Mandiant, Inc. the findings of Mandiant® M-Trends® 2022, an annual report that provides timely data and insights based on Mandiant frontline investigations and remediations of high-impact cyber attacks worldwide. The 2022 report––which tracks investigation metrics between October 1, 2020 and December 31, 2021—reveals that while significant progress has been made in threat detection and response, Mandiant continues to see adversaries innovate and adapt to achieve their mission in targeted environments.
Global Median Dwell Time Drops to Three Weeks
According to the M-Trends 2022 report, the global median dwell time––which is calculated as the median number of days an attacker is present in a target’s environment before being detected––decreased from 24 days in 2020 to 21 days in 2021. Digging deeper, the report notes that the APAC region saw the biggest decline in median dwell time, dropping to just 21 days in 2021 compared to 76 days in 2020. Median dwell time also fell in EMEA, down to 48 days in 2021 compared to 66 days the year before. In the Americas, median dwell time stayed steady at 17 days.
When comparing how threats were detected across different regions, the report found that in EMEA and APAC, the majority of intrusions in 2021 were identified by external third parties (62% and 76%, respectively), a reversal of what was observed in 2020. In the Americas, the detection by source remained constant with most intrusions detected internally by organizations themselves (60%).
Organizations’ improved threat visibility and response as well as the pervasiveness of ransomware––which has a significantly lower median dwell time than non-ransomware intrusions––are likely driving factors behind reduced median dwell time, per the report.
New Threats Emerge as China Ramps Up Espionage Activity
Mandiant continues to expand its extensive threat knowledge base through frontline investigations, access to the criminal marketplace, security telemetry and the use of proprietary research methods and datasets, analyzed by more than 300 intelligence professionals across 26 countries. As a result of relentless information gathering and analysis, Mandiant experts began tracking 1,100+ new threat groups during this M-Trends reporting period. Mandiant also began tracking 733 new malware families, of which 86% were not publicly available, continuing the trend of availability of new malware families being restricted or likely privately developed, according to the report.
Charles Carmakal, Senior Vice President and Chief Technology Officer, Mandiant, said, “Chinese cyber espionage activity ramped up significantly in recent years, with Asia and the U.S. remaining the most targeted regions. This year’s M-Trends report notes a specific focus on government organizations as well as the use of the same malware families among multiple cyber espionage actor sets, likely due to resource and tool sharing by disparate groups. Further, with the implementation of China’s 14th Five-Year Plan in 2021, we expect to see cyber espionage activity continue to accelerate in support of China’s national security and economic interests over the next few years.”
M-Trends 2022 also notes a realignment and retooling of China cyber espionage operations to align with the implementation of China’s 14th Five-Year Plan in 2021. The report warns that the national-level priorities included in the plan “signal an upcoming increase in China-nexus actors conducting intrusion attempts against intellectual property or other strategically important economic concerns, as well as defense industry products and other dual-use technologies over the next few years.”