Mandiant, the leader in dynamic cyber defense and incident response, releases the 2022 M-Trends findings on the cyber threat landscape. This is an annual report that provides up-to-date data and insights from the cyber frontline.
The 2022 report covers the study period from October 1, 2020 to December 31, 2021. It shows that significant advances have been made in threat detection and response. But attackers are innovating and adapting to achieve their goals.
Dwell time of the attackers drops to three weeks
According to the M-Trends 2022 report, the global median dwell time fell from 24 days in 2020 to 21 days the following year. Dwell time is the number of days an attacker is present in a victim's environment before being detected. APAC saw the largest decrease, with dwell time falling from 76 days in 2020 to just 21 days in 2021. Dwell time also fell in EMEA, to 48 days in 2021, compared to 66 days in the previous year. In North, Central and South America, dwell time remained constant at 17 days.
Comparing how intrusions were detected across regions, the report found that in EMEA and APAC the majority of intrusions (62 percent and 76 percent, respectively) were identified by external third parties, a reversal of the 2020 trend. In the Americas, the detection source remained constant, with organizations self-detecting the majority of intrusions (60 percent).
According to the report, the key factors behind the shorter average dwell time are likely improved threat visibility and response by organizations, and the prevalence of ransomware. Ransomware has a significantly lower average dwell time than other types of attacks.
Increased espionage activity by China
Mandiant extends its knowledge of threats through frontline investigations. Its specialists also have access to criminal underground forums, use telemetry data and rely on their own research methods and data sets, which are analyzed by more than 300 threat intelligence experts in 26 countries. As a result of this intelligence gathering and analysis, Mandiant's experts observed more than 1,100 new threat groups during this year's M-Trends investigation period. Mandiant also tracked 733 new malware families, 86 percent of which were not publicly available. According to the report, this continues the trend of new malware families being developed very discreetly and deliberately distributed only to a limited extent or used in a targeted manner.
A realignment and restructuring of China's cyberespionage operations is also noted in M-Trends 2022. These go hand in hand with the implementation of China's 14th five-year plan in 2021. The report warns that the national-level priorities contained in the plan "point to an imminent increase in Chinese activities aimed at intellectual property or other strategically important economic factors, as well as defense industrial products and other 'dual-use' technologies that offer commercial as well as military uses, in the coming years."
Strengthening of the security structure
Mandiant stays true to its promise of helping organizations protect themselves from cyber threats and instill confidence in their cyber preparedness. To support this mission, Mandiant shares risk mitigation tips in the M-Trends report, including mitigating common misconfigurations when using on-premises Active Directory, certificate services, virtualization platforms, and cloud-based infrastructure. The report also highlights considerations to support proactive security programs and reaffirms the importance of long-term security initiatives such as asset management, log retention policies, and vulnerability and patch management.
To further support community and industry efforts, Mandiant continuously maps its findings to the MITRE ATT&CK framework. In 2021, more than 300 additional techniques observed in client investigations were mapped to the framework. The M-Trends report indicates that organizations should prioritize which security measures they implement based on the probability that particular techniques will be used during an attack. According to the report, organizations are better able to make informed security decisions by examining the relevance and frequency of use of specific techniques in recent attacks.
More insights from the M-Trends 2022 report
- Infection vector: For the second year in a row, security vulnerabilities were the most frequently identified infection vector. In fact, 37 percent of the incidents Mandiant responded to during the reporting period began with the exploitation of a security vulnerability. In contrast, phishing accounted for just 11 percent. Supply chain compromise increased dramatically, from less than 1 percent in 2020 to 17 percent in 2021.
- Affected industries: Commercial and professional services and finance were the top targets for attackers (14 percent each), followed by healthcare (11 percent), retail and hospitality (10 percent), and technology and government (9 percent each).
- New complex extortion and ransomware TTPs: Mandiant has observed that multifaceted extortion and ransomware attackers are employing new tactics, techniques and procedures (TTPs) to quickly and efficiently deploy ransomware into corporate environments. The widespread use of virtualization infrastructure in enterprise environments has made it a prime target for ransomware attackers.
M-Trends 2022 Report Methodology: The data reported in M-Trends 2022 is based on Mandiant investigations of targeted attack activity conducted between October 1, 2020 and December 31, 2021. The information obtained has been sanitized to protect the identities of the targets and their data.
More at Mandiant.com
About Mandiant
Mandiant is a recognized leader in dynamic cyber defense, threat intelligence and incident response. With decades of experience on the cyber frontline, Mandiant helps organizations confidently and proactively defend against cyber threats and respond to attacks. Mandiant is now part of Google Cloud.