
Mandiant Shares Threat Intelligence from 2022 Cyber Incident Investigations

The Google-owned cybersecurity firm Mandiant has released its M-Trends 2023 report. The report provides insights into the rapidly evolving cyber threat landscape and can help network defenders better protect their systems and data from malicious actors. The data for the report came from Mandiant’s investigations and remediation of cyberattacks worldwide, including some of the most high-impact attacks in the past 12 months. The data suggests that organizations have managed to strengthen their defenses; however, cybercriminals have been conducting increasingly sophisticated attacks and in many cases have managed to stay one step ahead.

One of the key findings from this year’s report is that malicious actors are spending far less time in victims’ environments. 2022 saw another year-over-year drop in dwell time, from 21 days in 2021 to just 16 days, which is the shortest average dwell time in any of the 14 years that Mandiant has been producing its M-Trends reports. Victims have even less time to detect a compromise, and they are already struggling to identify these intrusions. In the Americas, 55% of incidents Mandiant investigated saw the victim notified about a compromise by an external third party, up from 40% in 2021. Mandiant notes that this is the highest percentage of external notifications in the past 6 years.

The investigations revealed increasing numbers of malware families in 2022, continuing a trend observed in 2021. Mandiant started tracking 588 new malware families in 2022. Backdoors were the most common malware type (34%), followed by downloaders (14%), droppers (11%), ransomware (7%), and launchers (5%), and the BEACON backdoor was the most commonly detected malware family.

While malware families increased, ransomware attacks declined. In 2021, 23% of Mandiant’s investigations involved ransomware. In 2022, the percentage fell to 18%. While Mandiant cannot be certain about the reason for the fall in attacks, the researchers suggest it is likely a combination of factors, including changes in the operating environment and the breakup of large ransomware groups, the war in Ukraine, more effective disruption efforts by law enforcement, and organizations getting better at detecting ransomware.

The most common initial infection vector in the incidents Mandiant responded to was exploits of vulnerabilities in software and operating systems, which accounted for 32% of incidents, down from 37% in 2021. Phishing was the second most common initial access vector, accounting for 22% of intrusions, up from 12% in 2021.

Mandiant identified an increase in the use of information stealers and credential purchasing, and there was an increase in cyberattacks involving data theft, which occurred in 40% of incidents. Mandiant also observed an increase in destructive cyberattacks in Ukraine and a notable increase in attacks by hackers in the Democratic People’s Republic of Korea targeting cryptocurrency, which have proven to be incredibly lucrative.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
