Global median dwell time was down, but the number of active hacker groups was up. The tug of war rages on…

As retrospective reports on 2019 cyberactivity are released, the picture of cumulative trends and hacker agenda becomes clearer.

For example, in 2019:

  • Organisations found and contained attacks faster
    The global median dwell time, defined as the time between the start of an intrusion and its identification, was 56 days. This is 28% lower than the 78-day median from 2018. Experts from FireEye Mandiant attribute this trend to organisations maturing their detection programs, as well as to changes in attacker behaviour patterns.
Fig. 1: Median dwell time
  • Hundreds of new malware families were identified
    New reports detail how, of all the malware families observed over the years, 41% had never been seen before 2019. Furthermore, 70% of the samples identified belonged to one of the five most frequently seen families, which are based on open source tools under active development. These points demonstrate that not only are malware authors innovating; cybercriminals are also outsourcing tasks to monetise operations faster.
Fig. 2: 41% of the malware families observed over the years were first seen in 2019
Fig. 3: Over 70% of the malware variants belonged to just five malware families
  • Increased monetisation means more ransomware attacks
    Of the attacks that FireEye Mandiant professionals responded to, the largest share (29%) were likely motivated by direct financial gain. This included extortion, ransom, card theft, and illicit transfers. The second most common (22%) was data theft, likely in support of intellectual property theft or espionage end goals.

Overall, reports from FireEye Mandiant now indicate a 12% year-over-year decrease in the proportion of compromises detected internally. This comes after a steady increase in internal detections since 2011.

Thought-provoking conclusions

The report findings indicate that, while the threat landscape is evolving, new is not replacing old. Although we have observed new malware families, many of these attackers are the usual suspects we have seen over the years, using familiar attack techniques with malware based on a handful of known malware families. And these threats and activities never stop. There are more active groups now than ever before, with significant advanced persistent threat (APT) and financially motivated (FIN) group activity. These groups use a combination of custom intrusion tools and publicly available tools, typically in the same parts of the attacker lifecycle.

While targeted industries and overall motivations have remained consistent, we are seeing a marked expansion of threat actor goals, including new ways to monetise intrusions and overall diversification in threat activity. This requires incident responders to be prepared for more scenarios, both familiar and unfamiliar.

Perhaps most important is the good news: attacks are being detected and responded to more quickly. The global median dwell time for 2019 was 56 days, less than two months! Also of note: more victims were notified by an outside party, reversing a four-year trend in which more organisations were identifying compromises on their own.

Many of the statistics in the report show that both the industry and individual organisations are getting better at cybersecurity, but there is no single reason why. Perhaps more vendors and greater awareness are leading to better visibility across the security spectrum. Or are organisations simply investing more in their cybersecurity programs?