M-Trends 2023: Lessons from this year's cyberattack frontlines report

Cyber threat actors with fewer technical skills than ever before are carrying out attacks that are having huge impacts on organizations in the public and private sectors. Despite a decreasing level of technical proficiency, these cyberattack operations have resulted in data theft, stolen intellectual property, and significant reputational damage.

That’s just one of many important takeaways from Mandiant’s latest M-Trends report on the evolving cyber threat landscape, published today. Since 2009, M-Trends has provided essential analysis and by-the-numbers insights into cyberattacks, online threat actors, and the state of cybersecurity. As the security landscape has grown, changed, and moved to the cloud, we’ve seen organizations targeted without remorse. The key takeaways in M-Trends can help senior leaders and boards of directors to understand the cyber risks they face, and how best to ensure that their organizations are prepared.

The goal of every M-Trends report remains the same: to provide to the security and IT communities some of the same vital intelligence that Mandiant shares with its customers to help them strengthen their security programs and defend against emerging risks. 

"M-Trends 2023 makes it clear that, while our industry is getting better at cyber security, we are combating ever evolving and increasingly sophisticated adversaries. Several trends we saw in 2021 continued in 2022, such as an increasing number of new malware families as well as rising cyber espionage from nation-state-backed actors,” said Jurgen Kutscher, vice president of Mandiant Consulting at Google Cloud.

M-Trends provides a look back at notable security incidents from the previous year with an eye towards measuring how cyber activities evolve to help guide us through the current moment. The information and analysis in this year’s report are based on Mandiant Consulting investigations conducted between January 1, 2022 and December 31, 2022.

We provide numerous takeaways for senior leaders and boards of directors in our M-Trends 2023 Executive Summary, but three in particular stand out:

Ongoing, targeted cyberattacks conducted explicitly in the service of real-world conflicts have weakened the already porous wall between digital and physical worlds. Look no further than Russia’s invasion of Ukraine and how operators are supporting the North Korean regime for evidence of tactics that other nation-state-backed threat groups might soon adopt. Understanding their operations, and the operations of the threat groups that adopt their tactics, can help organizations better prepare for future cyber threats.

Threat actors are getting more aggressive in the real world. We’ve seen a growing willingness from threat actors to “get more personal” — to harass and intimidate targets, and even to threaten them with physical violence. At least two threat groups have threatened executives and highly-privileged network and system administrators during cyberattacks, hoping to coerce these high-priority employees to pay a ransom or submit to demands. Combining cyberattacks with personal threats is an evolution of the attack surface, and defenders might have to consider personal protection for specific individuals as a part of protecting their organization. 

It can be harder to protect hybrid on-premise and cloud networks than it is to protect cloud-only networks. Extensive planning is often required to secure hybrid networks, especially because hybrid systems create an expanded attack surface that threat actors can more easily target, and integrating cloud and on-premise can lead to misconfigurations which weaken an organization’s security posture. Testing cloud architecture deployments, including the use of red teams, can help an organization become more resilient to threats and better understand its risk profile.

Given those points, Mandiant recommends in the report that organizations stay vigilant against “unsophisticated yet persistent attackers” when determining their cyber risk posture and how best to position their security teams and infrastructure. Organizations must also be ready for cybercrime. Despite a slight reduction in the number of investigations involving ransomware, it’s still a big threat with the ability to cause significant impact to business.

“While we don’t have data that suggests there is a single cause for the slight drop in ransomware-related attacks that we observed, there have been multiple shifts in the operating environment that have likely contributed to these lower figures,” said Sandra Joyce, vice president of Mandiant Intelligence at Google Cloud. 

“These factors include, but are not limited to: ongoing government and law enforcement disruption efforts targeting ransomware services and individuals, which at minimum require actors to retool or develop new partnerships; the conflict in Ukraine; actors needing to adjust their initial access operations to a world where macros may often be disabled by default, as well as organizations potentially getting better at detecting and preventing or recovering from ransomware events at faster rates,” she said.

By the numbers: The data of M-Trends

In a positive development, globally, attacks are being detected faster, with improvements seen in the Americas and EMEA regions, but not in the APAC region. The global median dwell time, which is the time between when an organization is compromised and when the attack is discovered, was 16 days in 2022. Overall that’s an improvement from the previous year, which had a global median dwell time of 21 days.

The report found that security vendors and other external sources are notifying organizations of compromises more often than internal security teams are finding them. However, when internal teams detect attacks, they do it faster than an external team. When a security breach is identified internally, the global median dwell time is 13 days. External sources of breach notification had a global median dwell time of 19 days.

To gain access to organizations, attackers are leveraging what works best in different regions. Exploits are the most successful method for launching an initial cyberattack in the Americas, where 38% of cyberattacks start that way. In EMEA (Europe, the Middle East, and Africa), 40% of successful attacks start with phishing, and 33% of successful attacks begin with prior compromises in the APAC region. 

Cybersecurity considerations

The threat landscape remains dynamic and complex, and we expect these trends to continue in 2023 and beyond. Preparing for and responding to threats requires planning, training, and vigilance. Organizations should consider regularly testing defenses against the most relevant threats; exercises for executives, Legal, Comms and other personnel that game out how a realistic cyberattack scenario could unfold; and social engineering and other training sessions for all employees, especially those who are likely to be targeted such as senior leaders and privileged users. Building strong defenses requires sound fundamentals, such as vulnerability and patch management, implementation of least privilege access, and reducing the organizations attack surface with security hardening. 

There is a clear connection between threat intelligence and risk mitigation, yet leaders in the organization often experience a gap between knowing the need for better intelligence on threat actors, and why threat actors are targeting them in the first place. Boards can work to bridge these intelligence gaps and ensure this information is playing a leading role in risk management decisions.

Overall, M-Trends 2023 highlights that attackers can cause bigger impacts today — with fewer skills. We noticed positive trends such as improved detection times, and more challenging ones such as the situation in Ukraine and the merging of the real and cyber worlds. As attackers grow more brazen, and demonstrate a willingness to get much more aggressive and personal, we encourage everyone reading the report to consider evaluating the risks they face and how best to protect their organizations.