The Battle Continues: Mandiant Report Shows Improved Detection But Persistent Adversarial Success

Mandiant’s M-Trends 2024 report shows that defenses are improving – and that may be true. But the reality remains that these same statistics demonstrate that if anything, the attackers still retain the upper hand.

Mandiant’s annual analysis of adversarial attack activity – the M-Trends report – highlights some defender improvements, but shows the outlook remains challenging.

The statistics reported in the latest annual Mandiant M-Trends report are based on the company’s investigations into targeted attacks between January 1, 2023, and December 31, 2023. They reflect Mandiant’s own telemetry and do not provide globally complete or accurate statistics. Nevertheless, as implied by the title of the report, it provides an impressive method of isolating and comparing general trends in targeted attack activity.

This latest M-Trends report from Google-owned Mandiant contains good news and bad news. Good news includes a further reduction in adversarial dwell time (the period from initial compromise to detection of the intrusion), suggesting that defenders are getting better at detecting malicious intruders.

For 2023, the global median dwell time dropped from 16 days in 2022 to 10 days in 2023. Mandiant announced, “the M-Trends 2024 report reveals a significant improvement in global cybersecurity posture.” But the associated bad news is that this dwell time is still too long – Mandiant’s own red teams typically achieve their objectives in five to seven days. By these figures, attackers are still likely to succeed before they are detected.

Many of the report’s figures, including the dwell time, are skewed by the effects of ransomware. Ransomware attacks are successful, still increasing, and generally rapid in progress. The effect is to reduce the median dwell time, but by successful rather than unsuccessful attacks.

In general, the number of all incidents decreases with the length of dwell time. Through 2023, 43.3% of investigated attacks had a dwell time of one week or less; 22.3% had a dwell time of six months or less, and 6.0% had a dwell time of five years or less.

These figures probably reflect the difference between populous common criminals seeking a quick payout (such as ransomware), and more elite nation-state attackers seeking persistence for espionage. “A nation-state will look to maintain a stealthy persistence over a number of months, or years, or decades, if possible,” confirmed Stuart McKenzie, MD, Mandiant Consulting EMEA.

The report uses a second statistic to gauge defenders’ success rates: internal detection versus external notification. If an intrusion is discovered through external sources, the adversary was likely successful. If it is discovered through internal detection, it implies that security controls are succeeding, and the victim has a chance to prevent the attackers from achieving their objectives.

Here, the data is primarily encouraging. External notification has dropped from 63% of incidents in 2022 to 54% in 2023 – suggesting that defenses are getting better at detecting adversarial intrusions. It may even be better than these median figures suggest, again influenced by ransomware. Seventy percent of all ransomware cases were discovered from external sources (implying a successful attack), meaning that only 30% were detected and possibly prevented by security controls.

If the ransomware figures (around 15% of all intrusions) are excluded from 2023, then the figures for internal detection versus external notification are 50% to 50%. Encouragingly, the external notifications on ransomware in 2023 also dropped by nine points from those of 2022.

The optimistic spin from Mandiant’s statistics is that defenses are improving – and that may be true. But the reality remains that these same statistics demonstrate that if anything, the attackers still retain the upper hand.

Exploits remain the primary infection vector – up from 32% in 2022 to 38% in 2023. The most frequently exploited vulnerabilities were CVE-2023-34362 (SQLi) in MOVEit Transfer, CVE-2022-21587 (unauthenticated upload) in Oracle E-Business Suite, and CVE-2023-2868 (command injection) in Barracuda ESG. Mandiant notes that vectors one and three relate to edge devices, and links this to a growing trend for attackers to increase stealth by reducing their visibility to defenders.

Phishing remains second, but down from 22% to 17%. Separately within the report, Mandiant discusses improving gen-AI technology. While it can and must be used in defense, it will undoubtedly increase the scale and quality of future phishing attacks.

The third infection vector is prior compromise, where an attacker gains but then sells access to another criminal, growing from 12% to 15%. Mandiant believes this increase may be related to the expanding ransomware ecosphere, with ransomware affiliates purchasing readymade access from access brokers.

Stolen credentials were the fourth most common infection vector, although down from 14% to 10%. Despite this decrease, Mandiant warns that the prevalence and success of infostealers is likely to maintain the threat. 

Brute force attacks were fifth, at 5%. Mandiant believes that the proper implementation of MFA has slowed the success rate of brute force, but also warns that attackers are now using adversary-in-the-middle (AitM) techniques to defeat MFA.

McKenzie highlights a general trend of improving cybersecurity, but notes that the report also shows the changing trends in attack techniques. “Phishing used to be the most common method to compromise organizations,” he said. “Now we see attackers exploiting vulnerabilities.” 

The use of zero-day exploits is also increasing. “Criminals are using zero-days,” he continued. “That level of sophistication had previously been the playground of nation-states. Now we’re beginning to see cyber criminals able to really push into a level of sophistication we previously thought belonged solely to the most sophisticated nation-states.”

He also highlighted the speed at which attackers adapt to new circumstances (the adoption of AitM to defeat MFA is one example). “We cannot rest on our laurels and contemplate how well we are doing. We must continuously look at ways to improve our current defenses. For example, attackers now know that EDR is very good – so, now they look to live in places where EDR isn’t necessarily prevalent. They look at edge devices, such as routers or switches, and they try to stay on those devices because they’ll be less likely to be detected. It’s important for organizations to understand their whole state and their level of protection, all the time. Because the attackers are incredibly sophisticated.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
