FireEye Report Outlines Critical Details on Trending Attacker Techniques & Malware

by CISOCONNECT Bureau

FireEye has released the FireEye Mandiant M-Trends 2021 report. This year's report covers emerging attacker strategies and malware, the spread of multifaceted extortion and ransomware, preparing for anticipated UNC2452 / SUNBURST copycat threat actors, rising insider attacks, and pandemic and industry targeting patterns. Additional research findings are outlined in the following sections.

Commenting on the development, Sandra Joyce, Executive Vice President, Global Threat Intelligence, Mandiant, said that “UNC2452, the threat actor responsible for the SolarWinds supply chain attack, reminds us that a highly-disciplined and patient actor cannot be underestimated. This actor’s attention paid to operational security, counter forensics, and even counterintelligence set it apart from its peers. Defense against this actor will not be easy, but it is not impossible. We have learned a great deal about UNC2452 in recent months, and we believe that intelligence will be our advantage in future encounters.”

For the First Time, the Global Median Dwell Time Falls Below One Month
Over the last decade, Mandiant has observed a downward trend in global median dwell time, defined as the duration between the start of a cyber intrusion and when it is identified. This metric has decreased from over a year in 2011 to just 24 days in 2020, meaning intrusions were identified more than twice as fast as in last year's report, which had a median dwell time of 56 days. According to Mandiant, this decrease is due to the continued growth and enhancement of organisational detection and response capabilities, as well as an increase in multifaceted extortion and ransomware intrusions.

Trends in median dwell time differed by region. In the Americas, median dwell time began to decline. The Americas saw the greatest improvement in median dwell time for incidents discovered internally, falling from 32 days to just 9 days, the first time a region has dipped into single digits. In contrast to the Americas, APAC and EMEA saw median dwell time rise on average, which Mandiant experts attribute to a higher number of intrusions with dwell times exceeding 3 years.

Rising Internal Detections
Although the previous year's study noted a decrease in internal intrusion detections relative to the year before, Mandiant experts saw organisations return to detecting most of their own incidents independently. Internal incident detection increased by 12 points from 2019 to 59 percent in 2020. This return to companies detecting the majority of intrusions within their own environments follows a 5-year pattern.

Internal detection was up year over year in all regions. The Americas led the internal detection trendline with 61 percent, followed by EMEA and APAC, which were closely aligned at 53 percent and 52 percent, respectively. In contrast to North America, APAC and EMEA organisations received more notifications of compromise from external agencies.

Retail, Hospitality, and Healthcare are the Targets of the Attackers
Business and professional services, retail and hospitality, financial, healthcare, and high technology are the top 5 most targeted industries, in that order.

According to Mandiant analysts, retail and hospitality organisations were targeted more heavily in 2020, coming in as the second most targeted sector, up from 11th in last year's survey. Healthcare jumped from eighth place last year to third place in 2020. The critical role played by the healthcare sector during the global pandemic most likely explains the increased attention from threat actors.