Attivo Networks Blogs

Key Detection Takeaways from the M-Trends Report. Hint: It’s not getting better.

Written by: Carolyn Crandall, Chief Deception Officer and CMO

Last week, we looked at the latest Verizon Data Breach Investigation Report, which outlined high-level trends across thousands of breaches and cybersecurity incidences. The report showed that despite organizations’ best efforts to get more proactive about detection and response, enterprises are still overly focused and reliant on their perimeter defenses.

Today, we take a look at the M-Trends report from FireEye and Mandiant, which is based on a thorough investigation of the most successful cyberattacks of the past year. The report explores the latest and greatest trends that define today’s threat landscape.

Key takeaways:

  • Global median dwell time from compromise to discovery is up from 99 days in 2016 to 101 days in 2017, and only about 50 percent of alerts get investigated (at best).
  • According to Mandiant’s data, 49 percent ofcustomers that had experienced at least one significant attack were successfully attacked again within one year. Once attackers have a foothold in the network, it can be challenging to completely remove and eradicate any presence from the network. Attackers often install persistence mechanisms and backdoors to ensure they can maintain access if one of their compromised systems gets cleaned. With a long dwell time, they can install as many such failsafes as they need.
  • There has been a significant uptick in activity by Iranian threat actors, despite much of their espionage activity going unnoticed. Cyberwarfare is the new battleground. We will likely see state-sponsored attacks continue to leverage the vast resources that they have at their disposal.
  • Over the next five years, a growing deficit in information security personnel is expected to dramatically exacerbate the current skill gap – which is already considerable. To reduce the impact of this skill shortage, organizations are increasingly considering solutions that are easy to deploy and manage without extensive security expertise. Organizations must also seek ways to remove siloes within their security stack to gain improved efficiencies.


While dwell time is down from 10 years ago, the slight uptick from 99 days in 2016 to 101 days in 2017 is particularly disconcerting, given cybersecurity investment levels and available innnovation. Cybercriminals are using the latest in technology to advance their attacks and exploit human weakness. The threat landscape is also poised to become increasingly more sophisticated as processing power increases and technologies like containers become more widely adopted. Organizations are going to need to rethink their strategies to stay ahead of tomorrows attackers. Simply investing more money in the same way, is not a well positioned strategy to yield different results. This reminds me of the Albert Einstein quote on insanity,“Doing the same thing over and over again and expecting different results.”

It is also quite troubling that nearly half of surveyed organizations who were breached experienced a subsequent attack the following year. This underscores how challenging it can be to successfully eliminate vulnerabilities, even after one believes the attack has been stopped and removed. Additionally, this data illustrates that hackers are becoming adept at leaving doors unlocked for easy reentry later. It has become critical to find solutions that not only detect early and reduce dwell time but also expedites and simplifies remediation. Many organizations still struggle with having a comprehensive and consistent incident response plan. Skills and workforce shortages often compound the issue, resulting in measures to following up on alerts, ensuring complete threat eradication and remediation efforts to fall short of what is needed.

As a result, organizations, regardless of size or industry, are looking to incorporate detection and incident response tools into their security stack. Many are also looking at these tools, not as siloed products but as a security control stack for an active defense. Adding tools and techniques around an Active Defense framework can be a force-multiplier in benefits around one’s security strategies. Getting to an Active Defense starts by adding early detection as a security control. The Deception-based detection technology has grown exponentially in the last 2 years as an efficient and accurate control for threat visibility and reducing dwell time. As part of a successful active defense strategy, deception will utilize decoys, bait, and lures that appear identical to production assets to dramatically increase the difficulty of executing an attack and inevitably cause an attacker to err and reveal their presence. Unique to other technologies is the fidelity of the alert. Whether your security team swims in an ocean of alerts or is small and just doesn’t possess the manpower to address the volume, deception plays a critical role in making alerts actionable. Every alert is engagement based, meaning an attacker has used planted credentials or had even the lightest touch of engagement with a decoy. When an alert triggers it will in-depth threat intelligence and forensic information required to shut down the attack. In the case of Attivo Networks, native integrations will also automate incident response blocking, isolation, and even threat hunting to better ensure an attacker has been eradicated from the network. The added functionality of automated attack analysis and incident response brings additional momentum to achieving a full functioning active defense.

Deception Technology is rapidly growing at unprecendented rates and was recently recommended by Gartner as a top ten strategic tool for 2018. The Attivo ThreatDefend™ Deception and Response Platform is designed for the utmost flexibility and scalability for today’s evolving attack surface and will support user networks, data centers, cloud, and speciliazed environments like IoT, SCADA, POS, and network and telecommunications infrastructure. The solution empowers organizations with advanced deception technology designed to efficiently and accurately detect threats from any attack vector. Additionally, the platform that delivers network visibility, insight into attacker threat path vulnerabilities, in-depth attack analysis, forensic reporting, and automations that can dramatically improve an organizations incident response time. To learn more about creating an Active Defense for early detection and continuous threat management or to see how the Attivo ThreatDefend™ Deception and Response Platform can address your security needs, click here. To continue the conversation and speak with an Attivo Security Specialist, contact us here.

Share on:

Free Active Directory Assessment

Get Visibility Into Privilege And Service Account Exposure

For a limited time, Attivo Networks is providing free Active Directory Security Assessments to demonstrate how ADAssessor provides unprecedented and continuous visibility to AD vulnerabilities.

Try Our Endpoint Detection Net (EDN) for Free


Free use offer of our Award-winning security solution to prevent attackers from lateral movement, credential theft, and privilege escalation, fast and easy.

Newsletter Signup

    Yes, please opt me in to receive your quarterly newsletter, event invitations, and product updates.

    I understand that I can opt out at any time, and can refer to Attivo Networks Privacy Policy for more information.
  • This field is for validation purposes and should be left unchanged.

ADSecure 90-Day Free Trial


  • Hide and deny access to AD objects
  • Get alerted on unauthorized queries
  • Attack details easily viewable in dashboard
  • Your data remains on-premise


Leave a Comment

Your email address will not be published.

five × 5 =

Ready to find out what’s lurking in your network?

Scroll to Top