With security awareness increasing and stronger tools available, organizations are getting better at discovering data breaches on their own, a new report found.
Over 60 percent of the intrusions Mandiant investigated in 2017 were detected internally by the victim organization, according to the company's M-Trends report for 2018.
The global median time to internal detection dropped to 57.5 days in 2017, from 80 days the previous year.
Of the breaches Mandiant investigated last year, 62 percent were discovered internally, up from 53 percent in 2016.
On the other hand, the overall time to discovery barely moved: attackers still spent roughly as long inside compromised networks before anyone, internal or external, noticed them.
The global median dwell time in 2017, measured from the first evidence of compromise to its detection, was 101 days, compared to 99 days in 2016.
Companies in the Americas had the shortest median dwell time (75.5 days), while organizations in the APAC region had the longest dwell time (nearly 500 days).
Data collected by Mandiant in 2013 showed that more than one-third of organizations had been attacked again after the initial incident was remediated. More recent data, covering the past 19 months, showed that 56 percent of Mandiant customers were targeted again, either by the same group or by one with similar motivations.
Where investigators found at least one type of significant activity (for example compromised accounts, data theft or lateral movement), 49 percent of the targeted organizations were successfully attacked again within one year. Of the organizations that experienced more than one type of significant activity, 86 percent were attacked by more than one threat actor.
Again, the APAC region had the highest percentage of companies attacked multiple times and by multiple threat groups, more than double the rate seen in the Americas and in EMEA.
Among industries, companies in the financial and high-tech sectors recorded the highest number of significant attacks, while the high-tech, telecommunications and education sectors were targeted by the greatest number of distinct threat groups.
Last year, FireEye assigned APT designations to four state-sponsored threat groups: the Vietnam-linked APT32 (OceanLotus) and the Iran-linked APT33, APT34 (OilRig) and APT35 (also tracked as NewsBeef, Newscaster and Charming Kitten).
“For some time, these (Iranian) threat actors were primarily a nuisance consisting of a loose collective of patriotic hackers who conducted web defacements, distributed denial of service (DDoS) campaigns and occasional destructive malware attacks. Since 2010, post-Stuxnet, Iran has increased its cyber espionage capabilities and is now operating at a pace and scale consistent with other nation-state sponsored APT groups,” Mandiant said in its report. “Iranian threat actors have compromised a variety of organizations, but recently they have expanded their efforts in a way that previously seemed beyond their grasp. Today they leverage strategic web compromises (SWC) to ensnare more victims, and to concurrently maintain persistence across multiple organizations for months and sometimes years.”