How to Use Incident Response Reporting to Drive Cyber Security Decisions

In its Q1-2019 Forrester Wave™ report, Forrester Research recognized FireEye as the undisputed industry leader in the Cybersecurity Incident Response Services category. Our unique synthesis of digital forensics, human intelligence (HUMINT) and a global machine learning network generates innovations such as dwell time, a critical global measure of the state of cyber security.

Dwell time is calculated as the number of days an attacker is present on a victim network, from first evidence of compromise to detection.

FireEye first introduced the concept of dwell time in the 2011 edition of its annual M-Trends report, which summarizes learnings during the year, including how adversaries have evolved, what they target, and how they attack, as well as their tools, tactics and procedures (TTPs). The report helps readers better anticipate and reduce the impact of inevitable attacks.

Dwell time is a great measure of industry progress. In 2011, the global median dwell time was 416 days. Our data indicated that the average attacker had access to a network or system for longer than a year before they were detected.

But times have changed. The global median dwell time in 2018 is 78 days, down from 101 days in 2017. Now the average attacker is going undetected on a network or system for less than three months. The reduced dwell time is evidence that organizations are continuing to improve their detection capabilities, but having an attacker in an environment for more than a month means there is room for improvement.

M-Trends 2019 is packed with more than just statistics:

  • APT Groups: We provide details on four threat groups formally promoted to APT groups in 2018. APT37 and APT38 appear to be operating in support of North Korea, thought they are not necessarily connected. APT39 is an Iranian espionage group, and APT40 is a China-nexus espionage actor.
  • Case Studies: We show the value of early identification through an incident involving attacker activity now attributed to the threat group TEMP.Demon. We also cover an incident at a Southeast Asia-based international telecommunications company that started with an extortion email sent from the CEO’s work account by an attacker.
  • Defensive Trends: We dive into a practice we call “premediation,” which refers to the proactive implementation of security configurations and architectural enhancements that are commonly part of remediation efforts. Programmatic changes to improve incident response and remediation are also discussed.

For full details, read the 10th anniversary M-Trends 2019 report.

You can also watch our video retrospective and attend our upcoming webinar.

This blog was brought to you by our partner, FireEye. Don’t miss FireEye’s presentation – From Noise to Answers: Driving Outcomes With A Threat Focused Approach – on Day 1 at 3:00pm in Grandroom A.