M-Trends 2019 Infographic Part 1 - FireEye

Post on 24-Sep-2020


NEW APT GROUPS

In 2018, FireEye promoted four attackers from previously tracked TEMP groups to advanced persistent threat (APT) groups.

ONCE A TARGET, ALWAYS A TARGET

In 2018, the number of retargeted customers continued to climb.1 If you’ve been breached once, you’re much more likely to be targeted again and suffer another breach.

RETARGETED INCIDENT RESPONSE CLIENTS BY REGION

GLOBAL: 56% (2017), 64% (2018)
AMERICAS: 44% (2017), 63% (2018)
EMEA: 47% (2017), 57% (2018)
APAC: 91% (2017), 78% (2018)

DWELL TIME

Organizations are getting better at detecting breaches quickly. Worldwide, median dwell times have decreased significantly, from 416 days in 2011 to just 78 days in 2018.

While median dwell times have decreased globally and in the Americas, dwell times increased in APAC and EMEA, where security teams are still uncovering historical attacks.

GLOBAL MEDIAN DWELL TIME

Median dwell time in days, by region and year:

2016: GLOBAL 99, AMERICAS 99, EMEA 106, APAC 172
2017: GLOBAL 101, AMERICAS 76, EMEA 175, APAC 498
2018: GLOBAL 78, AMERICAS 71, EMEA 177, APAC 204

Dwell time is the number of days an attacker is present on a victim network, from first evidence of compromise to detection.

In 2018, 31% of the compromises we investigated had dwell times of 30 days or less, compared to 28% in 2017. This may be due to an increase in financially motivated compromises such as ransomware, which tend to have an immediate impact on targeted organizations—but are detected immediately as well.

GLOBAL DWELL TIME DISTRIBUTION

[Figure: investigations in 2018 (percentage) by dwell time (days). Dwell time ranges: 0-7, 8-14, 15-30, 31-45, 46-60, 61-75, 76-90, 91-150, 151-200, 201-300, 301-400, 401-500, 501-600, 601-700, 701-800, 801-900, 901-1000, 1000-2000, 2000+.]

TOP 3 RETARGETED INDUSTRIES

[Figure: incident response clients (percentage) for FINANCE, HEALTH and EDUCATION. Bar labels on the page: 11%, 13%, 18%.]

BREACH NOTIFICATION SOURCES

Since 2015, organizations have gotten better at discovering compromises on their own, as opposed to being notified by external sources.

Breach notification source by year (EXTERNAL / INTERNAL):

2011: 94% / 6%
2012: 63% / 37%
2013: 67% / 33%
2014: 69% / 31%
2015: 53% / 47%
2016: 47% / 53%
2017: 38% / 62%
2018: 41% / 59%

APT40

NAME: APT40
DATE NAME: DECEMBER 19, 2018
ORIGIN OR SPONSORING NATION: CHINA
PRIMARY INDUSTRY TARGETS: AVIATION, CHEMICALS, DEFENSE, EDUCATION, GOVERNMENT, HIGH-TECH, MARITIME, RESEARCH
PRIMARY REGIONAL TARGET: SOUTHEAST ASIA

APT39

NAME: APT39
DATE NAME: DECEMBER 12, 2018
ORIGIN OR SPONSORING NATION: IRAN
PRIMARY INDUSTRY TARGETS: HIGH-TECH, TELECOMMUNICATIONS, TRANSPORTATION, TRAVEL
PRIMARY REGIONAL TARGET: MIDDLE EAST

APT38

NAME: APT38
DATE NAME: OCTOBER 2, 2018
ORIGIN OR SPONSORING NATION: NORTH KOREA
PRIMARY INDUSTRY TARGETS: INTER-BANK FINANCIAL SYSTEMS, FINANCIAL INSTITUTIONS
PRIMARY REGIONAL TARGET: ECONOMICALLY DEVELOPING REGIONS

APT37

NAME: APT37
DATE NAME: FEBRUARY 19, 2018
ORIGIN OR SPONSORING NATION: NORTH KOREA
PRIMARY INDUSTRY TARGETS: HEALTH CARE ENTITIES, ELECTRONICS, MANUFACTURING, AUTOMOTIVE, CHEMICALS, AEROSPACE
PRIMARY REGIONAL TARGET: JAPAN, MIDDLE EAST, SOUTH KOREA, VIETNAM

© 2019 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners. F-EXT-IG-US-EN-000187-01

1 We define “retargeted customers” as FireEye managed detection and response customers who were previously Mandiant incident response clients and were targets of one significant attack in the past 19 months by the same or similarly motivated attack group.


M-TRENDS 2019 A FIREEYE MANDIANT SPECIAL REPORT
