Global Attacker Dwell Time Drops to Just 24 Days

Organizations are spotting attackers inside their networks faster than ever before, although the figure for “dwell time” may have been influenced by a surge in ransomware attacks, according to Mandiant.

The FireEye-owned forensic specialist’s M-Trends 2021 report was compiled from investigations of targeted attack activity between October 1, 2019 and September 30, 2020.

It revealed that 59% of organizations detected attackers within their own environments over the period, a 12-percentage point increase on the previous year.

The speed at which they did so also increased: dwell time for attackers inside corporate networks fell below a month for the first time in the report’s history, with the median global figure now at 24 days.

This is in stark contrast to the 416 days it took firms when the report was first published in 2011. It’s also more than twice as fast as the previous year (56 days), and shows that detection and response is moving in the right direction.

For incidents notified to firms externally, the figure was slightly higher (73 days) and for internally detected attacks it was lower (12 days).

In the Americas, dwell time dropped from 60 days in 2019 to just 17 days last year, while in APAC (76 days) and EMEA (66 days) the figure increased slightly.

However, a major contributing factor to the global reduction in dwell time may be the proliferation of ransomware attacks, which usually take place over a shorter time frame than traditional cyber-espionage or data theft operations.

“A major factor contributing to the increased proportion of incidents with dwell times of 30 days or fewer is the continued surge in the proportion of investigations that involved ransomware, which rose to 25% in 2020 from 14% in 2019,” the report noted.

“Of these ransomware intrusions, 78% had dwell times of 30 days or fewer compared to 44% of non-ransomware intrusions.”

Mandiant explained that ransomware actors are using an increasingly wide range of tactics to force payment from their victims. These include data theft and exposure on “name and shame” websites, harassment of employees and business partners, persuading journalists to write stories about affected companies and even launching denial of service attacks.

Leave a Reply