-scale encryption by ensuring that their disaster recovery plans, including offline backups, provided some protection. Data theft sidesteps that defense: a backup restores availability, but it cannot recover data that has already left the network.
One new attack area spotted by Mandiant is privileged accounts within Active Directory. Many organizations have delegated permissions to additional groups and accounts throughout the directory, which increases the number of principals that are effectively highly privileged. If an attacker captures valid credentials for, or can otherwise impersonate, any of those accounts, the attacker can move laterally, access data, deploy ransomware to more endpoints, and ultimately cash in. The practical check is to enumerate who effectively holds such rights, including nested group membership and delegated ACLs, and to trim that list to what is actually needed.
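To put that check into practice, the following is an added example, not code from the Mandiant report or from this article. It is a PowerShell audit that lists the effective (nested) membership of the default privileged groups, finds accounts still flagged adminCount=1 that sit outside those groups, and reports non-default principals granted full-control rights on the domain head. It assumes the RSAT ActiveDirectory module on a domain-joined host; the group list and the trustee exclusions are assumptions to adjust for the environment being audited.

```powershell
# Added example (not from the Mandiant report or the article): enumerate who
# effectively holds privileged access in Active Directory so delegated rights
# can be reviewed. Assumes the RSAT ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

# Built-in groups whose members are highly privileged by default (assumed list;
# extend with any organization-specific admin groups).
$privilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'
)

# 1. Effective membership: -Recursive expands nested groups, which is where
#    delegated access usually hides.
$effective = foreach ($g in $privilegedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            Select-Object @{ n = 'Group'; e = { $g } }, Name, SamAccountName, objectClass
    } catch {
        Write-Warning "Could not enumerate '$g': $_"
    }
}
"== Effective members of privileged groups =="
$effective | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# 2. Accounts flagged adminCount=1 that are no longer in any privileged group.
#    They keep the protected-object ACL (AdminSDHolder) and are a common sign of
#    stale delegation that was never cleaned up.
$memberNames = @($effective.SamAccountName | Select-Object -Unique)
"== adminCount=1 users outside the privileged groups =="
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Where-Object { $memberNames -notcontains $_.SamAccountName } |
    Select-Object SamAccountName, DistinguishedName |
    Format-Table -AutoSize

# 3. Principals with GenericAll / WriteDacl / WriteOwner on the domain object.
#    Any of these is equivalent to full control regardless of group membership.
$domainDN = (Get-ADDomain).DistinguishedName
# Trustees expected to hold these rights by default (assumed; adjust per domain).
$defaultTrustees = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS'
)
"== Non-default full-control rights on $domainDN =="
(Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner') -and
        $defaultTrustees -notcontains $_.IdentityReference.Value -and
        $_.IdentityReference.Value -notmatch 'Domain Admins|Enterprise Admins'
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize
```

Run it as a user with read access to the directory; the first two sections need only ordinary domain-user rights, while the ACL read on the domain head works for any authenticated user by default. Each entry that appears in the second or third section is a candidate for removal, because it is privileged access that the group membership review alone would not have shown.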
Small victories in the battle against hackers should be welcomed, but the hackers are playing a longer game and are still winning the war.