The global threat landscape continues to diversify with new groups and new tools launching attacks, according to a new FireEye Mandiant report.

The FireEye Mandiant M-Trends 2021 report provides statistics and insights gleaned from recent frontline Mandiant investigations around the globe. In its 12th year, the report’s release coincides with this week’s FireEye Mandiant Virtual Summit.

The report shows detection capabilities are improving, while ransomware surges on.

Ransomware actors used new extortion techniques to further pressure organizations into submitting to their demands. In addition, FIN11, a recently named financially motivated threat group, was responsible for widespread phishing campaigns.

Steven Stone is senior director of advanced practices at FireEye Mandiant.

FireEye’s Steven Stone

“The continuing diversity of the threat landscape is the most surprising finding,” he said. “While this is not a net-new trend, it continues year over year. We witnessed more net-new groups using net-new tools at the same time we saw the highest number of known groups and tools active across our event responses. Additionally, the diversity across groups continues to blend the lines of motivations, tool uses, and in some cases attempts to appear as a different threat type.”

Dwell Time Drops Below One Month for First Time

Over the past decade, Mandiant has seen a trending reduction in global median dwell time. That’s the duration between the start of a cyber intrusion and when someone identifies it. This measure went from over one year in 2011 to just 24 days in 2020. That’s more than twice as quickly identified compared to last year’s median dwell time of 56 days.

“Mandiant believes the combined improvements in detections from internal teams and also the continued reduction in median global dwell times indicate improvements on the organization side,” Stone said. “While some of these trends are likely due to ransomware, these progress areas are also highly likely due to maturing clients, continued innovations across the cybersecurity industry, and government/partnership efforts.”

Median dwell time trends varied by region. The Americas continued to decrease, dropping from 32 days down to only nine days. That marks the first time a region has dipped into single digits.

Conversely, APAC and EMEA experienced an overall increase in median dwell time. Mandiant believes that’s influenced by a greater number of intrusions with dwell times extending beyond three years, as compared to the Americas.

Internal Detections on the Rise

Last year’s report noted a drop in internal detections of intrusions compared to the previous year. However, Mandiant observed a return of organizations independently detecting most of their own incidents.

Internal incident detection rose to 59% in 2020. That’s a 12-point increase from 2019. This return to organizations detecting the majority of intrusions within their environments is in line with the overall trend observed over the last five years.

Notably, internal detection rose across all regions year-over-year. Organizations in the Americas led the internal detection trendline at 61%. EMEA and APAC followed, closely aligned at 53% and 52%, respectively.

In comparison, APAC and EMEA organizations got more notifications of compromise from external entities, versus organizations in the Americas.

Most Targeted Industries

The top five most targeted industries, in order, are business and professional services, retail and hospitality, financial, health care and high tech.

Mandiant says malicious hackers targeted organizations in retail and hospitality more heavily in 2020. That sector moved to second, compared to 11th in last year’s report.

This increased focus by threat actors can most likely be explained by the vital role the health care sector played during the global COVID-19 pandemic.

“M-Trends highlights the variety of threat groups seen over time, across our event responses,” Stone said. “And in 29% of our event responses, we encountered multiple groups. This challenge from a high number of malicious actors and routine nature of multi-threat group response is a difficult challenge for MSSPs and cybersecurity providers. This also provides an opportunity to conduct nuanced, tailored event response based on actor knowledge and expectations. Put simply, different threats require different responses for effective remediation. We hope to enable MSSPs and others in their understanding of this element in event response to drive holistic tailored response actions.”