5 Key Takeaways From Mandiant’s 2023 Threat Report

The Google Cloud-owned incident response provider released its new M-Trends report detailing how major cyber threats, such as ransomware and data theft, evolved last year.

Cyber Defense Ups Its Game

While concerns about the threats posed by hackers remain as high as ever, cyber defense has been achieving some major wins lately, too. In the recent 3CX supply chain compromise, for instance, the attack was caught in weeks rather than months, as had been the case with the SolarWinds supply chain breach.

Cyber defense teams and technologies deserve much credit for the big strides being made against threat actors, according to Mandiant’s M-Trends threat report for 2023 that was released Tuesday. “The defenders are definitely getting a lot better at defending their perimeter,” said Jurgen Kutscher, executive vice president of services at Mandiant, in an interview with CRN. While there’s a “huge spectrum of maturity” on cyber defense between some organizations and geographies, the general trend is heading in the right direction, Kutscher said.


The analysis is the 14th annual M-Trends report from Mandiant, a well-known provider of incident response and threat intelligence services, which is now owned by Google Cloud. The report is based upon data produced by Mandiant investigations throughout 2022.

The report details how major cyber threats, such as ransomware and data theft, evolved last year, and reveals significant improvements in detection and response efforts. The findings also point to shifts in the initial intrusion methods favored by attackers — while highlighting the fact that even as cyber defense makes gains, threat actors continue to switch up their tactics.

What follows are five key takeaways from Mandiant’s 2023 M-Trends threat report.

Dwell Time Reduced

One key area where the improvements in cyber defense are evident is on “dwell time,” or the amount of time before the compromise of a system is detected. In 2022, the global median dwell time dropped to 16 days, compared to 21 days in the prior M-Trends report. It’s also down from 101 days in 2017, and 243 days a decade earlier.

While the results do vary — some regions of the world still struggle with much higher dwell times — that “should not undermine the importance and the recognition of the huge progress that has been made of reducing the dwell time,” Mandiant’s Kutscher told CRN. It’s a “very positive” sign that “organizations globally are getting better at detecting and responding to these types of incidents,” he said.

Improved efficacy from threat detection tools, such as endpoint detection and response (EDR), is one factor behind the reduction in dwell time, but the security teams themselves are also making significant progress, according to Kutscher. For example, Mandiant has noted a trend toward clients now being “more receptive” when notified about an incident that’s been detected, and ultimately following up with some form of action, he said. “Fewer notifications fall on deaf ears.”

There are other factors driving down dwell times, as well: “It’s really a combination of people, technology, processes — but also having better intelligence,” Kutscher said.

Ransomware Declines

Joining other security researchers who noted a decrease in ransomware attacks in 2022, Mandiant investigators found that fewer incidents involved ransomware last year compared to 2021. According to the new M-Trends report, 18 percent of intrusions that Mandiant investigated involved ransomware in 2022, down from 23 percent the previous year. Even with the drop, however, that’s “still a very high percentage,” Kutscher told CRN. Clearly, ransomware remains a “critical” threat, he said.

In addition to the improvement in prevention by cyber defense teams, Kutscher pointed to law enforcement intervention and Russia’s invasion of Ukraine as factors that brought disruption to cybercriminal groups last year.

In 2022, the global median dwell time for ransomware attacks increased to nine days, from five days in 2021. While attackers taking longer before deploying ransomware would seem to be a helpful development, that’s still a “short period of time to contain” a ransomware attack, Kutscher said. “If you’re a defender, nothing has really changed for you.”
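The two dwell-time figures above (a global median of 16 days, a ransomware median of nine days) are the same metric computed over different subsets of incidents. The script below is an added example, not Mandiant's code or data: it takes a constructed set of incident records, computes dwell time as the number of days from the earliest evidence of attacker activity to the date of detection (an assumption about the definition; the report's exact methodology is not on this page), and reports the median globally, for ransomware incidents only, and per region. Incidents where the investigation never established a first-evidence date are excluded from the median rather than counted as zero, which would otherwise pull the figure down.

```python
from datetime import date
from statistics import median

# Constructed sample incidents (not Mandiant data). `first_evidence` is the
# earliest date of attacker activity found during the investigation, or None
# when it could not be established; `detected` is the day the intrusion was found.
INCIDENTS = [
    {"id": "inc-01", "region": "Americas", "ransomware": False,
     "first_evidence": date(2022, 3, 1), "detected": date(2022, 3, 15)},
    {"id": "inc-02", "region": "Americas", "ransomware": True,
     "first_evidence": date(2022, 5, 10), "detected": date(2022, 5, 17)},
    {"id": "inc-03", "region": "EMEA", "ransomware": False,
     "first_evidence": date(2022, 1, 5), "detected": date(2022, 2, 4)},
    {"id": "inc-04", "region": "EMEA", "ransomware": True,
     "first_evidence": date(2022, 7, 1), "detected": date(2022, 7, 12)},
    {"id": "inc-05", "region": "APAC", "ransomware": False,
     "first_evidence": date(2022, 4, 1), "detected": date(2022, 6, 10)},
    {"id": "inc-06", "region": "APAC", "ransomware": False,
     "first_evidence": None, "detected": date(2022, 8, 1)},  # start never established
    {"id": "inc-07", "region": "Americas", "ransomware": False,
     "first_evidence": date(2022, 9, 20), "detected": date(2022, 10, 6)},
    {"id": "inc-08", "region": "EMEA", "ransomware": True,
     "first_evidence": date(2022, 11, 2), "detected": date(2022, 11, 11)},
]


def dwell_time_days(incident):
    """Days from first evidence of compromise to detection, or None if unknown.

    Assumed definition: dwell time runs from the earliest attacker activity the
    investigation could place to the day the intrusion was detected."""
    if incident["first_evidence"] is None:
        return None
    days = (incident["detected"] - incident["first_evidence"]).days
    if days < 0:
        raise ValueError(f"{incident['id']}: detection precedes first evidence")
    return days


def median_dwell_days(incidents, predicate=lambda inc: True):
    """Median dwell time over the incidents matching `predicate`.

    Records with an unknown start date are left out of the sample; counting
    them as zero would bias the median toward a rosier picture."""
    values = []
    for inc in incidents:
        if not predicate(inc):
            continue
        days = dwell_time_days(inc)
        if days is not None:
            values.append(days)
    return median(values) if values else None


def median_dwell_by_region(incidents):
    """Median dwell time per region, since results vary by geography."""
    regions = sorted({inc["region"] for inc in incidents})
    return {
        region: median_dwell_days(incidents, lambda inc, r=region: inc["region"] == r)
        for region in regions
    }


def unknown_dwell_count(incidents):
    """How many records were excluded because their start date is unknown."""
    return sum(1 for inc in incidents if dwell_time_days(inc) is None)


def ransomware_share(incidents):
    """Fraction of all investigated intrusions that involved ransomware."""
    return sum(1 for inc in incidents if inc["ransomware"]) / len(incidents)


if __name__ == "__main__":
    print("global median dwell (days):", median_dwell_days(INCIDENTS))
    print("ransomware median dwell (days):",
          median_dwell_days(INCIDENTS, lambda inc: inc["ransomware"]))
    print("non-ransomware median dwell (days):",
          median_dwell_days(INCIDENTS, lambda inc: not inc["ransomware"]))
    print("by region:", median_dwell_by_region(INCIDENTS))
    print("records with unknown start:", unknown_dwell_count(INCIDENTS))
    print("ransomware share of intrusions:", ransomware_share(INCIDENTS))
```

On the constructed data the ransomware subset has a noticeably shorter median than the non-ransomware subset, which is the pattern the report describes: by the time ransomware is deployed the window for containment has usually been short, so the filtered median is the number an incident responder should plan around.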

Data Theft Is Up

Another possible factor in the ransomware decline in 2022 is that more threat actors shifted their tactics to focus purely on data extortion, without deploying ransomware at all, according to previously released research from CrowdStrike and SonicWall. While not directly addressing this possibility in its report, Mandiant did release findings that show an increased emphasis on data theft among attackers last year. In 40 percent of intrusions during the year, threat actors prioritized data theft, up from 29 percent in 2021, according to the Mandiant report. And in 19 percent of those intrusions — equating to 8 percent of all intrusions — attackers used the stolen data as part of their negotiations seeking a payment, Mandiant found.

In addition to data extortion, other motives for data theft include the pursuit of IP, which has especially been the case with threat actors working for China’s government, Kutscher said. “We saw China coming back very significantly with more IP theft” last year, he said.

Exploit, Phishing Activity Shifts

Mandiant also observed a shift in tactics when it came to the initial intrusion methods favored by attackers in 2022. Exploiting a vulnerability remained the most common method of initial infection, but its popularity waned a bit, falling to 32 percent of intrusions last year from 37 percent in 2021. Meanwhile, threat actors gravitated toward other intrusion methods — including phishing, which was the method used in 22 percent of initial intrusions in 2022, versus 12 percent the year before. Stolen credentials — obtained through methods such as information-stealer malware or purchased on the dark web — also saw a notable increase in use for initial intrusions in 2022, rising to 14 percent of intrusions from 9 percent the previous year.

Given that threat actors are known to “take the path of least resistance” in their attack techniques, it’s possible that more attackers have found that phishing and use of stolen credentials is easier in some cases than exploiting vulnerabilities, Kutscher told CRN. Attackers are likely to explore whether it’s “potentially easier to just buy stolen credentials on the internet — and immediately get that access — versus having to go through the steps of the exploit vector.”

Attackers Switch Things Up

Along with shifting to initial intrusion methods that might be easier to execute, attackers have also been changing up their tactics in other ways in response to improvements in cyber defense. In the perpetual “cat and mouse” game between defenders and attackers, threat actors are “not sitting idle,” Mandiant’s Kutscher told CRN. For instance, Mandiant reports that it tracked 588 new malware families in 2022, or 49 per month, compared to 45 new malware families per month in 2021.

Meanwhile, attackers also increasingly targeted infrastructure components, “where you typically don’t have your EDR solution running on them,” Kutscher said. “We saw attackers going after security appliances and also network perimeter devices, where they can install long-term access, because it is much harder for victim organizations to detect that.”

In another example, threat actors demonstrated increased sophistication in social engineering attacks, even going so far as to apply to jobs at targeted organizations in order to get hired by them and become embedded in the companies, he said. “They’re clearly pushing the envelope further.”