FireEye 2019 Mandiant M-Trends Report Finds Organizations Across the Globe Are Faster to Identify Attacker Activity Compared to Previous Year
Report also uncovers evolving threat actor behavior along with hidden cyber risks during mergers & acquisitions
Key findings include:
- Dwell time decreasing as organizations improve detection capabilities – In 2017, the median duration between the start of an intrusion and the identification by an internal team was 57.5 days. In 2018 this duration decreased to 50.5 days. While organizations are getting better and faster at discovering breaches internally, rather than being notified by an outside source such as law enforcement, there is also a rise in disruptive, ransom, or otherwise immediately visible attacks. The global median dwell time before any detection – external or internal – has also decreased by almost one month – going from 101 days in 2017 to 78 days in 2018. The same measurement was as high as 416 days back in 2011.
- Nation-state threat actors are continuing to evolve and change – Through ongoing tracking of threat actors from North Korea, Russia, China, Iran, and other countries, FireEye has observed these actors continually enhancing their capabilities and changing their targets in alignment with their political and economic agendas. Significant investments have provided these actors with more sophisticated tactics, tools, and procedures, with some becoming more aggressive, and others better at hiding and staying persistent for longer periods of time.
- Attackers are becoming increasingly persistent – FireEye data provides evidence that organizations which have been victims of a targeted compromise are likely to be targeted again. Global data from 2018 found that 64 percent of all FireEye managed detection and response customers who were previously Mandiant incident response clients were targeted again in the past 19 months by the same or similarly motivated attack group, up from 56 percent in 2017.
- Many attack vectors used to get to targets, including M&A activity – Attacker activity touches countries across the globe. Among them, FireEye observed an increase in compromises through phishing attacks during mergers & acquisitions (M&A) activity. Attackers are also targeting data in the cloud, including cloud providers, telecoms, and other service providers, in addition to re-targeting past victim organizations.
A full copy of the 10th annual Mandiant M-Trends report is available for download at: https://www.fireeye.com/current-threats/annual-threat-report/mtrends.html.