Clear progress is being made in how companies act on cybersecurity threats, yet attacks are becoming increasingly sophisticated. This was one of the key takeaways from the newly released M-Trends 2023 report by Mandiant Inc., now part of Google Cloud.
According to the report, the global median dwell time, calculated as the median number of days an attacker is present in a target’s environment before being detected, continued to drop year over year, reaching 16 days in 2022. This is the shortest global median dwell time on record since the reports began, down from a median of 21 days in 2021.
“M-Trends 2023 makes it clear that, while our industry is getting better at cyber security, we are combating ever evolving and increasingly sophisticated adversaries. Several trends we saw in 2021 continued in 2022, such as an increasing number of new malware families as well as rising cyber espionage from nation-state-backed actors,” said Jurgen Kutscher, VP, Mandiant Consulting at Google Cloud on the findings.
“As a result, organizations must remain diligent and continue to enhance their cyber security posture with modern cyber defense capabilities. Ongoing validation of cyber resilience against these latest threats and testing of overall response capabilities are equally critical,” he added.
Detecting threats and external notifications
When comparing how threats were detected, Mandiant observed a general increase in the number of organisations that were alerted by an external entity to a historic or ongoing compromise. Organisations headquartered in the Americas were notified by an external entity in 55% of incidents, compared to 40% of incidents last year. This is the highest percentage of external notifications the Americas has seen over the past six years. Similarly, organisations in Europe, the Middle East and Africa (EMEA) were alerted to an intrusion by an external entity in 74% of investigations in 2022, compared to 62% in 2021.
Stuart McKenzie, Head of Mandiant Consulting EMEA at Google Cloud, said: “Our latest M-Trends report shows dwell time has decreased for another consecutive year. We look at the median number of days an attacker sits in a target’s environment before being detected. In EMEA this is now less than three weeks, compared to 48 days in the previous year, so an improvement of 58% year-on-year.”
He added: “While this shows clear progress in cyber security capabilities on the part of defenders, we’re also seeing threat actors being increasingly brazen. It’s important that defences aren’t static and organisations are running continuous testing programmes to maintain a strong security posture. As ever, practice makes perfect – one of the best ways to stay prepared is to keep defending against cyber-attacks simulated by a red team. By continuously testing defences against likely, real-world scenarios, an organisation can quickly uncover vulnerabilities and focus on the right things to work on.”
Ransomware investigations drop
Mandiant experts noted a decrease in the percentage of their global investigations involving ransomware between 2021 and 2022. In 2022, 18% of investigations involved ransomware, compared to 23% in 2021. This is the smallest share of Mandiant investigations related to ransomware since before 2020.
In addition, the firm identified extensive cyber espionage and information operations leading up to and since Russia’s invasion of Ukraine on February 24, 2022. In line with previous years, the most common malware family identified by Mandiant in investigations was BEACON, a multi-function backdoor. In 2022, BEACON was identified in 15% of all intrusions investigated by Mandiant and remains by far the most frequently seen malware family in investigations across regions. It has been used by a wide variety of threat groups tracked by Mandiant, including nation-state-backed threat groups attributed to China, Russia and Iran, as well as financially motivated threat groups and over 700 UNC groups. This ubiquity is likely due to the common availability of BEACON combined with the malware’s high customizability and ease of use, according to the report.
Charles Carmakal, CTO, Mandiant Consulting at Google Cloud added: “Mandiant has investigated several intrusions carried out by newer adversaries that are becoming increasingly savvy and effective. They leverage data from underground cybercrime markets, conduct convincing social engineering schemes over voice calls and text messages, and even attempt to bribe employees to obtain access to networks. These groups pose a significant risk to organizations, even those with robust security programs, as these techniques are challenging to defend against. As organizations continue to build their security teams, infrastructure, and capabilities, protecting against these threat actors should be part of their design goals.”