Executive Summary
Over the past 10 years, we have covered many different topics in our M-Trends® reports, including a primer on
the exploitation life cycle, how attackers hide their activity,
malware trends, and case studies providing technical detail on many of the
investigations we performed.
On the surface, not much has changed over the past 10 years. 2018
was much like 2017, and 2017 like the preceding years. We continue to see large
impactful incidents, though fewer high-profile public disclosures. Extortion
cases are on the rise, assisted by cryptocurrency and other forms of
non-attributable payment. Cryptocurrencies are also directly targeted via
wallets, payment systems and miners.
The significant trends or shifts we saw in 2018 were:
- A significant increase in public attribution
performed by governments. Recent years have seen a significant increase in
private sector attribution of attack activity, but the past year saw a
significant number of attacks publicly attributed by way of indictments from
the U.S., U.K., Netherlands and Germany. Some of these were assisted by data
from private sector companies such as FireEye. Governments have not changed
their operational rules of engagement, but they are combating threats publicly
through indictments.
- As more and more customers move to software
as a service and cloud, attackers are following the data. Attacks against cloud
providers, telecoms, and other organizations with access to large amounts of
data have increased.
M-Trends 2019
looks at some of the latest trends revealed through FireEye Mandiant incident response
investigations. These include evolving APT activity in various regions,
phishing risks during mergers and acquisitions, and some defensive trends that
we consider best practices.
We also answer the question that everyone asks: As an industry,
are we getting better at detecting threat actors? We are quite pleased to
announce that the answer is a big yes. From October 1, 2017, to September 30,
2018, the global median dwell time was 78 days. That means the median attacker operated
for roughly two and a half months before being detected. That is
roughly a quarter less than the global median dwell time of 101 days in last year’s
report, a modest but real improvement.
It wouldn’t be M-Trends
if we didn’t include a variety of case studies to demonstrate exactly what we
saw in the field that enabled us to provide the information in this report.
This year, we show how early identification is key by diving into an incident
involving attacker activity now attributed to the threat group TEMP.Demon. We also
discuss an incident at a Southeast Asia-based international telecommunications
company that started with an extortion email the attacker sent from the CEO’s own
work account.
When we launched our first M-Trends report 10 years ago, we had one primary goal—and that hasn’t changed: to arm security teams with the knowledge they need to defend against today’s most often used cyber attacks, as well as lesser seen and emerging threats.
Full report: https://content.fireeye.com/m-trends