Mandiant’s annual analysis of adversarial attack activity – the M-Trends report –highlights some defender improvements, but shows the outlook remains challenging.
The statistics reported in the latest annual Mandiant M-Trends report are based on the company’s investigations into targeted attacks between January 1, 2023, and December 31, 2023. They reflect Mandiant’s own telemetry and do not provide globally complete or accurate statistics. Nevertheless, as implied by the title of the report, it provides an impressive method of isolating and comparing general trends in targeted attack activity.
This latest M-Trends report from Google-owned Mandiant contains good news and bad news. Good news includes a further reduction in adversarial dwell time (the period from initial compromise to detection to intrusion), suggesting that defenders are getting better at detecting malicious intruders.
For 2023, the global median dwell time dropped from 16 days in 2022 to 10 days in 2023. Mandiant announced, “the M-Trends 2024 report reveals a significant improvement in global cybersecurity posture.” But the associated bad news is that this dwell time is still too long – Mandiant’s own red teams typically achieve their objectives in five to seven days. By these figures, attackers are still likely to succeed before they are detected.
Many of the report’s figures, including the dwell time, are skewed by the effects of ransomware. Ransomware attacks are successful, still increasing, and generally rapid in progress. The effect is to reduce the median dwell time, but by successful rather than unsuccessful attacks.
In general, the number of all incidents decreases with the length of dwell time. Through 2023, 43.3% of investigated attacks had a dwell time of one week or less; 22.3% had a dwell time of six months or less, and 6.0% had a dwell time of five years or less.
These figures probably reflect the difference between populous common criminals seeking a quick payout (such as ransomware), and more elite nation-state attackers seeking persistence for espionage. “A nation-state will look to maintain a stealthy persistence over a number of months, or years, or decades, if possible,” confirmed Stuart McKenzie, MD, Mandiant Consulting EMEA.
The report uses a second statistic to gauge defenders’ success rates: internal detection versus external notification. If an intrusion is discovered through external sources, the adversary was likely successful. If it is discovered through internal detection, it implies that security controls are succeeding, and the victim has a chance to prevent the attackers from achieving their objectives.
Here, the data is primarily encouraging. External notification has dropped from 63% of incidents in 2022 to 54% in 2023 – suggesting that defenses are getting better at detecting adversarial intrusions. It may even be better than these median figures suggest, again influenced by ransomware. Seventy percent of all ransomware cases were discovered from external sources (implying a successful attack); meaning that only 30% were detected and possibly prevented by security controls.
If the ransomware figures (around 15% of all intrusions) are excluded from 2023, then the figures for internal detection versus external notification are 50% to 50%. Encouragingly, the external notifications on ransomware in 2023 also dropped by nine points from those of 2022.
The optimistic spin from Mandiant’s statistics is that defenses are improving – and that may be true. But the reality remains that these same statistics demonstrate that if anything, the attackers still retain the upper hand.
Exploits remain the primary infection vector – up from 32% in 2022 to 38% in 2023. The most frequently exploited vulnerabilities were CVE-2023-34362 (SQLi) in MOVEit Transfer, CVE-2022-21587 (unauthenticated upload) in Oracle E-Business Suite, and CVE-2023-2868 (command injection) in Barracuda ESG. Mandiant notes that vectors one and three relate to edge devices, and links this to a growing trend for attackers to increase stealth by reducing their visibility to defenders.
Phishing remains second, but down from 22% to 17%. Mandiant separately within the report talks about the improving gen-AI technology. While it can and must be used in defense, it will undoubtedly increase the scale and quality of future phishing attacks.
The third infection vector is prior compromise, where an attacker gains but then sells access to another criminal, growing from 12% to 15%. Mandiant believes this increase may be related to the expanding ransomware ecosphere, with ransomware affiliates purchasing readymade access from access brokers.
Stolen credentials were the fourth most common infection vector, although down from 14% to 10%. Despite this decrease, Mandiant warns that the prevalence and success of infostealers is likely to maintain the threat.
Brute force attacks were fifth, at 5%. Mandiant believes that the proper implementation of MFA has slowed the success rate of brute force, but also warns that attackers are now using adversary in the middle (AitM) techniques to defeat MFA.
McKenzie highlights a general trend of improving cybersecurity, but notes that the report also shows the changing trends in attack techniques. “Phishing used to be the most common method to compromise organizations,” he said. “Now we see attackers exploiting vulnerabilities.”
The use of zero-day exploits is also increasing. “Criminals are using zero-days,” he continued. “That level of sophistication had previously been the playground of nation-states. Now we’re beginning to see cyber criminals able to really push into a level of sophistication we previously thought belonged solely to the most sophisticated nation-states.”
He also highlighted the speed at which attackers adapt to new circumstances (the adoption of AitM to defeat MFA is one example). “We cannot rest on our laurels and contemplate how well we are doing. We must continuously look at ways to improve our current defenses. For example, attackers now know that EDR is very good – so, now they look to live in places where EDR isn’t necessarily prevalent. They look at edge devices, such as routers or switches, and they try to stay on those devices because they’ll be less likely to be detected. It’s important for organizations to understand their whole state and their level of protection, all the time. Because the attackers are incredibly sophisticated.”
Related: Threat Indicators Show 2024 Is Already Promising to be Worse Than 2023
Related: Mandiant Details How Its X Account Was Hacked
Related: Mandiant Intelligence Chief Raises Alarm Over China Hackers in US Critical Infrastructure
Related: Mandiant 2023 M-Trends Report Provides Factual Analysis of Emerging Threat Trends
