Threat detection has improved, but adversaries have adapted
While significant progress has been made in threat detection and response, Mandiant continues to see adversaries innovate and adapt to achieve their mission in targeted environments.
This is according to the findings of Mandiant M-Trends 2022, an annual report that provides data and insights based on Mandiant frontline investigations and remediations of high impact cyber attacks worldwide.
According to the M-Trends 2022 report, the global median dwell time, which is calculated as the median number of days an attacker is present in a target's environment before being detected, decreased from 24 days in 2020 to 21 days in 2021.
Digging deeper, the report notes that the APAC region saw the biggest decline in median dwell time, dropping to just 21 days in 2021 compared to 76 days in 2020.
When comparing how threats were detected across different regions, the report found that in EMEA and APAC, the majority of intrusions in 2021 were identified by external third parties (62% and 76%, respectively), a reversal of what was observed in 2020.
Organisations improved threat visibility and response as well as the pervasiveness of ransomware, which has a significantly lower median dwell time than non-ransomware intrusions, are likely driving factors behind reduced median dwell time, per the report.
As a result of information gathering and analysis, Mandiant experts began tracking 1,100+ new threat groups during this M-Trends reporting period.
Mandiant also began tracking 733 new malware families, of which 86% were not publicly available, continuing the trend of availability of new malware families being restricted or likely privately developed, according to the report.
To support companies in their cyber defence readiness, Mandiant provides risk reduction tips throughout the M-Trends report, including mitigating common misconfigurations when using on-premises Active Directory, certificate services, virtualisation platforms and cloud-based infrastructure.
The report also reinforces considerations to support proactive security programs, reiterating the importance of long-standing security initiatives such as asset management, log retention policies, and vulnerability and patching management.
To further support community and industry efforts, Mandiant continuously maps its findings to the MITRE ATT&CK framework, mapping an additional 300+ Mandiant techniques to the framework in 2021.
The M-Trends report notes that organisations should prioritise which security measures to implement based on the likelihood of specific techniques being used during an intrusion. A
ccording to the report, by examining the prevalence of technique usage during recent intrusions, organisations are better equipped to make intelligent security decisions.
Additional takeaways from M-Trends 2022 Report include:
Infection Vector: For the second year in a row, exploits remained the most frequently identified initial infection vector. In fact, of the incidents that Mandiant responded to during the reporting period, 37% started with the exploitation of a security vulnerability, as opposed to phishing, which accounted for only 11%. Supply chain compromises increased dramatically, from less than 1% in 2020 to 17% in 2021.
Target industries impacted: Business and professional services and financial were the top two industries targeted by adversaries (14%, respectively), followed by healthcare (11%), retail and hospitality (10%) and tech and government (both at 9%).
New multifaceted extortion and ransomware TTPs: Mandiant observed multifaceted extortion and ransomware attackers using new tactics, techniques and procedures (TTPs) to deploy ransomware rapidly and efficiently throughout business environments, noting that the pervasive usage of virtualisation infrastructure in corporate environments has made it a prime target for ransomware attackers.
Mandiant executive vice president service delivery Jurgen Kutscher says, “This year's M-Trends report reveals fresh insight into how threat actors are evolving and using new techniques to gain access into target environments. While exploits continue to gain traction and remain the most frequently identified infection vector, the report notes a significant increase in supply chain attacks.
"Conversely, there was a noticeable drop in phishing this year, reflecting organisations improved awareness and ability to better detect and block these attempts. In light of the continued increased use of exploits as an initial compromise vector, organisations need to maintain focus on executing on security fundamentals such as asset, risk and patch management.”
Mandiant executive vice president Mandiant Intelligence Sandra Joyce says, "Several trends from previous years continued into 2021. Mandiant encountered more threat groups than any previous period, to include newly discovered groups. In a parallel trend, in this period we began tracking more new malware families than ever before.
"Overall, this speaks to a threat landscape that continues to trend upward in volume and threat diversity. We also continue to witness financial gain be a primary motivation for observed attackers, as case studies this year on FIN12 and FIN13 highlight.
"If we pivot to the defender perspective, we see several improvements despite an incredibly challenging threat landscape. As one example, this M-Trends report has the lowest global media dwell time on record. Additionally, APAC and EMEA showed the largest improvements in several threat detection categories compared to previous years."