Global median dwell time declines to just over two weeks

According to the M-Trends 2023 report, the global median dwell time – which is calculated as the median number of days an attacker is present in a target’s environment before being detected – continues to drop year-over-year down to 16 days in 2022. This is the shortest median global dwell time from all M-Trends reporting periods, with a median dwell time of 21 days in 2021.

When comparing how threats were detected, Mandiant observed a general increase in the number of organisations that were alerted by an external entity of historic or ongoing compromise. Organisations headquartered in the Americas were notified by an external entity in 55% of incidents, compared to 40% of incidents last year. This is the highest percentage of external notifications the Americas has seen over the past six years. Similarly, organisations in Europe, the Middle East and Africa (EMEA) were alerted of an intrusion by an external entity in 74% of investigations in 2022 compared to 62% in 2021.

Mandiant identified extensive cyber espionage and information operations leading up to and since Russia’s invasion of Ukraine on 24 February 2022. Most notably, Mandiant saw activity by UNC2589 and APT28 prior to the invasion of Ukraine and observed more destructive cyber attacks in Ukraine during the first four months of 2022 than in the previous eight years.

In 2022, Mandiant began tracking 588 new malware families, revealing how adversaries are continuing to expand their toolsets. Of the newly tracked malware families, the top five categories consisted of backdoors (34%), downloaders (14%), droppers (11%), ransomware (7%) and launchers (5%). These categories of malware remain consistent over the years and backdoors continue to represent a little over one third of the newly tracked malware families.

In line with previous years, the most common malware family identified by Mandiant in investigations was BEACON, a multi-function backdoor. In 2022, BEACON was identified in 15% of all intrusions investigated by Mandiant and remains by far the most seen in investigations across regions. It has been used by a wide variety of threat groups tracked by Mandiant, including nation state-backed threat groups attributed to China, Russia and Iran, as well as financial threat groups and over 700 UNC groups. This ubiquity is likely due to the common availability of BEACON combined with the malware’s high customisability and ease of use, according to the report.

The goal of M-Trends is to arm security professionals with insights on the latest attacker activity as seen directly on the frontlines, backed by actionable intelligence to improve organisations’ security postures within an evolving threat landscape. To meet this objective, Mandiant provides insight into some of the most prolific threat actors and their expanding tactics, techniques and procedures.

To further support this objective, Mandiant mapped an additional 150 Mandiant techniques to the updated MITRE ATT&CK framework, bringing the total to 2 300+ Mandiant techniques and subsequent findings associated with the ATT&CK framework. Organisations should prioritise which security measures to implement based on the likelihood of a specific technique being used during an intrusion.