Jump to Content
Threat Intelligence

M-Trends 2024: Our View from the Frontlines

April 23, 2024
Jurgen Kutscher


Attackers are taking greater strides to evade detection. This is one of the running themes in our latest release: M-Trends 2024. This edition of our annual report continues our tradition of providing relevant attacker and defender metrics, and insights into the latest attacker tactics, techniques and procedures, along with guidance and best practices on how organizations and defenders should be responding to threats.

This year’s M-Trends report covers Mandiant Consulting investigations of targeted attack activity conducted between January 1, 2023 and December 31, 2023. During that time, many of our observations demonstrate a more concerted effort by attackers to evade detection, and remain undetected on systems for longer periods of time:

  • Increased targeting of edge devices, and platforms that traditionally lack endpoint detection and response solutions.

  • A more than 50% growth in zero-day usage over the same reporting period in 2022, both by espionage groups as well as financially-motivated attackers.

  • More “living off the land,” or use of legitimate, pre-installed tools and software within an environment.

Despite the increased focus on evasion by attackers, we are pleased to report that defenders are generally continuing to improve at detecting threats. Dwell time represents the period an attacker is on a system from compromise to detection, and in 2023 the global median dwell time is now 10 days, down from 16 days in 2022. While various factors (such as ransomware) help drive down dwell time, it’s still a big win for defenders. We can’t let up, however. Mandiant red teams need only five to seven days on average to achieve their objectives, so organizations must remain vigilant. Other M-Trends 2024 metrics include:

  • 54% of organizations first learned of a compromise from an external source (down from 63% in 2022), while 46% first identified evidence of a compromise internally.

  • Our engagements most frequently occurred at financial services organizations (17.3%), business and professional services (13.3%), high tech (12.4%), retail and hospitality (8.6%), healthcare (8.1%), and government (8.1%).

  • The most common initial infection vectors were exploits (38%), phishing (17%), prior compromise (15%), and stolen credentials (10%). 

Additional topics covered in detail in M-Trends 2024 include Chinese espionage operations targeting the visibility gap, the evolution of phishing amid shifting security controls, the use of adversary-in-the-middle to overcome multi-factor authentication, cloud intrusion trends, and the role of artificial intelligence in red and purple team engagements. 

With the release of M-Trends 2024, we hope to arm security professionals with insights from the frontlines of the latest, constantly evolving cyber attacks, and to provide actionable learnings to improve organizations’ security postures.

Read M-Trends 2024 now, and register today for our webinar series to get a closer look from experts about the data and insights in this year’s report. M-Trends 2024: Executive Edition is also available to read now, featuring a high-level overview of each section, along with key takeaways. Finally, listen to our M-Trends 2024 podcast to hear more perspectives on the report.

Posted in