Complex Made Simple

Annual FireEye Mandiant M-Trends report reveals global statistics and insights

Global median dwell time drops below one month, detection capabilities improve, but ransomware surges on

Global median dwell time went from over 1 year in 2011 to just 24 days in 2020 Experts observed a return of organizations independently detecting most of their own incidents Organizations in the retail and hospitality industry were targeted more heavily in 2020

FireEye, Inc., the intelligence-led security company, today released the FireEye® Mandiant® M-Trends® 2021 report. Now in its 12th year, M-Trends brings together the best of cybersecurity expertise and threat intelligence with statistics and insights gleaned from recent frontline Mandiant investigations around the globe.

This year’s report outlines critical details on trending attacker techniques and malware, the proliferation of multifaceted extortion and ransomware, preparing for expected UNC2452 / SUNBURST copycat threat actors, growing insider threats, plus pandemic and industry targeting trends. Additional findings are summarized below.

Global median dwell time drops below one month for the first time

Over the past decade, Mandiant has observed a trending reduction in global median dwell time (defined as the duration between the start of a cyber intrusion and when it is identified). This measure went from over one year in 2011 to just 24 days in 2020 – that’s more than twice as quickly identified in comparison to last year’s report with a median dwell time of 56 days. Mandiant attributes this reduction to continued development and improvement of organizational detection and response capabilities, along with the surge of multifaceted extortion and ransomware intrusions.

Median dwell time trends varied by region. The Americas continued to decrease. The Americas median dwell time for incidents discovered internally improved the most – dropping from 32 days down to only nine days – marking the first time a region has dipped into single digits. Conversely, APAC and EMEA experienced an overall increase in median dwell time, which Mandiant experts believe to be influenced by a greater number of intrusions with dwell times extending beyond three years, as compared to the Americas.

Internal detections on the rise

While last year’s report noted a drop in internal detections of intrusions compared to the previous year, Mandiant experts observed a return of organizations independently detecting most of their own incidents. Internal incident detection rose to 59% in 2020 – a 12-point increase compared to 2019. This return to organizations detecting the majority of intrusions within their environments is in line with the overall trend observed over the last five years.

Notably, internal detection was on the rise across all regions year-over-year. Organizations located in the Americas led the internal detection trendline at 61%, followed by EMEA and APAC closely aligned at 53% and 52%, respectively. In comparison, APAC and EMEA organizations received more notifications of compromise from external entities, versus organizations in the Americas.

Attackers narrow sights on retail & hospitality and healthcare

The top five most targeted industries, in order, are business and professional services, retail and hospitality, financial, healthcare, and high technology.

Mandiant experts observed that organizations in the retail and hospitality industry were targeted more heavily in 2020 – coming in as the second most targeted industry compared to 11th in last year’s report. Healthcare also rose significantly, becoming the third most targeted industry in 2020, compared to eighth in last year’s report. This increased focus by threat actors can most likely be explained by the vital role the healthcare sector played during the global pandemic.

While business and professional services have been in the top five most targeted industries since 2016, we believe the sudden boost in business services necessary for remote working has made this industry the most targeted in 2020 by cybercriminals and state-sponsored threat actors.” – Jurgen Kutscher, Executive Vice President, Service Delivery, Mandiant

Charles Carmakal, Senior Vice President and Chief Technology Officer, Mandiant said: “ Direct financial gain was the likely motive for at least 36% of the intrusions we investigated. Data theft and reselling of unauthorized access to victim organizations remain high as multifaceted extortion and ransomware actors have trended away from purely opportunistic campaigns in favor of targeting organizations that are more likely to pay large extortion demands.”  

He added: “We have continued to see a ‘wolf in sheep’s clothing’ trend where threat groups and cybercriminals rely on publicly available tools introduced in different stages of a compromise. The usage of public or commercially available tools, often used by red teams and penetration testers, allows the threat actor to blend in with security testing. It also makes attribution more complex.“