M-Trends 2019 Infographic Part 1 - FireEye · 12/19/2018



NEW APT GROUPS

In 2018, FireEye promoted four attackers from previously tracked TEMP groups to advanced persistent threat (APT) groups.

ONCE A TARGET, ALWAYS A TARGET

In 2018, the number of retargeted customers continued to climb.1 If you’ve been breached once, you’re much more likely to be targeted again and suffer another breach.

RETARGETED INCIDENT RESPONSE CLIENTS BY REGION

[Figure: percentage of retargeted incident response clients (scale 0-100) for GLOBAL, AMERICAS, EMEA and APAC. Data labels: 2017: 56%, 44%, 47%, 91%; 2018: 64%, 63%, 57%, 78%.]

DWELL TIME

Organizations are getting better at detecting breaches quickly. Worldwide, median dwell times have decreased significantly, from 416 days in 2011 to just 78 days in 2018.

While median dwell times have decreased globally and in the Americas, dwell times increased in APAC and EMEA, where security teams are still uncovering historical attacks.

GLOBAL MEDIAN DWELL TIME

[Figure: global median dwell time. Axes: YEARS (2017, 2018); DWELL TIME (DAYS), scale 0-600.]

Dwell time is the number of days an attacker is present on a victim network, from first evidence of compromise to detection.

In 2018, 31% of the compromises we investigated had dwell times of 30 days or less, compared to 28% in 2017. This may be due to an increase in financially motivated compromises such as ransomware, which tend to have an immediate impact on targeted organizations—but are detected immediately as well.

GLOBAL DWELL TIME DISTRIBUTION

[Figure labels for GLOBAL, AMERICAS, EMEA and APAC (dwell time in days): 101, 76, 175, 2016, 99, 99, 106, 172, 498, 78, 71, 177, 204.]

[Figure: INVESTIGATIONS IN 2018 (PERCENTAGE) by DWELL TIME (DAYS), scale 0-20. Bins: 0-7, 8-14, 15-30, 31-45, 46-60, 61-75, 76-90, 91-150, 151-200, 201-300, 301-400, 401-500, 501-600, 601-700, 701-800, 801-900, 901-1000, 1000-2000, 2000+. Data labels: 15%, 7%, 9%, 7%, 7%, 10%, 6%, 6%, 7%, 3%, 1%, 4%, 2%, 1%, 0, 1%, 7%, 4%, 2%.]

TOP 3 RETARGETED INDUSTRIES

[Figure: INCIDENT RESPONSE CLIENTS (PERCENTAGE), scale 0-20, for FINANCE, HEALTH and EDUCATION. Data labels: 11%, 13%, 18%.]

BREACH NOTIFICATION SOURCES

Since 2015, organizations have gotten better at discovering compromises on their own, as opposed to being notified by external sources.

YEAR: EXTERNAL / INTERNAL

2011: 94% / 6%
2012: 63% / 37%
2013: 67% / 33%
2014: 69% / 31%
2015: 53% / 47%
2016: 47% / 53%
2017: 38% / 62%
2018: 41% / 59%

APT40

NAME: APT40
DATE NAME: DECEMBER 19, 2018
ORIGIN OR SPONSORING NATION: CHINA
PRIMARY INDUSTRY TARGETS: AVIATION, CHEMICALS, DEFENSE, EDUCATION, GOVERNMENT, HIGH-TECH, MARITIME, RESEARCH
PRIMARY REGIONAL TARGET: SOUTHEAST ASIA

APT39

NAME: APT39
DATE NAME: DECEMBER 12, 2018
ORIGIN OR SPONSORING NATION: IRAN
PRIMARY INDUSTRY TARGETS: HIGH-TECH, TELECOMMUNICATIONS, TRANSPORTATION, TRAVEL
PRIMARY REGIONAL TARGET: MIDDLE EAST

APT38

NAME: APT38
DATE NAME: OCTOBER 2, 2018
ORIGIN OR SPONSORING NATION: NORTH KOREA
PRIMARY INDUSTRY TARGETS: FINANCIAL INSTITUTIONS, INTER-BANK FINANCIAL SYSTEMS
PRIMARY REGIONAL TARGET: ECONOMICALLY DEVELOPING REGIONS

APT37

NAME: APT37
DATE NAME: FEBRUARY 19, 2018
ORIGIN OR SPONSORING NATION: NORTH KOREA
PRIMARY INDUSTRY TARGETS: AEROSPACE, AUTOMOTIVE, CHEMICALS, ELECTRONICS, HEALTH CARE ENTITIES, MANUFACTURING
PRIMARY REGIONAL TARGET: JAPAN, MIDDLE EAST, SOUTH KOREA, VIETNAM

© 2019 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners. F-EXT-IG-US-EN-000187-01

1 We define “retargeted customers” as FireEye managed detection and response customers who were previously Mandiant incident response clients and were targets of one significant attack in the past 19 months by the same or similarly motivated attack group.


M-TRENDS 2019
A FIREEYE MANDIANT SPECIAL REPORT