Mandiant unveils M-Trends 2023 report, delivering critical threat intelligence directly from the frontlines

Mandiant Inc., now part of Google Cloud, released the findings of its M-Trends 2023 report. Now in its 14th year, this annual report provides timely data and expert analysis on the ever-evolving threat landscape based on Mandiant frontline investigations and remediations of high-impact cyber attacks worldwide. The new report reveals the progress organisations globally have made in strengthening defences against increasingly sophisticated adversaries.

"M-Trends 2023 makes it clear that, while our industry is getting better at cyber security, we are combating ever evolving and increasingly sophisticated adversaries. Several trends we saw in 2021 continued in 2022, such as an increasing number of new malware families as well as rising cyber espionage from nation-state-backed actors. As a result, organisations must remain diligent and continue to enhance their cyber security posture with modern cyber defence capabilities. Ongoing validation of cyber resilience against these latest threats and testing of overall response capabilities are equally critical," said Jurgen Kutscher, VP, Mandiant Consulting at Google Cloud.

Global Median Dwell Time Declines to Just Over Two Weeks

According to the M-Trends 2023 report, the global median dwell time – which is calculated as the median number of days an attacker is present in a target’s environment before being detected – continues to drop year-over-year down to 16 days in 2022. This is the shortest median global dwell time from all M-Trends reporting periods, with a median dwell time of 21 days in 2021.

When comparing how threats were detected, Mandiant observed a general increase in the number of organisations that were alerted by an external entity of historic or ongoing compromise. Organisations headquartered in the Americas were notified by an external entity in 55 per cent of incidents, compared to 40 per cent of incidents last year. This is the highest percentage of external notifications the Americas has seen over the past six years. Similarly, organisations in Europe, the Middle East and Africa (EMEA) were alerted of an intrusion by an external entity in 74 per cent of investigations in 2022 compared to 62 per cent in 2021.

Mandiant experts noted a decrease in the percentage of their global investigations involving ransomware between 2021 and 2022. In 2022, 18 per cent of investigations involved ransomware compared to 23 per cent in 2021. This represents the smallest percentage of Mandiant investigations related to ransomware since prior to 2020.

“While we don’t have data that suggests there is a single cause for the slight drop in ransomware-related attacks that we observed, there have been multiple shifts in the operating environment that have likely contributed to these lower figures. These factors include, but are not limited to: ongoing government and law enforcement disruption efforts targeting ransomware services and individuals, which at minimum require actors to retool or develop new partnerships; the conflict in Ukraine; actors needing to adjust their initial access operations to a world where macros may often be disabled by default, as well as organisations potentially getting better at detecting and preventing or recovering from ransomware events at faster rates," added Sandra Joyce, VP, Mandiant Intelligence at Google Cloud.

Stuart McKenzie, head of Mandiant Consulting EMEA at Google Cloud, said: "Our latest M-Trends report shows dwell time has decreased for another consecutive year. We look at the median number of days an attacker sits in a target’s environment before being detected - in EMEA this is now less than three weeks, compared to 48 days in the previous year, so an improvement of 58 per cent year-on-year."

Additional takeaways from M-Trends 2023 Report include:

Infection vector: For the third year in a row, exploits remained the most leveraged initial infection vector used by adversaries at 32 per cent. While this was a decrease from the 37 per cent of intrusions identified in 2021, exploits remained a critical tool for adversaries to use against their targets. Phishing returned as the second most utilised vector, representing 22 per cent of intrusions as compared to 12 per cent in 2021.

Target industries impacted: Response efforts for government-related organizations captured 25 per cent of all investigations, compared to nine per cent in 2021. This primarily reflects Mandiant’s investigative support of cyber threat activity which targeted Ukraine. The next four most targeted industries from 2022 are consistent with what Mandiant experts observed in 2021, with business and professional services, financial, high tech, and healthcare industries being favoured by adversaries. These industries remain attractive targets for both financially and espionage motivated actors.

Credential theft: Mandiant investigations uncovered an increased prevalence in both the use of widespread information stealer malware and credential purchasing in 2022 when compared to previous years. In many cases, investigations identified that credentials were likely stolen outside of the organisation’s environment and then used against the organisation, potentially due to reused passwords or use of personal accounts on corporate devices.

Data theft: Mandiant experts identified that in 40 per cent of intrusions in 2022, adversaries prioritised data theft. Mandiant defenders have observed threat actors attempting to steal, or successfully completing data theft operations more often in 2022 compared to previous years.

• KT Network