A lot has changed over the past ten years. In the past, when it came to putting together a big picture view of cyberattacks, threat vectors, and other key pieces of information vital to the defense of critical networks and information, federal government security teams were largely left to their own devices. Since then, however, several resources are published annually that detail the most important trends in cyberattacks and how they affect various sectors of the economy, including the public sector.
The FireEye M-Trends Report is one of these resources. The recently published 2019 edition shared some important insights based on data gathered by the organization from around the world. A key development noted by the investigators is that governments are no longer downplaying the impact of cyberattacks. Instead, there’s been a large uptick in the number of indictments made by governments, including the U.S. As the report states, this isn’t an operational change, but a move toward greater transparency and awareness.
The report also pointed out that bad actors go where the data is. So as more organizations move their systems and data to the cloud, attacks on those resources — cloud providers, telecoms, and other organizations like government agencies with access to large amounts of data — are increasing as well.
Trend: Detection Time is Down
Significantly, the report shows that organizations worldwide are detecting issues much faster than in years past.
- In 2011, the “median dwell time,” or time from evidence of first compromise to detection, was a depressing 416 days, but in 2018 this number dropped to 78 days. Given that bad actors need only a few days inside a network, that is still a long time. But this improvement over the previous year’s 101-day median is encouraging.
- While this trend reflects progress in technology, it’s also due to an increase in ransomware and cryptominer attacks, which are detected more quickly.
In the Americas, the numbers were even more telling:
- Median dwell time decreased to 71 days from the previous year’s 75.5 days.
- This downward trend stems from growth in threats that include ransomware and business email. The report states that these “tend to have both immediate impact and immediate detection.”
- The investigators also noted that the decrease in dwell time mapped to better internal capabilities and improved visibility across all assets.
Trend: Repeat offenders
The report noted that if an organization had been targeted in the past, it was more likely to be attacked again. Looking at their own customers, the FireEye investigators saw a year-over-year increase in the percentage of “retargeted” organizations, from 56% to 64%.
Trend: APTs Play the Long Game
As it has for 10 years, the M-Trends Report identifies Advanced Persistent Threats (APTs) by bad actors worldwide. This year, the report adds four previously tracked groups to its list of APT and FIN groups. The investigators use APT numbers to identify state actors performing espionage and FIN numbers for cyber-criminals mostly focused on financial assaults. However, the line is not always clean: nation-states may be using economic means to achieve political goals.
One thing these APT threat actors have in common is that they tend to stalk their victims for months or years, as opposed to trying to reap immediate results. They are also likely to stick with a target, looking for ways to dodge removal attempts and revisiting the same organization even if detected. On the commercial side, the report noted that phishing attempts by APT attackers were particularly effective during M&A activity, and the investigators expect email-borne attacks to remain a consistent threat.
Practical Advice for a Strong Defense
The M-Trends Report gives multiple recommendations that agencies can follow to limit their exposure and the effects of any breaches that may occur. Premediation, that is, “proactively implementing common remediation-focused initiatives,” can give agencies and commercial firms a decided advantage across the enterprise. The Report outlines specific steps in great detail – from account hardening and network segmentation to Active Directory and endpoint protection – that any organization can use as a map.
But a key recommendation – one echoed by cybersecurity experts across the board – is not only to put improved security processes and tools in place while fostering a security mindset among users, but also to hold realistic drills. Tabletop scenarios that mimic actual attacks can – and should – include representatives from across the organization.
In the same way that first responders and warfighters “train like they fight,” exercises that show what does and doesn’t work can highlight the good and bad of an incident response plan and give agencies a measurable advantage when the real thing happens.
Ready to learn more? You can download the 2019 FireEye M-Trends Report here.