Businesses detect cyberattacks faster despite increasingly sophisticated adversaries

Detection times and ransomware attacks are down but adversaries remain sophisticated, adaptable, persistent, and creative.

Global organizations are improving their attack detection capabilities despite facing increasingly sophisticated, persistent, and creative adversaries. The Mandiant M-Trends 2023 report, now in its fourteenth year, revealed that the global median dwell time – calculated as the median number of days an attacker is present in a target’s environment before detection – dropped to 16 days in 2022. This is the shortest median global dwell time from all M-Trends reporting periods.

The reduction in median dwell time reflects the key role partnerships and the exchange of information play in building a more resilient cybersecurity ecosystem, according to Mandiant. That said, several findings from this year’s report demonstrate that adversaries are progressively more sophisticated, persistent, and confident, as evidenced by hundreds of new malware families, extensive cyber espionage campaigns by nation-state-backed actors, and novel aggressive, personal tactics that ignore the traditional cyber rules of engagement.

The metrics reported in M-Trends 2023 are based on Mandiant investigations of targeted attack activity conducted between January 1, 2022, and December 31, 2022.

Attack dwell times drop, ransomware attacks decrease

M-Trends 2023 cited a notable improvement in global median dwell time where an external entity was the notification source in 2022, down 32% compared to 2021. This indicates that organizations may be getting better at responding to external notifications. External notifications allowed for organizations to initiate response to intrusions within a median of 19 days of the initial compromise, the report said. However, defenders continue to detect events faster than external entities notify, the report found.

The global median dwell time for internally detected incidents in 2022 was 13 days, five fever than the previous year. Global dwell time distribution continues to improve too – 42% of intrusions were detected within a week or less in 2022, compared to 37% in 2021.

The median dwell time for intrusions investigated in the Americas decreased by a week in 2022 to 10 days, compared to 17 days in 2021, while it increased from 21 days in 2021 to 33 days in 2022 in APAC. Organizations in EMEA countries detected incidents 70% faster in 2022 compared to 2021, down from 48 days to 20 days.

A particularly interesting finding from the latest M-Trends report is a decrease in the percentage of global intrusions involving ransomware between 2021 and 2022. This dropped from 23% to 18%. While there’s no evidence of a single cause for the decrease in ransomware-related attacks observed, ongoing government and law enforcement disruption efforts targeting ransomware services and individuals, actors adjusting their initial access operations to a world where macros are often disabled by default, and organizations detecting, preventing, or recovering from ransomware quicker are likely contributors, commented Sandra Joyce, VP, Mandiant Intelligence at Google Cloud.

Cyber espionage, new malware families rife in 2022

Despite overall dwell time reduction and decreased ransomware attacks, Mandiant’s findings show that organizations continue to face sophisticated, evolving, determined, and increasingly brazen malicious actors.

Mandiant identified extensive cyber espionage and information operations leading up to and since Russia’s invasion of Ukraine in February last year, observing more destructive cyberattacks in Ukraine in the first four months of 2022 than in the previous eight years.

Most notably, Mandiant saw activity by Russian actors UNC2589 and APT28, but also observed Chinese, Belarusian, and Iranian threat groups targeting Ukraine. The intrusions by Chinese and Iranian groups were aimed at gathering intelligence for their governments, while the Belarusian group both collected intelligence and used the intrusions to enable information operations.

Mandiant began tracking 588 new malware families in 2022, equating to roughly 49 new families per month. This exceeds the 45 new families detected per month in 2021 and is reflective of threat actors expanding their toolsets. Of the newly tracked malware families, the top five categories consisted of backdoors (34%), downloaders (14%), droppers (11%), ransomware (7%), and launchers (5%). The most common malware family identified by Mandiant was BEACON, a multi-function backdoor used by a variety of threat actors including nation-state-backed threat groups attributed to China, Russia, and Iran, as well as financial threat groups.

North Korean actors adopt cryptocurrency focus

There were notable shifts by North Korean threat actors identified in 2022, with DPRK operators showing greater interest in stealing (and using) cryptocurrency, expanding activity into new parts of the digital asset ecosystem to mitigate the economic impact of sanctions. This activity was coupled with campaigns and operations of a traditional espionage nature, Mandiant said.

Actors such as APT38, TEMP.Hermit, and UNC1130 demonstrated a continued willingness to explore new ways to exploit the growing cryptocurrency ecosystem, with successful campaigns providing funding for cyber activity and supporting the regime. North Korean activity moved away from the targeting of fewer, larger organizations to focus on larger numbers of smaller entities for modest financial gains, while some DPRK-linked efforts even involved gaining employment at cryptocurrency-focused organizations.

Mandiant investigated a series of high-impact intrusions that demonstrated notable deviations from common threat actor behaviors. Although relatively less technical and sophisticated than government-sponsored and criminal threat-driven campaigns, these incidents underscored the threat posed to organizations by persistent adversaries willing to eschew the unspoken rules of engagement, the firm said. Mandiant observed threat actors leverage data available in underground cybercrime markets, clever social engineering schemes, and bribes to carry out intrusions and account takeovers. Some actors even demonstrated a willingness to get personal with their targets, bullying and threatening many of them. UNC3661 and UNC3944 went to extreme lengths to harass and, in some cases, intimidate members of the organizations they compromised, Mandiant said,.

Exploits most leveraged infection vector, government most targeted sector

For the third year in a row, exploits remain the most leveraged initial infection vector, used by adversaries at 32%. Phishing was the second most used vector, representing 22% of intrusions, while adversaries leveraged stolen credentials more often in 2022 than 2021 (14% compared to 9%). Data theft was prioritized in 40% of instructions in 2022, up from 29% in 2021, while financial gain dropped from 30% to 26%.

Government was the most targeted sector in 2022, accounting for 25% of Mandiant investigations compared to just 9% in the previous year. Mandiant linked this increase to its investigative support of cyberthreat activity that targeted Ukraine. The next four most targeted industries from 2022 are consistent with what Mandiant observed in 2021, with business and professional services (14%), financial (125), high tech (9%), and healthcare industries (9%) favored by adversaries.