Faster threat detection, but agencies warn of more to come

Published on the 28/04/2022 | Written by Heather Wright

New warning from Five Eyes as new reports paint mixed picture for A/NZ threatscape…

Threat detection has improved in Asia Pacific in the past year according to a new report, but local cyber security agencies are warning A/NZ organisations to step up their game, with fresh warnings about the potential for fallout from Russia’s Ukraine invasion.

The 2022 M-Trends report, from cybersecurity company Mandiant – previously part of FireEye and now the target of a US$5.4 billion acquisition plan by Google currently being looked at by regulators – saw median dwell time, measuring the number of days a cyberattack remains undetected, plummet from 76 days to 21 days across APAC.

“Organisations are detecting intrusions quicker and external entities are notifying organisations of intrusions faster.”

That regional drop helped take the global median dwell time down from 24 days to 21 days, with the Americas continuing to log a better than average 17 days. Thirty-six percent of intrusions in APAC, and 37 percent globally, were discovered in one week or less. On the flip side, 13 percent of APAC intrusions had dwell times exceeding a whopping three years.

“Organisations in APAC have impressive detection capabilities. However, intrusions that go undetected initially can remain undetected, resulting in extensive dwell times when they are ultimately detected.”

The reductions seen are partly driven by increased numbers of companies using external specialists to manage cybersecurity, along with better threat information sharing, Mandiant says.

“In APAC organisations are detecting intrusions quicker and external entities are notifying organisations of intrusions faster,” the report notes.

“Intrusions in APAC that were detected internally had a median dwell time of 22 days in 2021, compared to 33 days in 2020. The median dwell time for intrusions with an external notification source was 16 days in 2021 compared to 137 days in 2020.”

The M-Trends report, which covers the 15 months ending December 31, 2021, notes that in a reversal of 2020 findings, 76 percent of Asia Pacific intrusions were notified by an external entity – though it should also be noted that in Mandiant parlance notifications by external entities also include cases where compromised organisations are notified of an incident via an extortion note. A year earlier just 48 percent of intrusions were identified externally.

It’s not all good news though, with Steve Ledzian, Mandiant Asia Pacific and Japan VP and CTO, noting APAC saw ransomware triple to account for 38 percent of Mandiant investigations, bucking a global trend which saw other regions record modest decreases in ransomware investigations. There’s no mention in the report of how many ‘external notifications’ came via ransomware demands. However, the report does note that median dwell time for ransomware-related intrusions is much lower, at nine days – versus just five globally – compared to 38 days for non-ransomware intrusions. 

This week Sophos reported that 80 percent of Australian organisations surveyed for its annual State of Ransomware report were hit by ransomware in 2021, up from 45 percent in 2020. Seventy-nine percent of attacks on Australian organisations resulted in data being encrypted, notably higher than the global average of 65 percent.

As to the attack vectors seen by Mandiant, the company reports a ‘significant increase’ in the number of ransomware attacks harnessing virtualisation infrastructure. 

By accessing virtualisation platforms, ransomware attackers can rapidly encrypt many virtual machines without needing to directly log in to, or deploy encryptors within, each machine, the report says.

“Throughout 2021, Mandiant observed VMware vSphere and ESXi platforms being targeted by multiple threat actors, including those associated with Hive, Conti, Blackcat and DarkSide.”

Among the most effective mitigations is network segmentation, placing the virtualisation management software on an isolated network. Privileged access management can also be useful.

The report comes as a joint cybersecurity advisory from Five Eyes cybersecurity agencies, including the Australian Cyber Security Centre and New Zealand’s Government Communications Security Bureau, warns local organisations of the potential for increased malicious cyber activity on the back of Russia’s invasion of Ukraine.

That advisory warns that evolving intelligence indicates that the Russian government is exploring options for potential attacks, urging organisations to ‘immediately’ protect against Russian state-sponsored and criminal cyber threats by patching all systems, enforcing MFA, securing and monitoring remote desktop protocol and other risky services and upping end-user awareness and training. 

“Remote Desktop Protocol (RDP) exploitation is one of the top initial infection vectors for ransomware,” the advisory notes, echoing the Mandiant report, which noted RDP was a top targeted technology in 2021.

The Five Eyes advisory says organisations should limit access to resources over internal networks, restricting RDP and using virtual desktop infrastructure. If RDP is required externally, use of a VPN or other means to authenticate and secure the connection before connecting to internal devices is advocated, along with careful monitoring of remote access/RDP logs, enforcing account lockouts after a specified number of attempts to block brute force attempts, and disabling unused remote access ports.

Russian hacking groups have also been pledging support for the Russian government with some threatening to conduct cyber operations against countries and organisations providing material to support Ukraine.

“US, Australian, Canadian, New Zealand and UK cyber security authorities urge critical infrastructure network defenders to prepare for and mitigate potential cyber threats – including destructive malware, ransomware, DDoS attacks and cyber espionage – by hardening their cyber defences and performing due diligence in identifying indicators of malicious activity,” the advisory says.
