Mandiant M-Trends 2024: A Deep Dive into Evolving Cyber Threats and Effective Defenses

Mandiant's annual M-Trends report offers valuable insights gleaned from their investigations throughout the year. The 2024 edition focuses on attacker tactics, techniques, and procedures (TTPs) observed in 2023, highlighting a concerning trend: attackers are actively prioritizing evasion.

This report summarizes the key takeaways from M-Trends 2024, exploring the evolving threat landscape, effective defense strategies, and the crucial role of threat intelligence.

Trend One: Evasion Tactics on the Rise

One of the most concerning findings is the growing focus on evasion by attackers. They are employing a variety of techniques to avoid detection, making it more challenging for defenders to identify and respond to threats promptly. Here are some of the key evasion tactics observed:

  • Zero-day vulnerabilities: Attackers are increasingly exploiting zero-day vulnerabilities, which are previously unknown security flaws in software or hardware. These vulnerabilities are particularly dangerous because there are no existing patches or security measures in place to defend against them.
  • Targeting edge devices: Attackers are shifting their focus towards compromising edge devices, such as internet of things (IoT) devices and operational technology (OT) systems. These devices are often overlooked by traditional security measures, making them easy targets for attackers to establish a foothold within a network.
  • Living off the land (LotL): Attackers are increasingly leveraging legitimate tools and functionalities already available on a compromised system. This technique, known as living off the land, allows attackers to evade detection by blending in with normal system activity.

These evasion tactics pose a significant challenge for defenders. Traditional security measures that rely on signature-based detection may be ineffective against zero-day vulnerabilities and LotL techniques. Organizations need to adopt a more comprehensive security approach that incorporates threat intelligence, deception tactics, and continuous monitoring to identify and respond to these sophisticated attacks.

Trend Two: Positive Signs - Defenders are Improving Detection

Despite the rise of evasion tactics, there is some positive news. The report indicates that defenders are making progress in detecting threats more quickly. The global median dwell time*, which measures the time from initial intrusion to detection, has decreased to 10 days in 2023, down from 16 days in 2022. This suggests that security teams are becoming more effective at identifying and responding to cyber threats.

Global Median Dwell Time, 2011-2023 (Source: Mandiant)

This improvement can be attributed to several factors, including:

  • Increased investment in security tools and technologies: Organizations are investing in more sophisticated security tools, such as endpoint detection and response (EDR) solutions and threat intelligence platforms, which can help them detect and respond to threats faster.
  • Improved security awareness training: Security awareness training programs can help employees identify phishing attempts, social engineering tactics, and other common attack vectors.
  • Focus on threat intelligence: Threat intelligence provides organizations with valuable insights into the latest attacker TTPs and emerging threats. This information can be used to proactively hunt for threats within the network and improve the effectiveness of security controls.

*Dwell time: Dwell time is calculated as the number of days an attacker is present in a compromised environment before they are detected. The median represents a value at the midpoint of a dataset sorted by magnitude.

Trend Three: Ransomware Remains a Major Threat

Ransomware continues to be a significant threat for organizations of all sizes. The M-Trends report highlights a rise in ransomware-related intrusions*, accounting for 23% of all investigations in 2023 compared to 18% in 2022. This trend underscores the need for organizations to have a robust incident response plan in place to mitigate the impact of a ransomware attack.

Here are some key findings related to ransomware:

  • Faster detection of ransomware: Organizations are detecting ransomware attacks faster, with a median detection time of five days in 2023 compared to nine days in 2022. This improvement is likely due to a combination of factors, including increased security awareness and better detection tools.
  • External notification of ransomware attacks: Ransomware attacks are more likely to be discovered through external notification sources, such as law enforcement or security companies, compared to internal detection. This suggests that organizations may need to improve their internal monitoring capabilities to identify ransomware attacks earlier in the attack lifecycle.

Ransomware Detection by Source, 2023 (Source: Mandiant)

*A ransomware-related intrusion provides access for or is associated with an attacker that has the primary goal of encrypting data, with the intention of extracting payment from the target in order to avoid further harm or to undo the malicious action.
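The dwell-time and detection-source figures above are simple statistics over incident records, and the footnotes define exactly how they are computed. The following Python is an added example (not Mandiant's code or data): it builds a small constructed incident set, derives dwell time as the day count between first evidence of compromise and detection, and reproduces the report's style of metrics (global median, median by detection source, ransomware share and its median). The incident records, dates and source labels are all constructed for illustration.

```python
from datetime import date
from statistics import median

# Constructed incident records (illustrative only, not Mandiant data).
# first_evidence: earliest evidence of attacker presence; detected: when the
# intrusion was identified; source: who surfaced it; ransomware: whether the
# intrusion matches the report's ransomware-related definition.
INCIDENTS = [
    {"id": "INC-01", "first_evidence": date(2023, 1, 3),  "detected": date(2023, 1, 5),  "source": "external", "ransomware": True},
    {"id": "INC-02", "first_evidence": date(2023, 2, 1),  "detected": date(2023, 2, 11), "source": "internal", "ransomware": False},
    {"id": "INC-03", "first_evidence": date(2023, 3, 10), "detected": date(2023, 3, 15), "source": "external", "ransomware": True},
    {"id": "INC-04", "first_evidence": date(2023, 4, 1),  "detected": date(2023, 5, 1),  "source": "internal", "ransomware": False},
    {"id": "INC-05", "first_evidence": date(2023, 5, 20), "detected": date(2023, 5, 21), "source": "internal", "ransomware": False},
    {"id": "INC-06", "first_evidence": date(2023, 6, 1),  "detected": date(2023, 6, 15), "source": "external", "ransomware": False},
    {"id": "INC-07", "first_evidence": date(2023, 7, 4),  "detected": date(2023, 7, 11), "source": "external", "ransomware": True},
    {"id": "INC-08", "first_evidence": date(2023, 8, 1),  "detected": date(2023, 9, 30), "source": "internal", "ransomware": False},
    {"id": "INC-09", "first_evidence": date(2023, 10, 2), "detected": date(2023, 10, 11), "source": "external", "ransomware": False},
]


def dwell_time_days(incident):
    """Dwell time: whole days the attacker was present before detection."""
    days = (incident["detected"] - incident["first_evidence"]).days
    if days < 0:
        # A detection date before first evidence is a data-quality error, not a metric.
        raise ValueError(f"{incident['id']}: detected before first evidence")
    return days


def median_dwell_time(incidents):
    """Median = midpoint of the sorted dwell times (mean of the two middle values when even)."""
    if not incidents:
        return None
    return median([dwell_time_days(i) for i in incidents])


def dwell_time_by_source(incidents):
    """Median dwell time broken down by who surfaced the intrusion."""
    out = {}
    for src in sorted({i["source"] for i in incidents}):
        subset = [i for i in incidents if i["source"] == src]
        out[src] = {"count": len(subset), "median_dwell_days": median_dwell_time(subset)}
    return out


def detection_source_share(incidents):
    """Percentage of intrusions surfaced by each detection source."""
    total = len(incidents)
    return {src: round(100 * v["count"] / total, 1) for src, v in dwell_time_by_source(incidents).items()}


def ransomware_breakdown(incidents):
    """Ransomware share of investigations plus median dwell time for ransomware vs. the rest."""
    ransom = [i for i in incidents if i["ransomware"]]
    other = [i for i in incidents if not i["ransomware"]]
    ext = sum(1 for i in ransom if i["source"] == "external")
    return {
        "share_pct": round(100 * len(ransom) / len(incidents), 1),
        "median_dwell_days_ransomware": median_dwell_time(ransom),
        "median_dwell_days_other": median_dwell_time(other),
        "external_detection_pct_ransomware": round(100 * ext / len(ransom), 1) if ransom else None,
    }


if __name__ == "__main__":
    print("global median dwell time:", median_dwell_time(INCIDENTS), "days")
    print("by source:", dwell_time_by_source(INCIDENTS))
    print("source share:", detection_source_share(INCIDENTS))
    print("ransomware:", ransomware_breakdown(INCIDENTS))
```

The median rather than the mean is used deliberately: a single intrusion that sat undetected for a year would drag the mean far above what most victims experience, while the median stays at the midpoint of the distribution.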

Trend Four: Evolution of Phishing and Bypassing MFA

The report also explores the evolution of phishing tactics and the growing challenge of bypassing multi-factor authentication (MFA). Attackers are constantly adapting their phishing techniques to bypass traditional security controls. Here are some of the concerning trends observed:

  • Social media and communication channels: Attackers are increasingly using social media platforms, SMS, and other communication channels to launch phishing attacks. These channels allow attackers to target victims with more personalized and believable messages.
  • Adversary-in-the-middle (AiTM) attacks: Attackers are employing AiTM attacks to bypass MFA. In an AiTM attack, the attacker intercepts the communication between a user and a legitimate service, allowing them to steal credentials or gain unauthorized access.

Common MFA Methods (Source: Mandiant)

The Cloud Security Landscape

Cloud infrastructure and resources are becoming increasingly attractive targets for attackers. The report highlights several trends related to cloud security:

  • Exploiting cloud misconfigurations: Attackers are taking advantage of misconfigured cloud deployments to gain access to sensitive data or resources. Organizations need to ensure their cloud environments are properly configured and secured.
  • Data breaches in the cloud: Cloud data breaches are a growing concern. Attackers are using a variety of techniques to steal data stored in the cloud, such as exploiting vulnerabilities in cloud storage platforms or compromising user credentials.

Cloud service providers (CSPs) provide many tools to help organizations detect and prevent common crypto-mining schemes. First, all CSPs support authentication methods that provide additional security features beyond access keys and API secrets. Organizations should audit their cloud accounts and establish a program to remove any access keys, especially “root” or “superuser” access keys, and move towards modern role-based programmatic access. Additionally, budgeting alerts and limits are an effective way to monitor cloud accounts for abnormal spending, which is often a high-fidelity signal that a cryptocurrency-mining scheme has hijacked the account. Finally, consider using a “secure by default” design for any new cloud environment: it bakes in vendor best practices to reduce the attack surface.
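The two controls recommended above, an access-key audit and spend-based alerting, are easy to express as code. The following Python is an added example (not the report's or any CSP's tooling) that runs over a constructed key inventory shaped like an IAM key listing joined with last-used data, flags root keys, never-used keys, idle keys and over-age keys, and then flags days where spend jumps to a multiple of the trailing baseline. The key IDs, principal names, thresholds (90-day age, 45-day idle, 3x spend) and daily spend figures are all constructed assumptions; in a real account the inventory would come from the provider's credential-report or key-listing API.

```python
from datetime import datetime, timedelta, timezone
from statistics import mean

# Fixed "now" so the constructed inventory below evaluates deterministically.
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)


def _days_ago(n):
    return NOW - timedelta(days=n)


# Constructed credential inventory (illustrative; key IDs are placeholders, not real keys).
ACCESS_KEYS = [
    {"principal": "root",       "key_id": "AKIA0000EXAMPLE0001", "status": "Active",   "created": _days_ago(800), "last_used": _days_ago(3)},
    {"principal": "deploy-bot", "key_id": "AKIA0000EXAMPLE0002", "status": "Active",   "created": _days_ago(30),  "last_used": _days_ago(2)},
    {"principal": "legacy-etl", "key_id": "AKIA0000EXAMPLE0003", "status": "Active",   "created": _days_ago(400), "last_used": _days_ago(200)},
    {"principal": "contractor", "key_id": "AKIA0000EXAMPLE0004", "status": "Active",   "created": _days_ago(10),  "last_used": None},
    {"principal": "old-ci",     "key_id": "AKIA0000EXAMPLE0005", "status": "Inactive", "created": _days_ago(500), "last_used": _days_ago(300)},
]

# Assumed policy thresholds (tune to your own standard).
MAX_KEY_AGE_DAYS = 90
MAX_IDLE_DAYS = 45


def audit_access_keys(keys, now=NOW):
    """Return (key_id, severity, reason) findings for keys that should be removed or rotated."""
    findings = []
    for k in keys:
        if k["status"] != "Active":
            continue  # already disabled; nothing to exploit
        if k["principal"] == "root":
            # A root/superuser key bypasses every role boundary: delete it outright.
            findings.append((k["key_id"], "critical", "root access key is active; delete it and use role-based access"))
            continue
        age = (now - k["created"]).days
        if k["last_used"] is None:
            findings.append((k["key_id"], "medium", "key has never been used; remove it"))
        else:
            idle = (now - k["last_used"]).days
            if idle > MAX_IDLE_DAYS:
                findings.append((k["key_id"], "medium", f"key unused for {idle} days; remove it"))
        if age > MAX_KEY_AGE_DAYS:
            findings.append((k["key_id"], "low", f"key is {age} days old; rotate it or replace it with a role"))
    return findings


# Constructed daily spend in USD: a week of steady baseline, then a sudden surge
# of the kind a hijacked account running miners produces.
DAILY_SPEND_USD = [100, 105, 98, 102, 110, 99, 101, 104, 103, 950, 1400]


def spend_alerts(daily_spend, window=7, multiplier=3.0, minimum_baseline=1.0):
    """Flag days whose spend exceeds `multiplier` x the mean of the previous `window` days.

    Returns (day_index, spend, baseline) tuples. `minimum_baseline` stops a
    near-zero baseline (a brand-new account) from alerting on trivial amounts.
    """
    alerts = []
    for i in range(window, len(daily_spend)):
        baseline = max(mean(daily_spend[i - window:i]), minimum_baseline)
        if daily_spend[i] > multiplier * baseline:
            alerts.append((i, daily_spend[i], round(baseline, 2)))
    return alerts


if __name__ == "__main__":
    for key_id, severity, reason in audit_access_keys(ACCESS_KEYS):
        print(f"[{severity}] {key_id}: {reason}")
    for day, spend, baseline in spend_alerts(DAILY_SPEND_USD):
        print(f"day {day}: spend {spend} vs baseline {baseline}")
```

A trailing-window baseline is deliberately simple; a provider's native budget alert does the same comparison against a fixed limit, and the two complement each other: the fixed limit catches slow growth, the ratio check catches the overnight spike.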

The Role of Artificial Intelligence (AI) in Security

The report explores the growing role of AI in security operations. Both defenders and attackers are leveraging AI to improve their capabilities:

  • Red and purple teaming with AI: Mandiant highlights the use of AI in red and purple teaming exercises. Red teaming simulates real-world attacks to test an organization's security posture. Purple teaming combines red teaming with threat intelligence to create a more realistic and dynamic testing environment. AI can be used to automate tasks, analyze data, and identify potential security weaknesses during these exercises.
  • AI-powered threat detection and hunting: Security vendors are increasingly developing AI-powered tools that can be used to detect and respond to threats faster. These tools can analyze network traffic, user behavior, and other data points to identify anomalies that may indicate a potential attack.

Importance of Threat Intelligence

The M-Trends report emphasizes the critical role of threat intelligence in today's security landscape. Threat intelligence provides organizations with actionable insights into the latest attacker TTPs, emerging threats, and vulnerabilities. This information can be used to:


  • Proactively hunt for threats: Organizations can use threat intelligence to identify potential indicators of compromise (IOCs) within their network and proactively hunt for threats before they can cause damage.
  • Prioritize security vulnerabilities: Threat intelligence can help organizations prioritize which security vulnerabilities to patch first based on the likelihood of them being exploited by attackers.
  • Improve security awareness training: Threat intelligence can be used to inform security awareness training programs, ensuring employees are aware of the latest threats and attack vectors.
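The first use listed above, hunting for known indicators of compromise, is the most mechanical and a good place to start. The following Python is an added example (not Mandiant's or any vendor's tooling): it indexes a small constructed IOC feed (an IP, a CIDR range, a domain and a SHA-256 hash) and sweeps constructed proxy, DNS and EDR log lines for exact, subnet and subdomain matches, returning each hit with the feed context an analyst needs to triage it. The indicators use reserved documentation ranges and the `.example` TLD, the hash is the SHA-256 of an empty input, and the log lines are invented; none of them refer to real infrastructure.

```python
import ipaddress
import re

# Constructed threat-intelligence feed (illustrative; not from any real source).
IOC_FEED = [
    {"type": "ipv4",   "value": "203.0.113.45",        "context": "C2 beacon"},
    {"type": "cidr",   "value": "198.51.100.0/24",     "context": "attacker hosting range"},
    {"type": "domain", "value": "update-check.example", "context": "phishing landing page"},
    {"type": "sha256", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "context": "dropper"},
]

# Constructed log lines in a proxy / DNS / EDR style.
LOG_LINES = [
    "2023-11-02T10:14:07Z proxy user=alice dst=203.0.113.45:443 action=allow",
    "2023-11-02T10:15:22Z proxy user=bob dst=198.51.100.77:8080 action=allow",
    "2023-11-02T10:16:01Z dns client=10.0.0.23 query=login.update-check.example type=A",
    "2023-11-02T10:17:45Z edr host=ws-17 event=process_create sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 image=C:\\Users\\Public\\svc.exe",
    "2023-11-02T10:18:30Z proxy user=carol dst=192.0.2.10:443 action=allow",
    "2023-11-02T10:19:00Z dns client=10.0.0.24 query=mail.example.org type=MX",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def compile_feed(feed):
    """Index the feed: exact-match lookup for IPs/hashes, parsed networks, lowercase domains."""
    exact, nets, domains = {}, [], []
    for ioc in feed:
        if ioc["type"] == "cidr":
            nets.append((ipaddress.ip_network(ioc["value"], strict=False), ioc))
        elif ioc["type"] == "domain":
            domains.append((ioc["value"].lower(), ioc))
        else:
            exact[(ioc["type"], ioc["value"].lower())] = ioc
    return exact, nets, domains


def _hit(lineno, matched, ioc):
    return {"line": lineno, "matched": matched, "indicator": ioc["value"],
            "type": ioc["type"], "context": ioc["context"]}


def hunt(log_lines, feed):
    """Sweep log lines for feed indicators; returns one hit dict per match, in line order."""
    exact, nets, domains = compile_feed(feed)
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for ip in IPV4_RE.findall(line):
            ioc = exact.get(("ipv4", ip))
            if ioc:
                hits.append(_hit(lineno, ip, ioc))
                continue
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue  # regex matched something that is not a valid address
            for net, ioc in nets:
                if addr in net:
                    hits.append(_hit(lineno, ip, ioc))
        for digest in SHA256_RE.findall(line):
            ioc = exact.get(("sha256", digest.lower()))
            if ioc:
                hits.append(_hit(lineno, digest.lower(), ioc))
        for dom in DOMAIN_RE.findall(line):
            d = dom.lower()
            for value, ioc in domains:
                # Match the domain itself and any subdomain of it.
                if d == value or d.endswith("." + value):
                    hits.append(_hit(lineno, d, ioc))
    return hits


def summarize(hits):
    """Count hits per indicator type, for a quick triage overview."""
    counts = {}
    for h in hits:
        counts[h["type"]] = counts.get(h["type"], 0) + 1
    return counts


if __name__ == "__main__":
    found = hunt(LOG_LINES, IOC_FEED)
    for h in found:
        print(f"line {h['line']}: {h['matched']} -> {h['indicator']} ({h['context']})")
    print(summarize(found))
```

Matching on subnets and subdomains rather than exact strings is what turns a feed into a hunt: the feed entry is the attacker's range or registered domain, while the log records the specific host or hostname that was actually contacted.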

Building a Comprehensive Security Program

The report concludes by outlining the key components of a comprehensive security program that can help organizations defend against today's evolving cyber threats. Here are some of the recommendations:

  • Regular testing: Organizations should conduct regular security testing exercises, such as red team and purple team engagements, to identify and address security weaknesses.
  • Strong incident response plan: Having a well-defined and tested incident response plan is critical for minimizing the impact of a security breach.
  • Core security practices: Organizations should implement core security practices such as vulnerability management, least privilege access controls, and system hardening.
  • Comprehensive security program: A comprehensive security program should span the entire IT infrastructure, including cloud environments, on-premises systems, and operational technology (OT) systems.
  • Threat intelligence-driven security: Threat intelligence should be integrated into all aspects of an organization's security program to inform detection, prevention, and response activities.

The Cloud Security Expert You Can Trust: CloudMile

By following these recommendations and staying up-to-date on the latest attacker TTPs through reports like Mandiant's M-Trends, organizations can significantly improve their security posture and better defend themselves against cyber threats.

CloudMile, a leading AI and cloud technology company in Asia, focuses on digital transformation for its corporate clients and on driving their growth. Leveraging machine learning and big data analysis, CloudMile assists over 900 corporate clients with business forecasts and industrial upgrades. Feel free to contact us to learn more about our cloud security offerings: https://mile.cloud/contact
