Cybersecurity: Victims are spotting cyberattacks much more quickly - but there's a catch

Cyber criminals are spending less time inside networks before they're discovered. But that's partly because when hackers deploy ransomware, they don't stay hidden for long.
Written by Danny Palmer, Senior Writer

The amount of time cyber criminals are spending inside compromised networks is dropping. But while that might sound like a positive development, one reason hackers are spending less time inside networks is because of the surge in ransomware attacks.

Researchers at cybersecurity company FireEye Mandiant analysed hundreds of cyber incidents and found that the global median dwell time – the duration between the start of a security intrusion and when it's identified – has dropped to below a month for the first time, standing at 24 days.

According to the M-Trends 2021 annual threat report, that means incidents are being identified twice as quickly as they were last year when the average dwell time was 56 days – and much more quickly than they were a decade ago, when it often took over a year for organisations to realise that cyber criminals had infiltrated the network.

SEE: Cybersecurity: Let's get tactical (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic)

While some of this reduction in dwell time is thanks to better detection and response capabilities from organisations, the rise in ransomware has also played a role.

Ransomware attacks have become an increasingly dangerous cybersecurity issue, with cyber criminals infiltrating networks, compromising all they can with file-encrypting malware and then demanding a ransom payment – most commonly in Bitcoin – in exchange for restoring the network.

The attacks are highly lucrative for cyber criminals, but unlike most other forms of cyberttack, ransomware doesn't remain under the radar – victims of ransomware attacks know they've become a victim when their network is suddenly encrypted and a ransom note is left by the attackers.

One of the key advantages of ransomware attacks for cyber criminals is that they have the potential to make them a lot of money in a relatively short space of time. Once they've compromised all the required assets on the network, there's no point waiting around, so the criminals will execute the ransomware attack as quickly as possible.

As long as ransomware attacks remain successful, there's no reason to believe cyber criminals will stop launching them against organisations with vulnerable networks.

"The ransomware expansion demonstrates it proves valuable to attackers. Put simply, attackers will operate in ways that produce impacts for their motivations," Steven Stone, senior director of advanced practices at Mandiant, told ZDNet.

"More and more attackers are using ransomware for a wider variety of motivations. We expect this diversity to continue over time and provide for more challenging intrusions in 2021."

SEE: This company was hit by ransomware. Here's what they did next, and why they didn't pay up

Ransomware isn't the only threat organisations face: cyber criminals will, for example, continue attempting to compromise networks in phishing and malware campaigns.

While being able to quickly detect attacks inside the network is better than not detecting them at all, the best way to protect the organisation from cyber threats is to detect or prevent them before they've even had a chance to compromise the network.
To help this, the FireEye Mandiant report recommends security fundamentals including vulnerability and patch management, so that cyberattacks can't take advantage of known vulnerabilities in the networks.


Editorial standards