Mandiant: Attacker dwell time down, ransomware up in 2023

Mandiant's 'M-Trends' 2024 report offered positive signs for global cybersecurity but warned that threat actors are shifting to zero-day exploitation and evasion techniques.

Mandiant found that while attacker dwell time decreased in 2023, ransomware and other threats continued to rise.

The cybersecurity company published on Tuesday its 'M-Trends 2024 Special Report,' which offered some bright spots for organizations amid an increasingly complex and expansive threat landscape. According to the report, which is based on Mandiant Consulting investigations during 2023, the global median dwell time for attackers fell to its lowest point since the company began tracking the metric in 2011. Dwell time, which is the number of days that an attacker is present in an environment before being detected, decreased nearly a week -- from 16 days in 2022 to 10 days last year.

Just six years ago, the median dwell time was 78 days, according to Mandiant. The report also said internal detection of intrusions improved in 2023, with the global median falling to nine days from 13 days the year before.

"Broadly, the long-term trends of declining median dwell time and increasing rates of internal discovery of compromises indicate that organizations have made meaningful, measurable improvements in their defensive capabilities," the report read.

Another positive development was the increase in compromises detected internally by the targeted organization, which accounted for 46% of all intrusions last year compared with 37% in 2022. "This likely indicates that detection capabilities continue to improve across organizations," Mandiant said, which enables security teams to catch threat actors during the initial infection and reconnaissance phases of an attack.

Mandiant said the overall decrease in dwell time suggests that communication has improved between targeted organizations and external parties such as cybersecurity companies, who detect malicious activity and notify the victims. However, the company also said an increase in ransomware attacks could have been a factor as well because threat actors typically notify their victims of intrusions through ransom notes.

Ransomware and zero days

Like other cybersecurity companies, Mandiant observed an increase in ransomware activity in 2023. Investigations involving ransomware rose to 23% last year, compared to 18% in 2022. "This brings the percentage of ransomware-related intrusions back to where it was previously in 2021," the report read.

Many cybersecurity vendors observed a decline in ransomware activity in 2022, and experts generally attributed the temporary decrease to factors such as Russia's invasion of Ukraine and law enforcement actions such as sanctions and takedown operations.

In addition to the modest rise in attacks, Mandiant also reported that intrusions involving ransomware took longer to identify than attacks that did not feature ransomware. The company noted that in 70% of ransomware intrusions, the targeted organizations were notified by external parties, primarily from attackers' ransom demands.

However, Mandiant also reported some positive trends. "Intrusions involving ransomware were detected in six days when the notification came from an internal source, compared to 12 days in 2022," the report read. "Defenders were notified of ransomware-related intrusions from an external party in five days in 2023, two days quicker than what was observed in 2022."

Nick Richard, senior manager of Mandiant Intelligence at Google Cloud, said ransomware actors aren't necessarily improving their evasion techniques. But they are attempting to speed up their attack timelines to get ahead of defenders.

"The increase in the prevalence of ransomware-related intrusions, up five percent in 2023 combined with the change in global ransomware dwell time from nine days to five, may be more indicative of adversary's effort to accelerate their time to ransom execution due to increased risk of exposure as Mandiant has observed improvements in dwell time across all investigation types and notification sources," he told TechTarget Editorial.

Despite the encouraging data, Mandiant warned that threat actors of all types have increased their focus on evasion techniques, primarily through the exploitation of zero-day vulnerabilities. "In 2023, when the initial intrusion vector was identified, an exploit was observed 38% of the time. Mandiant continues to observe both cyber espionage and financially motivated attackers leveraging zero-day vulnerabilities to conduct their operations."

Mandiant said the most prevalent zero day in 2023 was CVE-2023-34362, a critical vulnerability in Progress Software's MoveIt Transfer managed file transfer product. Emsisoft estimated that attacks affected more than 2,000 MoveIt Transfer customers.

While Chinese cyber espionage groups exploited the most zero days in 2023, Mandiant warned such threats are "no longer a niche capability" limited to nation-state actors. "The rise of zero-day exploitation by ransomware and data theft extortion groups, continued state-sponsored exploitation, and the growth of turnkey or off-the-shelf capabilities that can be purchased from commercial surveillance vendors will continue to drive the identification of zero-day vulnerabilities and exploits that target them," the report said.

Along with zero days, the "M-Trends 2024 Special Report" noted that attackers are also embracing other approaches to evade detection, such as living off the land tactics. These involve threat actors using legitimate products and existing tools within a targeted environment to move laterally and gain access to sensitive data.

Richard noted that threat actors shifted away from popular backdoors such as Cobalt Strike Beacon over the last three years. "This likely is related to attackers moving from explicit malware usage on to leveraging memory resident malware, abusing third-party remote administration tools and employing more living off the land techniques that would generally make attackers more successful at evading endpoint security technologies," he said.

Additionally, attackers are increasingly targeting edge network devices and other technologies that may not be protected by detection and response products. Mandiant also warned of an increase in compromised cloud identities through MFA bypass attacks. "Most notable is the increasing adoption of web proxy or adversary-in-the-middle phishing pages, which are capable of rendering most MFA implementations ineffective by stealing sensitive login session tokens."

Rob Wright is a longtime reporter and senior news director for TechTarget Editorial's security team. He drives breaking infosec news and trends coverage. Have a tip? Email him.

Next Steps

Mandiant: Ransomware investigations up 20% in 2023

Dig Deeper on Threat detection and response