In the constantly evolving world of cybersecurity, staying ahead of emerging threats requires continuous vigilance and adaptation. Fortunately for those of us in the industry, we’ve been able to count on highly respected digital forensics and incident response specialists like Mandiant to publish annual research on the latest security trends seen first-hand by their global teams.
Their latest Mandiant M-Trends report (its 15th edition) came out not long ago, and I wanted to share some of the more interesting findings that, by and large, align with Corelight’s view of the world as a premier network security vendor. Given the strategic partnership we have with the Mandiant team and their preference for Corelight in their incident response engagements, I was curious to see what the latest report had to say about the importance of advanced network detection and response (NDR) in supporting our combined mission to help keep every organization safe from cyberthreats.
If you’re familiar with the annual M-Trends report, you know that it offers an in-depth look into the most pressing threats and trends around the most active global threat groups and their tactics, techniques, and procedures (TTPs), based on the casework of the company’s global incident response teams. Having attended one of the recent Google Cloud Security SecOps Workshops, where Mandiant researchers shared some of the key findings, I wanted to peer further into the report to assess how some of the primary trends intersected with what we at Corelight are seeing with our own customers and partner ecosystem.
It’s worth mentioning that I’ll only be hitting on some major themes in the report, since such an extensive publication covers far more than I can share here as I review the findings through the lens of advanced network telemetry. To get a full view of the Mandiant findings, including details on threat actors, specific campaigns, and breakdowns across geographies, I suggest you download the report and review how the findings and trends align with what your organization is seeing.
The primary objective of publishing the report is to share insight into where cybercriminals are finding success in an effort to help organizations understand “the enemy” better so they can channel their resources more effectively. As Sun Tzu said in The Art of War, “if you know yourself but not the enemy, for every victory gained you will also suffer a defeat”. So with those immortal words, let’s dive into some of the global trends that I found interesting, given Corelight’s role in threat detection and response.
[1] Mandiant (now part of Google Cloud) is an important Corelight alliance partner.
Let’s start with some summary findings on how things are trending. First, the good news. The report cited that median dwell time (the time between an adversary’s initial intrusion and their detection) continued to decline, reaching an all-time low of ten days. This is a reduction of nearly a full week compared to the prior year. While this is indeed news to celebrate, part of this results from the increase in ransomware attacks, where perpetrators are eager to notify their victims quickly and demand the ransom. In these cases, the mantra is “Get in, demand the ransom, and move on!”
Another interesting point highlighted in the report is that attackers are focusing more on evasion tactics than ever before. Those not conducting a ransomware attack are getting much more clever at avoiding traditional detection technologies, such as endpoint detection and response (EDR), to maintain persistence on networks and conduct campaigns that can last for weeks and months. To do so, criminals are showing an increased ability to target edge devices that can’t support EDR agents and, therefore, can’t alert security teams that something is amiss. Another tactic being used successfully is the abuse of legitimate remote administration tools, which are also less likely to be flagged by existing defenses.
CrowdStrike shared a similar finding in their latest Global Threat Report, where they recognized that “threat actors have adapted to the enhanced visibility of traditional endpoint detection and response (EDR) sensors [and] are now targeting the network periphery, where defender visibility is reduced by the possibility that endpoints may lack EDR sensors or cannot support sensor deployment.” Attackers seem poised to continue exploiting the lack of visibility of these devices, which count in the hundreds, if not thousands, in most large enterprises.
The Mandiant report also pointed out the increase in intrusions that exploit the lack of visibility into the many hypervisors deployed across an organization’s hybrid and multicloud environments. They assert that while “instrumenting endpoint visibility on the guest virtual machines is relatively easy, instrumenting visibility on the hypervisor itself can present substantial challenges”. As with network edge devices, the challenge with hypervisors is that they are rarely supported by most EDR platforms. To counter this increasing risk, Mandiant highly recommends that organizations extend their high-fidelity monitoring and detection capabilities to all network activity, including within their cloud environments.
[2] CrowdStrike Global Threat Report, February 2024.
As far as attack techniques used, the 2023 numbers were consistent with those observed in 2022, with the top 10 most frequently seen techniques showing little change over the last several years. During the initial compromise phase, researchers saw exploits as the most frequent attack vector, representing 38% of overall attacks (up 6% from the prior year). Phishing ranked second as an initial infection technique at 17% but declined 5% year over year. Attacks leveraging a prior compromise rose slightly by 3% and ranked third with 15% of total initial intrusions identified by the company’s incident response teams.
Interestingly, of the 38% of attacks that used exploits for initial compromise, two of the three most targeted vulnerabilities were related to edge devices, which also featured prominently in the prior M-Trends report. These activities were described as “Living off the Edge” campaigns, and researchers highlighted that Russia’s GRU teams were leveraging these exploits successfully against Ukraine in 2022. Again, we see that these attacks were exceedingly difficult to identify because EDR technologies are not designed to support edge devices. Without access to detailed network and cloud telemetry, defenders are blind to the evidence that can readily reveal adversaries hiding and maintaining persistence across their networks. Given the number of network devices, VPNs, and firewalls resident on every organization’s network, this increasingly popular threat vector is an easy one to address with advanced NDR.
Once inside a network, Mandiant points out that attackers are finding increasing success moving laterally by using existing system tools like PowerShell and PsExec, which allow them to conduct operations while remaining undetected since these are legitimate tools system administrators use every day. Researchers point out that these tools “have become a new preferred safe haven for attackers” since they enable them to maintain long-term persistence with a much lower risk of detection. As a defense, Mandiant experts advise organizations to not only monitor their networks at the operating system layer, but also expediently patch, maintain, and monitor the underlying infrastructure supporting their hybrid and multicloud networks.
Regarding what attackers did after gaining access to a victim’s network, researchers saw a virtual tie between the top two: those seeking financial gain through extortion methods, like ransomware, and those stealing data. The figures were 36% and 37%, respectively. Not surprisingly, ransomware-related intrusions represented almost two thirds of financially motivated intrusions and 23% of all intrusions last year.
On the data theft side, Mandiant experts saw a slight decline, from 40% in 2022 to 37% in their 2023 investigations. As you might expect, half of these cases involved financially motivated data theft, while the other half were mostly identified as espionage and data theft designed to facilitate reconnaissance of an adversary’s target networks. The financially motivated investigations in the data theft category were separated from those included in the core financially motivated category because the latter did not rely on data theft to carry out their mission.
Overall, more than half of the attackers observed in 2023 (52%) were primarily motivated by financial gain, while 10% pursued espionage activities. This trend highlights the growth and popularity of ransomware and extortion-based attacks.
Other global trends I found interesting were the breakdown of malware families and the threat techniques identified across the team’s incident response investigations. Regarding malware, the researchers found that the top five malware categories have largely remained constant over the prior year. Those included backdoors (33%), downloaders (16%), droppers (15%), credential stealers (7%), and ransomware (5%). Topping the list as the most frequent malware observed last year was the BEACON (backdoor), which was seen in 10% of all Mandiant investigations in 2023.
The top 10 most commonly used MITRE ATT&CK techniques observed in 2023 were consistent with the prior year and, in fact, showed little change over the past several years. Diving deeper into this, Mandiant found that bad actors are finding increasing success using MITRE sub-techniques like PowerShell (T1059.001), Web Protocols (T1071.001), Remote Desktop Protocol (T1021.001), Service Execution (T1569.002), and File Deletion (T1070.004). The researchers contend that these built-in tools have become more commonly used by attackers because criminal activity carried out with them blends easily into the legitimate daily use by internal system and network admin teams.
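The network-layer monitoring Mandiant recommends is one way to catch Service Execution (T1569.002) even when the tool is a legitimate one like PsExec: the remote host sees an executable written to an admin share immediately followed by Service Control Manager calls over the svcctl pipe. The following is an added example, not code from the report or from Corelight; it runs a correlation over constructed Zeek-style smb_files and dce_rpc records (field names follow Zeek's log schemas, hosts and timestamps are invented).

```python
import json
from collections import defaultdict

# Service Control Manager operations that PsExec-style tools issue over the
# svcctl named pipe, and the admin shares they copy their service binary into.
SCM_OPS = {"CreateServiceW", "CreateServiceA", "StartServiceW", "StartServiceA"}
ADMIN_SHARES = {"ADMIN$", "C$"}

# Constructed Zeek-style JSON log lines (not a real capture). Field names follow
# Zeek's smb_files.log and dce_rpc.log; hosts and timestamps are illustrative.
SAMPLE_LOGS = r"""
{"_path":"smb_files","ts":100.1,"id.orig_h":"10.0.1.20","id.resp_h":"10.0.1.50","action":"SMB::FILE_WRITE","path":"\\\\10.0.1.50\\ADMIN$","name":"PSEXESVC.exe"}
{"_path":"dce_rpc","ts":100.3,"id.orig_h":"10.0.1.20","id.resp_h":"10.0.1.50","named_pipe":"\\pipe\\svcctl","endpoint":"svcctl","operation":"CreateServiceW"}
{"_path":"dce_rpc","ts":100.4,"id.orig_h":"10.0.1.20","id.resp_h":"10.0.1.50","named_pipe":"\\pipe\\svcctl","endpoint":"svcctl","operation":"StartServiceW"}
{"_path":"smb_files","ts":101.0,"id.orig_h":"10.0.1.30","id.resp_h":"10.0.1.60","action":"SMB::FILE_WRITE","path":"\\\\10.0.1.60\\Finance","name":"q3.xlsx"}
{"_path":"dce_rpc","ts":102.0,"id.orig_h":"10.0.1.9","id.resp_h":"10.0.1.70","named_pipe":"\\pipe\\svcctl","endpoint":"svcctl","operation":"QueryServiceStatus"}
{"_path":"dce_rpc","ts":900.0,"id.orig_h":"10.0.1.9","id.resp_h":"10.0.1.50","named_pipe":"\\pipe\\svcctl","endpoint":"svcctl","operation":"StartServiceW"}
"""


def detect_psexec_style(log_text, window=60.0):
    """Return sorted (orig_h, resp_h) pairs where the same client both wrote an
    .exe to an admin share and created/started a service via svcctl within
    `window` seconds. Either signal alone is common admin activity; together
    they are the PsExec execution pattern."""
    writes = defaultdict(list)   # (orig, resp) -> timestamps of admin-share writes
    svc_ops = defaultdict(list)  # (orig, resp) -> timestamps of SCM create/start
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        key = (rec["id.orig_h"], rec["id.resp_h"])
        if rec["_path"] == "smb_files" and rec.get("action") == "SMB::FILE_WRITE":
            share = rec.get("path", "").rsplit("\\", 1)[-1].upper()
            if share in ADMIN_SHARES and rec.get("name", "").lower().endswith(".exe"):
                writes[key].append(rec["ts"])
        elif rec["_path"] == "dce_rpc" and rec.get("endpoint") == "svcctl" \
                and rec.get("operation") in SCM_OPS:
            svc_ops[key].append(rec["ts"])
    hits = [key for key, wts in writes.items()
            if any(abs(w - s) <= window for w in wts for s in svc_ops.get(key, []))]
    return sorted(hits)


if __name__ == "__main__":
    print(detect_psexec_style(SAMPLE_LOGS))  # [('10.0.1.20', '10.0.1.50')]
```

Legitimate PsExec use by administrators produces the same pattern, so in practice the output is scored against an allow list of jump hosts rather than alerted on directly.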
Longer term, here are several of the major trends the Mandiant team has observed over the last 2-3 years that readers might also find interesting:
If you’re in the cybersecurity field and enjoy reading through the latest trends in threats, threat actors, and the methods they’re finding successful, you’ll enjoy reading through the findings in this year’s M-Trends report. While I only touched on a handful of key findings that caught my eye on where and how even less-skilled criminals are finding the most success, I recommend reviewing it for yourself to dig into the details and, more importantly, learn how these trends are or might be affecting your own organization. A single blog can’t possibly do the entire report justice.
Nevertheless, with the aim of using reports like this to help maintain a more secure posture across your environment, here are some primary suggestions offered by the Mandiant research team:
To learn more about how Corelight is working with Google Mandiant, visit the Corelight for Google Cloud homepage.