Mandiant Unveils M-Trends 2023 Report, Delivering Critical Threat Intelligence Directly from the Frontlines

Dubai, United Arab Emirates, May 2^nd, 2023 – Mandiant Inc., now part of Google Cloud, today released the findings of its M-Trends 2023 report. Now in its 14th year, this annual report provides timely data and expert analysis on the ever-evolving threat landscape based on Mandiant frontline investigations and remediations of high-impact cyber attacks worldwide. The new report reveals the progress organizations globally have made in strengthening defenses against increasingly sophisticated adversaries.

Global Median Dwell Time Declines to Just Over Two Weeks

According to the M-Trends 2023 report, the global median dwell time – which is calculated as the median number of days an attacker is present in a target’s environment before being detected – continues to drop year-over-year down to 16 days in 2022. This is the shortest median global dwell time from all M-Trends reporting periods, with a median dwell time of 21 days in 2021.

Mandiant experts noted a decrease in the percentage of their global investigations involving ransomware between 2021 and 2022. In 2022, 18% of investigations involved ransomware compared to 23% in 2021. This represents the smallest percentage of Mandiant investigations related to ransomware since prior to 2020.

Actioning Intelligence

The goal of M-Trends is to arm security professionals with insights on the latest attacker activity as seen directly on the frontlines, backed by actionable intelligence to improve organizations’ security postures within an evolving threat landscape. To meet this objective, Mandiant provides insight into some of the most prolific threat actors and their expanding tactics, techniques and procedures.

To further support this objective, Mandiant mapped an additional 150 Mandiant techniques to the updated MITRE ATT&CK® framework, bringing the total to 2,300+ Mandiant techniques and subsequent findings associated with the ATT&CK framework. Organizations should prioritize which security measures to implement based on the likelihood of a specific technique being used during an intrusion.

Additional takeaways from M-Trends 2023 Report include:

• Infection vector: For the third year in a row, exploits remained the most leveraged initial infection vector used by adversaries at 32%. While this was a decrease from the 37% of intrusions identified in 2021, exploits remained a critical tool for adversaries to use against their targets. Phishing returned as the second most utilized vector, representing 22% of intrusions as compared to 12% in 2021.
• Credential theft: Mandiant investigations uncovered an increased prevalence in both the use of widespread information stealer malware and credential purchasing in 2022 when compared to previous years. In many cases, investigations identified that credentials were likely stolen outside of the organization’s environment and then used against the organization, potentially due to reused passwords or use of personal accounts on corporate devices.

Data theft: Mandiant experts identified that in 40% of intrusions in 2022, adversaries prioritized data theft. Mandiant defenders have observed threat actors attempting to steal, or successfully completing data theft operations more often in 2022 compared to previous years.