M-Trends 2023: Cybersecurity Insights From the Frontlines
Mandiant
Written by: Jurgen Kutscher
We are excited today to launch M-Trends 2023, our comprehensive report from the frontlines of incident response that provides metrics on the types of attacks we’re seeing, what industries are being targeted, and how defenders are responding; insights into the latest attacker tactics, techniques, and procedures; and guidance and best practices on how everyone in an organization—from senior leaders to practitioners—should be responding to these threats.
This year’s M-Trends report covers our investigations from Jan. 1, 2022, to Dec. 31, 2022. During that time we have seen just how blurry the lines between the cyber realm and the real world have become, notably in relation to the conflict in Ukraine, where attackers are attempting to disrupt critical infrastructure while also trying to influence the narrative. We are seeing a similar convergence of the geopolitical and cyber space with North Korea-nexus threat actors targeting cryptocurrency for monetary gain to support the regime.
Another common trend across multiple articles featured in M-Trends 2023 is increasing attacker aggression and boldness. Attackers are showing willingness to eschew the traditional cyber rules of engagement, to bully and threaten and get very personal with targets, and to show up to places in person to enable initial access. Organizations across the globe need to be thinking about how to protect their employees from these much more personal threats. Our red team case study article highlights how organizations can test their defenses, including against different social engineering techniques.
M-Trends 2023 contains all of the metrics, insights, and guidance you have come to expect, and here are just some of the highlights:
- Median dwell time: Global median dwell time is now down to 16 days from 21 in our previous report, meaning attacks are being detected more quickly than ever before. Part of this is good work by defenders, but ransomware and other factors are also driving this number down.
- Detection by source: For the first time since 2019, globally, organizations are being notified of compromises more by external sources than by internal teams. This shift is partly driven by the extensive work we’re doing in Ukraine. One key thing to note here is that compromises identified internally have a lower dwell time, so organizations should be encouraged to continue their own internal security efforts.
- Initial infection vector: Globally, exploits and phishing were used in more than half of the intrusions we investigated. Regionally, attackers are using what works best for that location: exploits in the Americas, phishing in EMEA, and prior compromise in APAC. Additionally, attackers leveraged exploits against perimeter devices at a higher frequency.
- Shifting motivations: The large majority of our investigations involve attackers motivated by money or espionage; however, a growing number of our engagements involve attackers who are more motivated by notoriety and bragging rights. Many of these investigations still involved extortion, data theft, financial loss, and reputational damage, but financial gain wasn’t necessarily the motivating factor.
These are just some of our frontline observations included in M-Trends 2023. Beyond the aforementioned conflict in Ukraine and North Korea’s evolving financial operations, our red team case study demonstrates the challenges of securing hybrid on-premises and cloud networks; we dive into some of the threats and vulnerabilities covered by the Mandiant Campaigns and Global Events Team; and we discuss our only attacker graduation of 2022, APT42, an Iranian-sponsored espionage group.
For over a decade, the mission of M-Trends has always been the same: to arm security professionals with insights from the frontlines of the latest, constantly evolving cyber attacks, and to provide actionable learnings to improve organizations’ security postures.
Read M-Trends 2023 right now, and register today for our webinars to get a closer look from experts at the data and insights in this year’s report. Executives and other senior leaders should read our M-Trends 2023 Executive Summary and our Transform with Google Cloud blog post for more high-level summaries and takeaways to discuss with their CISOs. And listen to our M-Trends 2023 podcast for a conversation between some of the Mandiant experts responsible for writing the report.