As detection times shrink across the board, threat groups are improving their craft and prioritizing speed as the key ingredient in ransomware attacks.
According to security vendor Mandiant’s M-Trends 2022 Report, the good news is that the average dwell time for threat actors before being detected is down from 28 days to only 21 days. This does mean detection is getting better, but the bad news is that they’re still on your network for 21 days before being found out.
But it gets worse.
Mandiant focuses in on a threat group they call FIN12 – a “financially motivated threat group behind prolific RYUK ransomware attacks dating to at least October 2018.” Mandiant believes they are relying on initial access brokers to provide entrée into chosen victim networks. What makes this threat group so dangerous is that their average dwell time from initial access to encryption was only 5 days back in the first half of 2020. Now it’s only two days.
Put this all together and your average organization’s detection time is about ten times too slow for the likes of FIN12.
But your focus really shouldn’t be on FIN12; it should be on the initial attack partners that are likely being tasked to gain access to select victim organizations. Phishing remains the number one initial attack vector, shifting your focus from “what do I do about FIN12?” to “how do I stop phishing attacks that are providing FIN12 the needed foothold?”
The most impactful way to stop phishing attacks is Security Awareness Training that educates users on the social engineering techniques in use, helping them vigilantly spot suspicious email content before malicious code can run and secure the initial access FIN12 needs.
Now, not all cybercriminal groups are FIN12. But you can believe that other groups are going to attempt to replicate FIN12’s successes by using the same model, making phishing a primary concern for your cybersecurity strategy.