Full Report
Attackers are taking greater strides to evade detection. This is one of the running themes in our latest release: M-Trends 2024. This edition of our annual report continues our tradition of providing relevant attacker and defender metrics, and insights into the latest attacker tactics, techniques and procedures, along with guidance and best practices on how organizations and defenders should be responding to threats.

This year’s M-Trends report covers Mandiant Consulting investigations of targeted attack activity conducted between January 1, 2023 and December 31, 2023. During that time, many of our observations demonstrate a more concerted effort by attackers to evade detection and remain undetected on systems for longer periods of time:

- Increased targeting of edge devices and platforms that traditionally lack endpoint detection and response solutions.
- A more than 50% growth in zero-day usage over the same reporting period in 2022, by both espionage groups and financially motivated attackers.
- More “living off the land,” or use of legitimate, pre-installed tools and software within an environment.

Despite the increased focus on evasion by attackers, we are pleased to report that defenders are generally continuing to improve at detecting threats. Dwell time represents the period an attacker is on a system from compromise to detection, and in 2023 the global median dwell time is now 10 days, down from 16 days in 2022. While various factors (such as ransomware) help drive down dwell time, it’s still a big win for defenders. We can’t let up, however. Mandiant red teams need only five to seven days on average to achieve their objectives, so organizations must remain vigilant.

Other M-Trends 2024 metrics include:

- 54% of organizations first learned of a compromise from an external source (down from 63% in 2022), while 46% first identified evidence of a compromise internally.
- Our engagements most frequently occurred at financial services organizations (17.3%), business and professional services (13.3%), high tech (12.4%), retail and hospitality (8.6%), healthcare (8.1%), and government (8.1%).
- The most common initial infection vectors were exploits (38%), phishing (17%), prior compromise (15%), and stolen credentials (10%).

Additional topics covered in detail in M-Trends 2024 include Chinese espionage operations targeting the visibility gap, the evolution of phishing amid shifting security controls, the use of adversary-in-the-middle to overcome multi-factor authentication, cloud intrusion trends, and the role of artificial intelligence in red and purple team engagements.

With the release of M-Trends 2024, we hope to arm security professionals with insights from the frontlines of the latest, constantly evolving cyber attacks, and to provide actionable learnings to improve organizations’ security postures. Read M-Trends 2024 now, and register today for our webinar series to get a closer look from experts about the data and insights in this year’s report. M-Trends 2024: Executive Edition is also available to read now, featuring a high-level overview of each section, along with key takeaways. Finally, listen to our M-Trends 2024 podcast to hear more perspectives on the report.
Analysis Summary
# Industry News: Mandiant Releases M-Trends 2024 Highlighting Stealthier Tactics and Smarter Defenders
## Summary
Google Cloud’s Mandiant released its 15th annual M-Trends report, revealing a significant shift toward stealthier evasion techniques by cyber adversaries, including a 50% surge in zero-day exploits and targeting of "unmanaged" edge devices. Despite these sophisticated threats, global median dwell time has dropped to a record low of 10 days, signaling a maturation in corporate detection capabilities and the influence of rapid-onset ransomware.
## Key Details
- **Date:** April 23, 2024
- **Companies Involved:** Mandiant (Google Cloud), Google
- **Category:** Market Analysis / Threat Intelligence Report
## The Story
The M-Trends 2024 report, based on Mandiant Consulting investigations throughout 2023, paints a picture of a "cat-and-mouse" game reaching new levels of sophistication. Attackers are increasingly moving toward the "visibility gap"—targeting edge devices (routers, firewalls, IoT) and platforms that lack Endpoint Detection and Response (EDR) agents. This is coupled with a heavy reliance on "Living off the Land" (LotL) techniques, where attackers use built-in administrative tools to blend in with legitimate network traffic.
While espionage groups remain the primary users of zero-day vulnerabilities, financially motivated actors are now adopting these high-cost exploits at a faster rate. However, the industry’s defensive posture is improving. For the first time, nearly half (46%) of organizations are detecting their own breaches internally, and the median dwell time—the time an attacker goes unnoticed—has fallen from 16 days in 2022 to just 10 days in 2023.
## Business Impact
### For the Companies Involved
- **Mandiant/Google Cloud:** Solidifies Google’s position as a premier provider of high-end threat intelligence. This report serves as a primary marketing and thought-leadership vehicle, justifying the premium pricing of Google Cloud’s security suite.
### For Competitors
- **CrowdStrike, Palo Alto, Microsoft:** These competitors face pressure to match Mandiant’s frontline visibility. The data validates a move toward "Edge Security" and "XDR" (Extended Detection and Response), forcing competitors to prove their efficacy against LotL and zero-day threats.
### For Customers
- **Resource Allocation:** Organizations are being signaled to shift budget away from traditional endpoint security toward edge device monitoring and identity-centric security (due to the rise in MFA-bypass/Adversary-in-the-Middle attacks).
### For the Market
- **Market Maturity:** The drop in dwell time suggests that the billions of dollars invested in cybersecurity over the last decade are finally showing measurable returns in detection speed.
## Technical Implications
The report highlights three major technical shifts:
1. **The Edge as a Blind Spot:** Critical infrastructure components such as firewalls and load balancers are becoming the new "entryway" because they cannot host traditional security software.
2. **Zero-Day Democratization:** Zero-day exploits are no longer the exclusive domain of nation-states.
3. **MFA Evasion:** Adversaries are increasingly using "Adversary-in-the-Middle" (AiTM) techniques to bypass multi-factor authentication, rendering traditional SMS- or push-based MFA less effective.
## Strategic Analysis
- **Market Positioning:** Mandiant leverages this report to move from being a "reactive" incident response firm to a "proactive" strategic advisor.
- **Competitive Advantage:** Direct visibility into 2023's biggest breaches gives Mandiant a data advantage that non-consulting-led security firms lack.
- **Challenges:** The report notes that Mandiant's own Red Teams only need 5-7 days to achieve objectives. This means that while 10 days of dwell time is a "win," it is still too slow to prevent a determined attacker from completing their mission.
## Industry Reactions
- **Analyst Opinions:** Analysts generally view the 10-day dwell time as a milestone, though they caution that the "ransomware effect" (where attackers reveal themselves to demand payment) may be artificially deflating this number.
- **Market Response:** The focus on "visibility gaps" in edge devices is expected to drive increased interest in SASE (Secure Access Service Edge) and Network Detection and Response (NDR) solutions.
## Future Outlook
- **Predictive AI:** We should expect a rise in AI-driven red teaming and automated adversary simulations as organizations try to close the 3-5 day gap between current detection (10 days) and attacker objective completion (5-7 days).
- **China-Nexus Threats:** The report specifically warns of continued Chinese espionage targeting the "visibility gap," suggesting this will be a primary geopolitical cybersecurity focus in 2024-2025.
## For Security Professionals
- **Prioritize Edge Monitoring:** If you aren't monitoring your firewalls and edge gateways for unusual outbound traffic, you have a critical blind spot.
- **Update MFA Strategies:** Move toward FIDO2/hardware-based keys where possible to mitigate AiTM attacks.
- **Audit "Living off the Land":** Focus on behavioral analytics rather than just hunting for malware. Attackers are using your own tools against you.