The median time an attacker remains undetected in a victim's environment continues to decline globally, but a significant number of new threat groups and malware families have emerged.
Mandiant, Inc. (NASDAQ: MNDT) today announced the findings of the Mandiant® M-Trends® 2022 report, the annual report that provides data and insights based on Mandiant's on-the-ground analysis and investigations around the world, as well as the information collected during the remediation phases of these incidents. The 2022 report – which uses data collected between October 1, 2020 and December 31, 2021 – reveals that while significant progress has been made in detecting and responding to threats, Mandiant continues to see adversaries innovate and adapt to accomplish their mission in target environments.
Median global dwell time drops to three weeks
According to the M-Trends 2022 report, the global median dwell time – the number of days an attacker is present in a target's environment before being detected – fell from 24 days in 2020 to 21 days in 2021. Digging deeper, the report notes that the APAC region saw the largest drop in median dwell time, from 76 days in 2020 to just 21 days in 2021. Median dwell time also decreased in the EMEA region, from 66 days the previous year to 48 days in 2021. In the Americas, the median dwell time remained stable at 17 days.
Comparing how threats were detected across regions, the report found that in EMEA and APAC the majority of intrusions in 2021 were identified by external third parties (62% and 76%, respectively), a reversal of what was seen in 2020. In the Americas, the detection source remained constant, with most intrusions detected internally by the organizations themselves (60%).
Improved threat visibility and response by organizations, as well as the pervasiveness of ransomware – which has a significantly lower median dwell time than non-ransomware intrusions – are, according to the report, the likely driving factors behind the reduction in median dwell time.
New threats emerge as China ramps up espionage activity
Mandiant continues to expand its extensive threat knowledge base through field investigations, analysis of public reports, information sharing, and other proprietary research methods. Through extensive intelligence gathering and analysis, Mandiant experts began tracking over 1,100 new threat groups during the M-Trends reporting period. Mandiant also began tracking 733 new malware families, 86% of which were not public.
The M-Trends 2022 report also notes a realignment and retooling of China's cyber espionage operations to align with the implementation of its 14th Five-Year Plan in 2021. The report warns that national priorities included in the plan "signal an upcoming increase in the number of Chinese actors carrying out intrusion attempts against intellectual property or other strategically important economic concerns, as well as against defense industry products and other dual-use technologies over the next few years."
Strengthening security posture
Mandiant is committed to helping all organizations stay safe from cyber threats and build confidence in their cyber defense readiness. To support this mission, Mandiant provides risk mitigation guidance throughout the report, including mitigating common misconfigurations when using on-premises Active Directory, certificate services, virtualization platforms, and cloud-based infrastructure. The report also reinforces considerations that support proactive security programs, reiterating the importance of longstanding security initiatives such as asset management, log retention policies, and vulnerability and patch management.
To further support community and industry efforts, Mandiant continually maps its findings to the MITRE ATT&CK framework, mapping over 300 additional Mandiant techniques to the framework in 2021. The report says organizations should prioritize the security measures they implement according to the likelihood that specific techniques will be used during an intrusion. According to the report, "by examining the prevalence of use of the techniques during recent intrusions, organizations are better equipped to make intelligent security decisions."
Other takeaways from the M-Trends 2022 report:
· Infection vector: For the second consecutive year, exploits remain the most frequently identified initial infection vector. Of the incidents Mandiant responded to during the reporting period, 37% began with the exploitation of a security vulnerability, as opposed to phishing, which accounted for just 11%. Supply chain compromises increased dramatically, from less than 1% in 2020 to 17% in 2021.
· Industries targeted: Business and professional services and financial services are the top two industries targeted by adversaries (14% each), followed by healthcare (11%), retail and hospitality (10%), and technology and government (both 9%).
· New multifaceted extortion and ransomware tactics: Mandiant has observed that multifaceted extortionists and ransomware authors are using new tactics, techniques and procedures (TTPs) to deploy ransomware quickly and effectively in business environments, noting that the widespread use of virtualization in enterprise environments has made it a prime target for ransomware authors.
"This year's M-Trends report reveals new insight into how threat actors are evolving and using new techniques to gain access to target environments. As exploits continue to gain traction and remain the most frequently identified infection vector, the report notes a significant increase in supply chain attacks. Conversely, phishing has seen a significant decline this year, reflecting organizations' increased awareness and ability to better detect and block such attempts. With the increasing use of exploits as an initial vector of compromise, organizations must continue to focus on executing security fundamentals, such as asset, risk, and patch management." – Jurgen Kutscher, Executive Vice President, Service Delivery, Mandiant
"Multifaceted extortion and ransomware continue to pose huge challenges for organizations of all sizes and across industries, with this year's report noting a specific increase in attacks targeting virtualization infrastructure. The key to resilience lies in preparation. Developing a solid preparedness plan and a well-documented and tested recovery process can help organizations weather an attack and get back to normal operation quickly." – Jurgen Kutscher, Executive Vice President, Service Delivery, Mandiant
"Chinese cyber espionage activity has increased significantly in recent years, with Asia and the United States remaining the most targeted regions. This year's report notes a particular interest in government organizations as well as the use of the same malware families by multiple cyber espionage actors, likely due to the sharing of resources and tools by disparate groups. Additionally, with the implementation of China's 14th Five-Year Plan in 2021, we expect to see cyber espionage activity continue to accelerate in support of China's national security and economic interests in the coming years." – Charles Carmakal, Senior Vice President and Chief Technology Officer, Mandiant
"Several trends from previous years continued in 2021. Mandiant encountered more threat groups than in any previous period, including newly discovered groups. At the same time, during this period, we started tracking more new malware families than ever before. Overall, this speaks to a threat landscape that continues to grow in volume and diversity. We also find that financial gain remains the primary motivation of observed attackers, as highlighted in this year's case studies on FIN12 and FIN13. If we move on to the defenders' perspective, we see several improvements despite an incredibly challenging threat landscape. For example, this M-Trends report shows the lowest median dwell time ever. Additionally, the APAC and EMEA regions recorded the greatest improvements in several threat detection categories compared to previous years." – Sandra Joyce, Executive Vice President, Mandiant Intelligence, Mandiant
M-Trends 2022 methodology:
The metrics presented in M-Trends 2022 are based on Mandiant's investigations of targeted attack activity conducted between October 1, 2020 and December 31, 2021. The information collected has been processed in a way that protects the identity of the targets and their data.
· M-Trends 2022 Report: https://www.mandiant.com/m-trends
· Blog: https://www.mandiant.com/resources/m-trends-2022
· M-Trends 2022 Virtual Summit: https://www.brighttalk.com/summit/5120-m-trends-virtual-summit/
· Defender’s Advantage Podcast: https://www.mandiant.com/resources/podcasts/defenders-advantage/m-trends-2022
About Mandiant, Inc.
Since 2004, Mandiant® has been a trusted partner for security-conscious organizations. Effective security relies on the right mix of expertise, intelligence and adaptive technology, and the Mandiant Advantage SaaS platform scales decades of frontline experience and industry-leading threat intelligence to deliver a range of dynamic cyber defense solutions. Mandiant's approach helps organizations develop more effective and efficient cybersecurity programs and gives them confidence in their ability to defend against and respond to cyber threats.
Join the discussion. Follow us on Twitter, LinkedIn, Facebook and YouTube.