The global median dwell time before any
detection, external or internal, has also
decreased by more than a month – going
from 101 days in 2017 to 78 days in
2018. The same measurement was as
high as 416 days back in 2011.
• Nation-state threat actors are
continuing to evolve and change:
Through ongoing tracking of threat
actors from North Korea, Russia, China,
Iran and other countries, FireEye has
observed these actors continually
enhancing their capabilities and
changing their targets in alignment with
their political and economic agendas.
Significant investments have provided
these actors with more sophisticated
tactics, tools, and procedures, with some
becoming more aggressive, and others
better at hiding and staying persistent for
longer periods of time.
• Attackers are becoming increasingly
persistent: FireEye data provides
evidence that organisations which have
been victims of a targeted compromise
are likely to be targeted again. Global
data from 2018 found that 64% of all
FireEye managed detection and response
customers who were previously Mandiant
incident response clients were targeted
again in the past 19 months by the same
or similarly motivated attack group, up
from 56% in 2017.
• Many attack vectors used to get
to targets, including M&A activity:
Attacker activity touches countries across
the globe. Among them, FireEye observed
an increase in compromises through
phishing attacks during mergers and
acquisitions (M&A) activity. Attackers
are also targeting data in the cloud,
including cloud providers, telecoms, and
other service providers, in addition to
re-targeting past victim organisations.

We asked Mohammed Abukhater, Vice
President – MEA at FireEye, further
questions about the report.

The report says in 2018 the median
duration between the start of an
intrusion and its identification by an
internal team was 57.5 days. This
has been decreasing in recent times.
Why is this?

The dwell time usually is a sign where we
ask ‘is this organisation mature enough
to detect and contain a breach?’ I see the
decrease (in time taken to detect a breach)
as the biggest positive in our M-Trends
Report for the past year.
The other fact we need to highlight is 60%
of the breaches were discovered by internal
teams rather than external ones. There has
been a shift from 2011 year on year. You can
see there has been a big increase in terms of
detection by the internal team.
This could be related to many reasons, one is
the increase in the maturity of organisations
for different aspects; one being in terms
of process – they have enhanced their
processes in terms of handling breaches.
Another factor is the investment in talent.
More organisations tend to hire talented
resources who specialise in cybersecurity.
Some of the countries in the Gulf area tend
to hire local or national resources to keep the
confidentiality of the data and they have
invested heavily since the beginning of 2018
in training their local nationals.

Should organisations take
comfort from the fact that there
are third-party bodies detecting
data breaches?

Countries across the globe have started to
establish entities owned by the government
to look after national cybersecurity. These
are what we call the external or third-party
agencies or entities. In the past year we
have noticed countries in the Middle East, or
more specifically in the GCC, have built an
entity to manage the national cybersecurity
strategy and they managed to create
many restrictions especially for government
organisations or organisations that will
have an impact on national productivity or
national security.
This is good. I feel that this has given comfort
to organisations to see that each government
can give guidelines in how to tackle the shift
in the sophistication of cyberattacks. But if
you look to me as a cyber-specialist I don’t
think this is really something we should take
comfort from. In reality we still need
third-party agencies to help identify these attacks
www.intelligentcio.com