In January 2012, the European Union (EU) began the long process of creating a framework for data protection reform. One of the proposals associated with these reforms was a piece of legislation titled the General Data Protection Regulation (GDPR). The reforms were agreed upon in December 2015, and GDPR came into full effect on May 25, 2018. This often left companies and other organizations scurrying to ensure they were compliant with the law, which probably left a bad taste in many a CEO’s or board member’s mouth. It has been a year and a half since the law, which boosts user privacy, was adopted, and it seems to be having a positive effect on cybersecurity according to FireEye’s latest report.
One of the key findings of the FireEye Mandiant M-Trends 2020 Report is that, due to GDPR, the amount of time hackers spend inside the networks of compromised organizations before being uncovered has massively declined across Europe.
Analysis of the data revealed that the median dwell time, from the start of an intrusion to its being identified, has fallen from 177 days last year to 54 days now, a 70% decrease over the previous period. According to the researchers, this sharp decline seen across Europe was directly due to GDPR. Researchers noted that,
“EMEA [Europe, the Middle East, and Africa] has seen a marked reduction in dwell times. In M-Trends 2019, we suggested that a steep rise in median dwell time was likely linked with organizations putting more emphasis on GDPR and increasing focus on security which may have revealed historic compromises. EMEA statistics are now generally in line with the global averages, which reflect the improving security posture of organizations and highlight the ongoing challenges organizations face from sophisticated threat actors. While significant improvements have been made, attackers still go undetected in target environments for far too long, remaining stealthy and harder to spot as they pursue their goals.”
GDPR requires organizations that discover a data breach to report it to their relevant authority within 72 hours of the initial discovery. Failure to do so, or being found to be otherwise non-compliant, can result in a significant fine. British Airways was on the receiving end of such a fine, with the airline being fined a record 183 million GBP for a data breach which occurred in 2018. This has led organizations across Europe to increase their focus on cybersecurity, leading to intrusions being uncovered much quicker than before. It is important to note that GDPR empowers authorities to fine a company found to be in violation of the law a maximum of 4% of its turnover.
British Airways was fined only 1.5% of its turnover. With such a strong motivating force for companies in Europe, and for those that do business with Europe, to do their utmost in securing data, it is easy to see why the law has had a positive effect on dwell times. It is true that the legislation only applies within the European Union, but the effects of the law have been felt globally, as businesses that actively do business in Europe or transfer data to the union have to abide by its provisions. This seems to have also contributed to the decrease in the global dwell time, which is down from 78 days to 56 days.
Not All Good News
While the positive effect of GDPR on dwell times (which FireEye defines as the time an attacker is present in a victim’s network before discovery) is clear, other, less positive, factors also contributed to the overall decline. Researchers noted that certain malware attacks naturally have shorter dwell times: ransomware and crypto miners are examples of disruptive attacks that are discovered quickly. Attacks by state-sponsored actors, by contrast, often exhibit far longer dwell times than the average, as their main aim is to remain on targeted networks for as long as possible and steal as much information as they can.
The FireEye report dedicates a portion of its 60 pages to the discovery and analysis of the Advanced Persistent Threat (APT) group APT41. The newest addition to the APT family, added in 2019, was previously tracked as the TEMP group and is believed to be responsible for carrying out Chinese state-sponsored cyber espionage campaigns. TEMP started as a financially motivated group in 2012, carrying out operations against targets in the video game industry, a stark contrast to the normal activity of state-sponsored groups. However, researchers noted,
“This stands in contrast to the state-sponsored goals that likely drive the group’s targeting of higher education, telecommunications, travel services, and news/media firms. The attacks appear to have been carried out as part of a surveillance operation. The group’s most recent activity included targeting call record information and SMS data…APT41 is unique among China-based actors in that it leverages non-public malware typically reserved for espionage, in operations that appear to fall outside the scope of state-sponsored missions. The group’s mix of financial and state-sponsored motivations is remarkable because this type of activity is unusual among Chinese state-sponsored threat groups.”
Researchers also pointed out that both APT groups and financially motivated attackers exploit organizations’ failure to enforce multi-factor authentication (MFA); according to the report, this is one of the most common ways threat actors gain access to a network. MFA is an important security control because it adds an extra barrier that can prevent attackers from doing damage, and it also alerts the security team that something might be wrong before the problem escalates.
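The report’s point about MFA is as much about detection as about prevention: a successful sign-in that completed without a second factor is exactly the kind of event a security team wants surfaced early, before dwell time accumulates. The following is an added example, not code from the article or from FireEye, of a small detector that reads authentication log lines and raises an alert for every successful login where no MFA factor was presented. The key=value log format, the field names, the sample lines and the 10.0.0.0/8 "internal" range are all assumptions made for the illustration.

```python
"""Flag successful logins that completed without a second factor.

Added example (not from the FireEye report or the article). The log
format, field names, sample lines and the internal address range are
assumptions chosen for illustration only.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable

# Constructed sample log lines in an assumed key=value format.
SAMPLE_LOGS = """\
ts=2020-03-01T08:02:11Z user=alice src=10.0.4.7 result=success mfa=totp
ts=2020-03-01T08:05:42Z user=bob src=203.0.113.9 result=success mfa=none
ts=2020-03-01T08:06:10Z user=carol src=10.0.4.9 result=failure mfa=none
ts=2020-03-01T08:09:33Z user=svc-backup src=198.51.100.4 result=success mfa=none
ts=2020-03-01T08:11:05Z user=dave src=10.0.4.12 result=success mfa=push
"""

# Assumed corporate address space; anything outside it is treated as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

LINE_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class LoginEvent:
    ts: str
    user: str
    src: str
    success: bool
    mfa: str  # "none" when no second factor was presented


def parse_line(line: str) -> LoginEvent | None:
    """Parse one log line; return None for malformed input instead of
    crashing the detector on a single bad record."""
    fields = dict(LINE_RE.findall(line))
    required = {"ts", "user", "src", "result", "mfa"}
    if not required <= fields.keys():
        return None
    return LoginEvent(
        ts=fields["ts"],
        user=fields["user"],
        src=fields["src"],
        success=fields["result"] == "success",
        mfa=fields["mfa"],
    )


def is_internal(ip: str) -> bool:
    """True if the source address falls inside the assumed internal range.
    Unparsable addresses are treated as external (the conservative choice)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def find_mfa_gaps(lines: Iterable[str]) -> list[LoginEvent]:
    """Return successful logins where no MFA factor was presented.
    Failed logins are ignored here: a failed password attempt is a
    separate detection, this one is about the control being bypassed."""
    gaps: list[LoginEvent] = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev.success and ev.mfa == "none":
            gaps.append(ev)
    return gaps


def severity(ev: LoginEvent) -> str:
    """Rank a gap: password-only access from outside the network is the
    scenario the report describes, so external sources rate higher."""
    return "medium" if is_internal(ev.src) else "high"


def summarize(lines: Iterable[str]) -> dict:
    """Counts a SOC dashboard would show for one batch of log lines."""
    lines = list(lines)
    successes = [ev for ev in map(parse_line, lines) if ev and ev.success]
    gaps = find_mfa_gaps(lines)
    return {
        "total_success": len(successes),
        "mfa_gaps": len(gaps),
        "high": sum(1 for g in gaps if severity(g) == "high"),
    }


if __name__ == "__main__":
    for ev in find_mfa_gaps(SAMPLE_LOGS.splitlines()):
        print(f"[{severity(ev).upper()}] {ev.ts} {ev.user} from {ev.src}: "
              "successful login with no MFA factor")
    print(summarize(SAMPLE_LOGS.splitlines()))
```

On the constructed sample, the alice and dave logins pass because a factor (totp, push) was presented, carol’s failed attempt is ignored, and the bob and svc-backup logins are flagged as high-severity gaps because they succeeded with no second factor from addresses outside the assumed internal range. Service accounts such as svc-backup are worth calling out in a real deployment, since they are the accounts most often exempted from MFA policy.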