Executive Perspectives

M-Trends 2019: Celebrating 10 Years of Incident Response Reporting

Today we release M-Trends 2019 and celebrate the 10th anniversary of sharing our insights from the front lines with the cyber security community. When we sat down to write the first M-Trends report ten years ago, our goal was to arm security professionals with details on the latest attacks and threats we were seeing during our engagements – information that could be of particular use to defenders. The response was fantastic, so we kept writing, always looking to bring something new to the table.

In 2011, we hit on something big – a statistic known as dwell time. It was a great measure for how the industry was progressing, and our readers looked forward to seeing it in each report. In 2011, the global median dwell time was 416 days. That means the average attacker had access to a network or system for longer than a year before they were detected.

But times have changed. The global median dwell time in 2018 is 78 days, down from 101 days in 2017. Now the average attacker is going undetected on a network or system for less than three months. The reduction in dwell time is evidence that organizations are continuing to improve their detection capabilities, but having an attacker in an environment for more than a month means there is room for improvement.

While there is plenty of good data in M-Trends 2019, the report includes a lot more than just statistics. Read the report to learn all about:

  • APT Groups: We provide details on four threat groups that we promoted to APT in 2018. APT37 and APT38 appear to be operating in support of North Korea, although are not necessarily connected. APT39 is an Iranian espionage group, and APT40 is a China-nexus espionage actor.
  • Case Studies: We show how early identification is key by discussing an incident involving attacker activity now attributed to the threat group TEMP.Demon. We also discuss an incident at a Southeast Asia-based international telecommunications company that started with an extortion email sent from the CEO’s work account by an attacker.
  • Defensive Trends: We dive into a practice we call “premediation”, which refers to the proactive implementation of security configurations and architectural enhancements that are commonly part of remediation efforts, and also discuss other common issues we observe during investigations.

There’s a lot more too, so go ahead and read the full 10th anniversary M-Trends 2019 report today. For a nostalgic look back at M-Trends through the years, check out our video retrospective. And to get even more awesome M-Trends information, register for our upcoming webinar.

Here’s to another ten years of M-Trends!