FireEye has announced the release of its annual M-Trends report, which found that attackers were present in EMEA organisations’ networks a median of 175 days before being detected in 2017. This is an increase of almost 40 percent from the same measurement the year before which stood at 106 days. The report is based on information gathered during investigations conducted by FireEye’s security analysts in 2017 and uncovers emerging trends and tactics that threat actors used to compromise organisations.
The key findings include:
The median dwell time (the duration a threat actor has in an organisation’s environment before they are detected) stood at 175 days. The median dwell time globally is 101 days, so EMEA organisations were 2.5 months slower to respond than the global median. However, progress appears to have been made with organizations discovering breaches internally, rather than being notified by law enforcement or another outside source. EMEA median dwell time for internal detection was 24.5 days, down from 83 days in last year’s report. The global statistic for internal detection is 57.5 days.
In 2017, 24 percent of Mandiant investigations in EMEA involved organisations from the finance sector. This made finance the most targeted sector ahead of government which represented 18 percent. Business and professional services was the third most targeted sector, involved in 12 percent of investigations.
FireEye data provides evidence that organizations which have been victims of a targeted compromise are likely to be targeted again. Global data from the past 19 months found that 56 percent of all FireEye managed detection and response customers who came out of Mandiant incident response support were targeted again by the same or a similarly motivated attack group. Findings also show that at least 49 percent of customers that had experienced at least one significant attack were successfully attacked again within the next year. In EMEA specifically, 40 percent of customers who had been affected by a serious breach had multiple significant attacks from multiple groups throughout the year.
The demand for skilled cyber security personnel is continuing to rapidly outpace supply, adding to the existing skills shortage. Industry research data by the National Initiative for Cybersecurity Education (NICE), and insights gained through FireEye engagements throughout 2017, point to the deficit getting worse over the next five years. These findings show that the main areas affected by the skills gap are visibility & detection and incident response. In both of these disciplines, a lack of expertise is causing a potentially costly delay in dealing with malicious activity.
“It’s disappointing to see median dwell times increasing significantly in EMEA organisations, particularly with the GDPR deadline just around the corner,” said Stuart McKenzie, vice president of Mandiant, FireEye. “However, on the positive side, we’ve seen a growing number of historic threats uncovered this year that have been active for several hundred days. Detecting these long-lasting attacks is obviously a positive development, but it increases the dwell time statistic.”