Global Median Dwell Time (the number of days between the first evidence of an intrusion and the date it is identified) has been falling for a decade, and for the first time it has dropped below one month. Organizations are once again detecting most of their own incidents: internal detection accounted for 59% of intrusions in 2020, a 12-point increase. The top five most targeted industries, in order, are Business and Professional Services, Retail and Hospitality, Financial, Health care, and High Technology. These findings are revealed in the FireEye® Mandiant® M-Trends® 2021 report. Now in its 12th year, M-Trends brings together Mandiant's cybersecurity expertise and threat intelligence with statistics and insights gleaned from recent frontline Mandiant investigations around the globe.
FireEye is an intelligence-led security company. Mandiant, a part of FireEye, brings together the world’s leading threat intelligence and frontline expertise with continuous security validation to arm organizations with the tools needed to increase security effectiveness and reduce organizational risk.
This year’s report outlines critical details on trending attacker techniques and malware, the proliferation of multifaceted extortion and ransomware, preparing for expected UNC2452 / SUNBURST copycat threat actors, growing insider threats, plus pandemic and industry targeting trends.
“UNC2452, the threat actor responsible for the SolarWinds supply chain attack, reminds us that a highly-disciplined and patient actor cannot be underestimated. This actor’s attention paid to operational security, counter forensics, and even counterintelligence set it apart from its peers. Defense against this actor will not be easy, but it is not impossible. We have learned a great deal about UNC2452 in recent months, and we believe that intelligence will be our advantage in future encounters,” said Sandra Joyce, Executive Vice President, Global Threat Intelligence, Mandiant.
“This year’s M-Trends report identified the three most frequently used initial vectors of compromise as exploits (29%), phishing emails (23%), and stolen credentials or brute-force (19%). While phishing remains a preferred vector by cyber threat actors, we saw more actors leveraging exploits to compromise victims. The increase in exploit usage should remind organizations to have a more robust plan for patching product vulnerabilities. One of the challenges here is identifying what sources and information are available to make better risk-based decisions when prioritizing what systems and applications to patch now and what to patch at a later stage based on current knowledge about exploitation and targeting by threat actors,” said Jurgen Kutscher, Executive Vice President, Service Delivery, Mandiant.
Global Median Dwell Time drops below one month for the first time
Over the past decade, Mandiant has observed a steady reduction in global median dwell time. The measure fell from over one year in 2011 to just 24 days in 2020, less than half of the 56-day median reported last year. Mandiant attributes this reduction to continued improvement of organizational detection and response capabilities, along with the surge in multifaceted extortion and ransomware intrusions, which by design make themselves known quickly.
Median dwell time trends varied by region. The Americas median continued to fall, and the Americas median for internally discovered incidents improved the most, dropping from 32 days to only nine, the first time a region has dipped into single digits. Conversely, APAC and EMEA saw an overall increase in median dwell time, which Mandiant experts attribute to a larger number of intrusions with dwell times exceeding three years than were seen in the Americas.
“Organizations in APAC took a median of 76 days in 2020 to learn of intrusions into their networks. Ransomware and extortion crews need much less time than that to find critical data, encrypt it, and then extort the victim with threats to make that critical data public. With modern multifaceted extortion, breach disclosure is now in the control of the attacker, not the victim,” said Steve Ledzian, Vice President and Chief Technology Officer, APAC, Mandiant. “In striving to be cyber resilient, organizations must continue to endeavor to have a capability to detect and respond to inevitable prevention failures.”
Ledzian said the challenge is that the detection and response technologies required to notice these intrusions need to be piloted by cybersecurity analysts who can interpret and investigate the data they return. The shortage of cyber talent in the market compounds this problem, making it a top challenge for organizations to address. He observes that Managed Detection & Response (MDR) services are gaining in popularity as a result and are providing a quick fix for organizations that do not want to build out this expertise in-house.
Internal Detections on the Rise
While last year’s report noted a drop in internal detections of intrusions compared to the previous year, Mandiant experts observed a return of organizations independently detecting most of their incidents. Internal incident detection rose to 59% in 2020 – a 12-point increase compared to 2019. This return to organizations detecting the majority of intrusions within their environments is in line with the overall trend observed over the last five years.
Notably, internal detection rose across all regions year-over-year. Organizations in the Americas led the internal detection trendline at 61%, followed by EMEA and APAC, closely aligned at 53% and 52% respectively. Put the other way, a larger share of APAC and EMEA organizations first learned of a compromise through notification from an external entity than did organizations in the Americas.
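The two metrics the report tracks, median dwell time and internal-detection share, are easy to reproduce against an organization's own incident records, which is the sensible way to benchmark against these figures. The following Python example is added here and is not part of the report or FireEye's tooling; the incident records are constructed for illustration (they are not Mandiant data), and the field names, the region labels and the three-year threshold for the long tail are assumptions. It deliberately includes two multi-year intrusions in EMEA and APAC so that the pull they exert on a regional median, as described above, is visible in the output.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample incidents, not Mandiant data. Each record carries the
# date of the earliest evidence of attacker activity, the date the intrusion
# was identified, the region, and whether the victim found it internally or
# was notified by an external entity (law enforcement, a vendor, a partner).
INCIDENTS = [
    {"id": "inc-01", "region": "Americas", "source": "internal", "first_evidence": "2020-01-10", "identified": "2020-01-19"},
    {"id": "inc-02", "region": "Americas", "source": "internal", "first_evidence": "2020-03-01", "identified": "2020-03-06"},
    {"id": "inc-03", "region": "Americas", "source": "internal", "first_evidence": "2020-02-01", "identified": "2020-03-02"},
    {"id": "inc-04", "region": "Americas", "source": "external", "first_evidence": "2020-04-01", "identified": "2020-05-31"},
    {"id": "inc-05", "region": "EMEA", "source": "internal", "first_evidence": "2020-05-01", "identified": "2020-06-10"},
    {"id": "inc-06", "region": "EMEA", "source": "external", "first_evidence": "2017-01-01", "identified": "2020-06-15"},
    {"id": "inc-07", "region": "APAC", "source": "internal", "first_evidence": "2020-07-01", "identified": "2020-07-21"},
    {"id": "inc-08", "region": "APAC", "source": "external", "first_evidence": "2020-01-15", "identified": "2020-03-31"},
    {"id": "inc-09", "region": "APAC", "source": "external", "first_evidence": "2016-09-01", "identified": "2020-09-30"},
]

THREE_YEARS = 3 * 365  # assumed threshold for the "dwell beyond three years" count


def dwell_days(incident):
    """Dwell time in whole days: identification date minus first-evidence date."""
    start = date.fromisoformat(incident["first_evidence"])
    end = date.fromisoformat(incident["identified"])
    if end < start:
        # Identification before the earliest evidence is a data-entry error;
        # refuse the record rather than silently report a negative dwell time.
        raise ValueError(f"{incident['id']}: identified before first evidence")
    return (end - start).days


def _select(incidents, region=None, source=None):
    """Filter incidents by region and/or detection source (None means no filter)."""
    return [i for i in incidents
            if (region is None or i["region"] == region)
            and (source is None or i["source"] == source)]


def median_dwell(incidents, region=None, source=None):
    """Median dwell time over the matching incidents, or None if none match."""
    selected = _select(incidents, region, source)
    if not selected:
        return None
    return median([dwell_days(i) for i in selected])


def internal_detection_share(incidents, region=None):
    """Fraction of matching incidents the victim detected itself, or None if none match."""
    selected = _select(incidents, region)
    if not selected:
        return None
    internal = sum(1 for i in selected if i["source"] == "internal")
    return internal / len(selected)


def summarize(incidents):
    """Per-region view of the report's metrics: overall and internally-detected
    median dwell, internal-detection share, and how many intrusions stayed
    undetected for more than three years (the long tail that lifts a median)."""
    summary = {}
    for region in sorted({i["region"] for i in incidents}):
        selected = _select(incidents, region)
        summary[region] = {
            "median_dwell": median_dwell(selected),
            "median_dwell_internal": median_dwell(selected, source="internal"),
            "internal_share": internal_detection_share(selected),
            "over_three_years": sum(1 for i in selected if dwell_days(i) > THREE_YEARS),
        }
    return summary


if __name__ == "__main__":
    print("global median dwell:", median_dwell(INCIDENTS), "days")
    print("global internal-detection share:", round(internal_detection_share(INCIDENTS), 2))
    for region, stats in summarize(INCIDENTS).items():
        print(region, stats)
```

On this constructed set the global median is 40 days and the Americas internal-only median is 9 days, while the single multi-year intrusion in each of EMEA and APAC lifts those regional medians well above the Americas figure, which is the effect the report describes. When running this over real records, the first-evidence date should be the earliest attacker activity the investigation established, not the first alert, or dwell time will be systematically understated.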
Yihao Lim, Principal Intelligence Advisor, APAC, Mandiant said, “In 2020, APAC organizations most commonly received notification of compromise from external entities, compared to detecting intrusions themselves. Looking ahead to 2021, developing in-house threat intelligence capability is imperative, so organizations can cross-reference their observations with external notifications without being over-reliant on third-party vendors.”
Attackers Narrow Sights on Retail & Hospitality and Health care
The top five most targeted industries, in order, are Business and Professional Services, Retail and Hospitality, Financial, Health care, and High Technology.
Mandiant experts observed that organizations in the Retail and Hospitality industry were targeted more heavily in 2020, rising to the second most targeted industry from 11th in last year’s report. Health care also rose significantly, becoming the third most targeted industry in 2020, compared to eighth in last year’s report. This increased focus by threat actors is most likely explained by the vital role the health care sector played during the global pandemic.
View the full report here: https://www.fireeye.com/mtrends
Report metrics are based on Mandiant investigations of targeted attack activity conducted between October 1, 2019 and September 30, 2020.