Annual FireEye Mandiant M-Trends Report Reveals Global Statistics and Insights From Hundreds of Diverse Intrusions

Rhea-AI Summary

FireEye, Inc. (NASDAQ: FEYE) released its 2021 Mandiant M-Trends report, highlighting a significant reduction in global median dwell time to just 24 days, a notable drop from 56 days in 2019. The report examined evolving cyber threats, with a focus on industries increasingly targeted by threat actors. Internal detection of cyber incidents improved to 59%, particularly in the Americas. Additionally, multifaceted extortion and ransomware were identified as prevalent risks. Key industries impacted included Retail, Hospitality, and Healthcare, reflecting the ongoing challenges posed by the pandemic.

Positive

• Global median dwell time dropped to 24 days from 56 days, indicating improved detection capabilities.
• Internal detections of intrusions increased to 59%, marking a 12-point rise year-over-year.

Negative

• APAC and EMEA regions experienced increased median dwell time, suggesting vulnerabilities in these areas.
• Retail and Healthcare sectors significantly targeted, indicating a shift in threat actor focus.

FireEye, Inc. (NASDAQ: FEYE), the intelligence-led security company, today released the FireEye® Mandiant® M-Trends® 2021 report. Now in its 12^th year, M-Trends brings together the best of cybersecurity expertise and threat intelligence with statistics and insights gleaned from recent frontline Mandiant investigations around the globe.¹

This year’s report outlines critical details on trending attacker techniques and malware, the proliferation of multifaceted extortion and ransomware, preparing for expected UNC2452 / SUNBURST copycat threat actors, growing insider threats, plus pandemic and industry targeting trends. Additional findings are summarized below.

Global Median Dwell Time Drops Below One Month for First Time

Over the past decade, Mandiant has observed a trending reduction in global median dwell time (defined as the duration between the start of a cyber intrusion and when it is identified). This measure went from over one year in 2011 to just 24 days in 2020 – that’s more than twice as quickly identified in comparison to last year’s report with a median dwell time of 56 days. Mandiant attributes this reduction to continued development and improvement of organizational detection and response capabilities, along with the surge of multifaceted extortion and ransomware intrusions.

Median dwell time trends varied by region. The Americas continued to decrease. The Americas median dwell time for incidents discovered internally improved the most – dropping from 32 days down to only nine days – marking the first time a region has dipped into single digits. Conversely, APAC and EMEA experienced an overall increase in median dwell time, which Mandiant experts believe to be influenced by a greater number of intrusions with dwell times extending beyond three years, as compared to the Americas.

Internal Detections on the Rise

While last year’s report noted a drop in internal detections of intrusions compared to the previous year, Mandiant experts observed a return of organizations independently detecting most of their own incidents. Internal incident detection rose to 59% in 2020 – a 12-point increase compared to 2019. This return to organizations detecting the majority of intrusions within their environments is in line with the overall trend observed over the last five years.

Notably, internal detection was on the rise across all regions year-over-year. Organizations located in the Americas led the internal detection trendline at 61%, followed by EMEA and APAC closely aligned at 53% and 52%, respectively. In comparison, APAC and EMEA organizations received more notifications of compromise from external entities, versus organizations in the Americas.

Attackers Narrow Sights on Retail & Hospitality and Healthcare

The top five most targeted industries, in order, are Business and Professional Services, Retail and Hospitality, Financial, Healthcare and High Technology.

Mandiant experts observed that organizations in the Retail and Hospitality industry were targeted more heavily in 2020 – coming in as the second most targeted industry compared to 11^th in last year’s report. Healthcare also rose significantly, becoming the third most targeted industry in 2020, compared to eighth in last year’s report. This increased focus by threat actors can most likely be explained by the vital role the healthcare sector played during the global pandemic.

Executive Quotes

“While organizations continue to improve their ability to discover compromises within their environments, containing adversaries today comes with unique challenges. The consequences of a global pandemic forced companies to rethink how they operate and move to a remote workforce. This change resulted in VPN infrastructure, video conferencing, collaboration and knowledge sharing platforms becoming business-critical systems and changing the attack surface of organizations. In many cases, regular employees became responsible for connectivity and cybersecurity. While Business and Professional Services has been in the top five most targeted industries since 2016, we believe the sudden boost in business services necessary for remote working has made this industry the most targeted in 2020 by cybercriminals and state-sponsored threat actors.” – Jurgen Kutscher, Executive Vice President, Service Delivery, Mandiant

“Multifaceted extortion and ransomware are the most prevalent threats to organizations. In this year’s report, direct financial gain was the likely motive for at least 36% of the intrusions we investigated. Data theft and reselling of unauthorized access to victim organizations remain high as multifaceted extortion and ransomware actors have trended away from purely opportunistic campaigns in favor of targeting organizations that are more likely to pay large extortion demands. Given this surge, organizations must take proactive action to mitigate the potential impact.” – Charles Carmakal, Senior Vice President and Chief Technology Officer, Mandiant

“UNC2452, the threat actor responsible for the SolarWinds supply chain attack, reminds us that a highly-disciplined and patient actor cannot be underestimated. This actor’s attention paid to operational security, counter forensics, and even counterintelligence set it apart from its peers. Defense against this actor will not be easy, but it is not impossible. We have learned a great deal about UNC2452 in recent months, and we believe that intelligence will be our advantage in future encounters.” – Sandra Joyce, Executive Vice President, Global Threat Intelligence, Mandiant

“This year’s M-Trends report identified the three most frequently used initial vectors of compromise as exploits (29%), phishing emails (23%) and stolen credentials or brute-force (19%). While phishing remains a preferred vector by cyber threat actors, we saw more actors leveraging exploits to compromise victims. The increase in exploit usage should remind organizations to have a more robust plan for patching product vulnerabilities. One of the challenges here is identifying what sources and information are available to make better risk-based decisions when prioritizing what systems and applications to patch now and what to patch at a later stage based on current knowledge about exploitation and targeting by threat actors.” – Jurgen Kutscher, Executive Vice President, Service Delivery, Mandiant

“We have continued to see a ‘wolf in sheep’s clothing’ trend where threat groups and cyber criminals rely on publicly available tools introduced in different stages of a compromise. The usage of public or commercially available tools, often used by red teams and penetration testers, allows the threat actor to blend in with security testing. It also makes attribution more complex. In this year’s report, 24% of the intrusions analyzed involved BEACON usage, which is a commercial tool, part of the Cobalt Strike software platform, commonly used for pentesting network environments. We have observed BEACON being used by a wide range of named threat groups, including APT19, APT32, APT40, APT41, FIN6, FIN7, FIN9 and FIN11, as well as nearly 300 uncategorized clusters of threat activity.” – Charles Carmakal, Senior Vice President and Chief Technology Officer, Mandiant

Report Resources

• Full report: https://www.fireeye.com/mtrends
• M-Trends 2021 First Look webinar on April 13: Hear firsthand analysis from Mandiant experts about this year’s report numbers, ransomware trends, and activity they continue to see:
  • https://www.brighttalk.com/webcast/7451/472530
• M-Trends 2021 By The Numbers webinar on April 15: A deep dive into this year’s report numbers along with mitigation solutions organizations should be inclined to implement:
  • https://www.brighttalk.com/webcast/7451/476778

About Mandiant

Mandiant, a part of FireEye, brings together the world’s leading threat intelligence and frontline expertise with continuous security validation to arm organizations with the tools needed to increase security effectiveness and reduce organizational risk.

About FireEye, Inc.

FireEye is the intelligence-led security company. Working as a seamless, scalable extension of customer security operations, FireEye offers a single platform that blends innovative security technologies, nation-state grade threat intelligence, and world-renowned Mandiant consulting. With this approach, FireEye eliminates the complexity and burden of cyber security for organizations struggling to prepare for, prevent, and respond to cyber attacks. FireEye has over 9,900 customers across 103 countries, including more than 50 percent of the Forbes Global 2000.

© 2021 FireEye, Inc. All rights reserved. FireEye, Mandiant and M-Trends are registered trademarks or trademarks of FireEye, Inc. in the United States and other countries. All other brands, products, or service names are or may be trademarks or service marks of their respective owners.

¹ Report metrics are based on Mandiant investigations of targeted attack activity conducted between October 1, 2019 through September 30, 2020.

View source version on businesswire.com: https://www.businesswire.com/news/home/20210413005031/en/

FAQ

What does the Mandiant M-Trends report 2021 reveal about median dwell time for cyber intrusions?

The 2021 report indicates that global median dwell time for cyber intrusions has dropped to 24 days, a significant improvement from 56 days in the previous year.

How has internal detection of cyber incidents changed according to FireEye's report?

The report shows that internal detection of cyber incidents rose to 59% in 2020, a 12-point increase compared to 2019.

Which industries were most targeted by cybercriminals in 2020?

The report highlights that Business and Professional Services, Retail and Hospitality, Financial, Healthcare, and High Technology were the top five targeted industries.

What were the primary motives behind cyber intrusions noted in the Mandiant report?

The report indicates that direct financial gain was the primary motive for at least 36% of the intrusions investigated.

What challenges are organizations facing in the context of cybersecurity as reported by FireEye?

Organizations are facing unique challenges due to the shift to remote work, complicating their ability to contain adversaries.