Attacker Dwell Times Down, But No Consistent Correlation to Breach Impact: Mandiant
While the median attacker dwell time has declined in recent years, it has no consistent correlation to the effect of a breach
The good news is that median intruder dwell time is down again – down from 24 days in 2020 to 21 days in 2021. The bad news is the figure gives little indication of the true nature of successful intruder activity across the whole security ecosphere.
Dwell time is the length of time between assumed initial intrusion and detection of an intrusion. The usual assumption is that the shorter the dwell time, the less damage can be done. This is not a valid assumption across all intrusions.
The figures come from Mandiant’s M-Trends 2022 report (PDF), which is based on the firm’s breach investigations between October 1, 2020, and December 31, 2021. They show that the median dwell time figure has consistently declined over the last few years: from 205 days in 2014 through 78 (2018), 56 (2019), 24 (2020) to 21 (2021). The problem is that the dwell time has no consistent correlation to the breach effect.
During the same period of rapid decline over the last few years, there has been an equally rapid rise in successful ransomware attacks. The median dwell time for a ransomware attack in the Americas and EMEA is just four days, inevitably dragging down the overall median figure.
At the same time, individual lengthy dwell times have not been eliminated. Eight percent of Mandiant’s investigations revealed dwell times of more than a year and a half, while half of these had dwell times of more than 700 days. Furthermore, 20% of the investigations revealed dwell times between 90 and 300 days.
So, the extent of the decline in the median dwell time figure may have less to do with improving defensive postures than with increasing and successful criminal ransomware attacks.
There is a similar difficulty in interpreting the changes between internal and external breach recognition. Overall, the time taken for external sources to notify a victim that it has been breached has dropped dramatically. “The global median dwell time for incidents which were identified externally dropped from 73 to 28 days,” notes the report.
However, it should be noted that receipt of an extortion note is defined as an ‘external’ notification. The increase in ransomware with a dwell time of just four days in the Americas and EMEA (nine days in APAC) will account for some of that decline in the dwell time of externally notified intrusions without any indication of an improvement in external detection and notification.
“Conversely,” says the report, “incidents which were identified internally saw a lengthening of global median dwell time from 12 to 18 days.” This could imply that attackers are improving their ability to hide faster than defenders are improving their ability to detect.
Nevertheless, from Scott Runnels’ perspective (technical director at Mandiant and a specialist in incident response), the shorter the dwell time, the greater the likelihood of finding attacker artifacts that can assist in the response. “As the dwell time increases,” he told SecurityWeek, “we start to have gaps in the data we can analyze. Some of the more critical data falls out of the records. The shorter the dwell time, the more we can learn about the attacker.”
Overall, Mandiant detected a 2% decrease in ransomware incidents. This comprised an increase in APAC, but a larger decrease in the Americas. Mandiant suggests the decrease may have been caused by “an increase in law enforcement action taken against financially motivated actors leading to arrests, takedown of servers and seizure of extorted funds.” It does not, however, see this as necessarily a permanent decline in the ransomware threat, adding, “With low risks and barrier to entry and high rewards, we see this as an ongoing threat posing a risk to every organization.”
The primary initial infection vector across all Mandiant’s investigations is an exploit, at 37% (eight points higher than in 2020). Supply chain compromises were the second most frequent at 17% (up from less than 1% in 2020). Eighty-six percent of the supply chain breaches were related to SolarWinds and SUNBURST.
A further 14% of intrusions involved an initial infection vector related to a prior compromise, including handoffs from one group to another. One positive finding, however, is that there were far fewer intrusions related to phishing (down from 23% in 2020 to just 11% in 2021). “This speaks to organizations’ ability to better detect and block phishing emails as well as enhanced security training of employees to recognize and report phishing attempts,” says Mandiant.
“Twenty-five percent of targeted environments had more than one distinct threat group in residence,” Runnels told SecurityWeek. “This is down four points from last year, but still within an increasing trend line. This could be a mix of groups working in concert: group A gains access and then sells that access to group B, which is something we often see with FIN12.”
But Mandiant also sees high value targets being compromised by multiple groups. “This usually happens when new vulnerabilities are published, and the rush to patch is often outpaced by the criminal rush to identify and subsequently compromise,” he continued. “We saw this with Log4j, and ProxyShell — and I expect we shall continue to see this so long as this patch/exploit cadence between defenders and attackers continues.” He noted that it is not uncommon for Mandiant to be brought in to investigate a very noisy coin miner whose presence may be detected by the security team, only to find another more stealthy actor also in residence.
The report notes that Mandiant is monitoring 1,100 new activity clusters this year. This should not be confused with 1,100 new threat groups, even though the firm is monitoring more threat groups (and more malware) than last year. An activity cluster is just an indication of malicious activity that cannot yet be associated with any known group. “As these clusters start to strengthen and grow,” said Runnels, “it is not uncommon to recognize overlaps that might indicate they may be the same new group or an existing group.”
Until Mandiant has enough information to say with 100% certainty that this cluster and this cluster are caused by the same actor, it doesn’t make any assumptions. “Our intel team is very hesitant to ever walk back an attribution, so a lot of new activity is just described as a cluster. But it could be an existing group that has changed the TTPs that it uses.”
He used China as an example. “China went quiet for a couple of years and then re-emerged with what looks like maybe a reorganization or simply new tools and techniques — but some of those tools are suggesting there may be a new centralized quartermaster. So, it’s difficult to say there are more groups or just more new clusters of activity because perhaps the old actor landed in a different environment and had to use new or different techniques.”
The TTPs used by attackers bring us to MITRE. “We have started to tie our findings of an attack to the MITRE framework,” said Runnels. “Whenever I see a draft of inference, I go to that section of MITRE that breaks down the techniques. The ten most frequent techniques should serve as a defender and investigator prioritization list.” He doesn’t see this as sufficient for a comprehensive defense and investigation, but as an important part of the process.
“Defenders ought to ensure they have visibility into the artifacts that will be produced by those techniques. For example, we report that just shy of 45% of incidents that Mandiant investigated leveraged command and script interpreters — the most common being PowerShell.”
This probably won’t surprise any experienced defender or investigator, but Runnels says, “It should raise questions about your environment and your security stance. Do I have the visibility into those artifacts, and how long do I retain those artifacts? A good example is if a PowerShell script gets executed on an endpoint, do I log the execution of that, and do I log the content of the script? Do I protect the log from being deleted by attackers? Do we have an EDR solution that supports this — that’s very important data for security and support teams, and investigators.”
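The visibility and retention questions above can be checked directly on a Windows host. The script below is an added example, not taken from the M-Trends report or the original article; it assumes Windows PowerShell 5.1 or later, an elevated session, and logging configured through the standard Group Policy registry keys.

```powershell
# Added example: read-only audit of PowerShell logging visibility and retention on one host.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$logName    = 'Microsoft-Windows-PowerShell/Operational'

function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    $item = Get-ItemProperty -Path (Join-Path $policyRoot $SubKey) -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }    # key or value absent: policy not configured
    return $item.$Name
}

# Is execution logged, and is the content of the script logged?
$scriptBlock   = Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging'  # script content, event ID 4104
$moduleLogging = Get-PolicyValue 'ModuleLogging' 'EnableModuleLogging'            # pipeline execution, event ID 4103
$transcription = Get-PolicyValue 'Transcription' 'EnableTranscripting'
$transcriptDir = Get-PolicyValue 'Transcription' 'OutputDirectory'

# How far back does the local log reach, and how is it sized?
$log    = Get-WinEvent -ListLog $logName
$oldest = Get-WinEvent -LogName $logName -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
$days   = if ($oldest) { [math]::Round(((Get-Date) - $oldest.TimeCreated).TotalDays, 1) } else { $null }

# Has a log been cleared? System event ID 104 records clearing of logs other than Security.
$clears = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 104 } -MaxEvents 5 -ErrorAction SilentlyContinue)

$report = [pscustomobject]@{
    ScriptBlockLogging  = ($scriptBlock -eq 1)
    ModuleLogging       = ($moduleLogging -eq 1)
    Transcription       = ($transcription -eq 1)
    TranscriptDirectory = $transcriptDir
    LogEnabled          = $log.IsEnabled
    LogMode             = $log.LogMode              # Circular: oldest events are overwritten when full
    MaxSizeMB           = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
    OldestEventAgeDays  = $days                     # effective local retention at this moment
    RecentLogClears     = $clears.Count
}
$report | Format-List

# Summarize the gaps an investigator would hit on this host.
$gaps = @()
if (-not $report.ScriptBlockLogging) { $gaps += 'Script content is not logged (no event ID 4104).' }
if (-not $report.ModuleLogging)      { $gaps += 'Pipeline execution is not logged (no event ID 4103).' }
if (-not $report.LogEnabled)         { $gaps += "$logName is disabled." }
if ($report.RecentLogClears -gt 0)   { $gaps += 'At least one event log has been cleared; review System event ID 104.' }
if ($gaps.Count -eq 0) { 'No logging gaps found by these checks.' } else { $gaps }
```

The age of the oldest event is only a point-in-time measure of local retention: a circular log overwrites its oldest records once it is full, and a cleared log loses them all at once. Events forwarded to a central collector are the copy that survives either case.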
The MITRE framework is now bolstered by the results of Mandiant’s intrusion investigations – and they’re all laid out in the 2022 M-Trends Report.
“Several trends from previous years continued into 2021,” concludes Sandra Joyce, EVP at Mandiant Intelligence. “Mandiant encountered more threat groups than any previous period, to include newly discovered groups. In a parallel trend, in this period we began tracking more new malware families than ever before. Overall, this speaks to a threat landscape that continues to trend upward in volume and threat diversity. We also continue to witness financial gain be a primary motivation for observed attackers, as case studies this year on FIN12 and FIN13 highlight. If we pivot to the defender perspective, we see several improvements despite an incredibly challenging threat landscape.”
Editor’s Note: M-Trends is one of a few reports that SecurityWeek considers required reading, as the data is compiled from actual incidents, not vendor surveys using questions crafted to skew results in favor of selling something. In other words, this is real-world data with details discovered during the process of investigating incidents across hundreds of clients, many from high profile organizations.