Who are today's attackers?
652 new threat activity clusters were identified and tracked to 1,900+ distinct entities (including UNCs, FINs and APTs).
More threat groups than ever before are using a mix of public and private tools to pursue a wider variety of motivations and actions.
30% of all intrusions had multiple threat groups active in one environment, nearly double compared to 2019.
Many groups specialize in certain phases of the attack lifecycle and form partnerships with other actors to complete their mission.
Infection Vector
Over 50% of all intrusions where the initial infection vector was identified started with an exploit or phishing email.
a) In 29% of intrusions, attackers leveraged exploits to gain access.
b) In 23% of intrusions, attackers leveraged phishing to gain access.
MITRE ATT&CK
63% of MITRE ATT&CK techniques were used by attackers, but only 23% of all techniques were seen in more than 5% of intrusions.
UNC: uncategorized threat actor
FIN: financially motivated threat actor
APT: advanced persistent threat group
What do they target?
The most targeted industries continue to remain consistent year over year. The top targeted industries have changed minimally, while their position in the rankings is somewhat fluid. Currently, the top five most targeted industries are professional services, retail and hospitality, financial, healthcare, and high technology.
Where do they attack?
In 53% of intrusions, adversaries used obfuscation, such as encryption or encoding, on files or information to make detection and subsequent analysis more difficult.
Attackers take advantage of what is available in victim environments, with emphasis on the use of PowerShell (41%), Windows services (31%) and Remote Desktop (25%).
A Stealth Supply Chain Attack
UNC2452 (also known as SUNBURST), a supply chain attack with a substantial cyber espionage remit, maintained a LOW malware profile alongside a HIGH tradecraft skillset.
The actors have a deep understanding of incident response and SOC operations.
UNC2452/SUNBURST also shows that highly sophisticated attackers can be disrupted by the right security methods and attention to detail.
Financial Gain
38% of intrusions included a component of financial gain, including extortion, ransom, payment card theft, illicit transfers, and reselling access.
Data Theft
In 32% of intrusions, adversaries stole data, and in 9% of cases the data theft likely supported intellectual property or espionage end goals.
"FireEye is consistently innovating and enhancing its technologies to address the constantly changing threat landscape. Every update irrefutably demonstrates an understanding of how malware is evolving around the world."
This difference in median dwell time is attributed to the value of focusing on individual actors and methods, resulting in effective response and remediation.
When are attackers found?
Over the last decade, global median dwell time has dropped from over ONE YEAR to less than ONE MONTH. And in the last year alone, global median dwell time dropped by just over 50%, from 56 days to 24 days.
How are they found?
59% of organizations detected their own intrusion activity, with the remaining 41% of notifications coming from cybersecurity vendors, government partners, or other organizations, a 12% improvement from our previous report. This confirms the growing improvement of internal detections across all regions. Organizations detecting their own intrusions are typically better prepared for the response and remediation actions required.
Professional Services
MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.
Financial gain includes extortion, ransom, payment card theft and illicit transfers.
The COVID-19 Effect
• APT32, a Vietnam-nexus espionage actor, targeted campaigns in Beijing and Wuhan, where COVID-19 was first found.
• APT41, a Chinese state-sponsored espionage actor, tried to exploit remote access and network appliance vulnerabilities in healthcare environments.
Dr. Adrian M. Mayers, Senior Director of Information Security, Vertafore
After the assessment was completed, the customer received tactical and strategic recommendations for immediate and long-term improvements. Due to multiple ineffective controls, the CISO worked closely with Mandiant experts.
Retail and Hospitality
Spokesperson for Financial Services Provider
"The Mandiant team’s analysis of the remaining malware samples showed that the attackers had utilized encryption, anti-forensics, and other techniques to permit their malware to operate in a manner that evaded detection by the bank’s security."
Financial Services
SOC Spokesperson, Global Health Services Provider
"The quality and comprehensiveness of the plan, combined with continuous guidance, ongoing customizations, and hands-on implementation support enabled the rapid realization of meaningful improvements to our worldwide cyber defense."
Healthcare Services
Large Automobile Maker Enriches Its Security Posture
After suffering a harmful breach, this automobile manufacturer committed to maturing its cyber security posture and improving its incident response capability. To do so, they turned to FireEye.
High Technology
International Retailer Bolsters Security Operations
Ransomware continues to surge
A ransomware intrusion is on average nine times faster than a non-ransomware event.
Ransomware global dwell time is 5 days, significantly faster than last year's reported 72 days.
In 2019, 14% of investigations involved ransomware. In 2020, 25% of investigations involved ransomware, meaning one in every four IR engagements was caused by ransomware, the highest proportion ever.
Charts: Global Detection by Source, 2011-2020, and Regional Detection by Source, 2019 and 2020 (internal detection vs. external notifications).
Organizations working on COVID-19-related information and research were highly targeted by APT32, APT41 and other threat groups.
A Graduated Adversary
UNC902 graduated to FIN11, a financially motivated threat group active since at least 2016 and known for widespread phishing campaigns to deliver malware.
The threat group leveraged a variety of criminal service providers to outsource components of their operations.
FIN11 relies heavily on publicly available offensive security toolsets, but also deploys malware exclusive to the group, such as the FRIENDSPEAK downloader, the MIXLABEL and BARBWIRE backdoors, and CLOP ransomware.
Dwell time is calculated as the number of days an attacker is present in a victim environment before they are detected. The median represents a value at the midpoint of a data set sorted by magnitude.
