Skip to content
Information Technology

Mandiant’s M-Trends Report Reveals New Insights from Frontline Cyber Investigations

Mandiant 3 mins read

Global median dwell time falls to its lowest point in over a decade; Financial Services is the most targeted sector by attackers


Mandiant, part of Google Cloud, has released the findings of its M-Trends 2024 report. Now in its 15th year, this annual report provides expert trend analysis based on Mandiant frontline cyber attack investigations and remediations conducted in 2023. The 2024 report reveals evidence that organisations globally have made meaningful improvements in their defensive capabilities, identifying malicious activity affecting their organisation more quickly than in previous years. The report also takes a look at notable threat actors and campaigns, providing a focused look at threat activity by region.


View File Download File

M-Trends Report


"Attackers regularly adjust their tactics, techniques, and procedures in order to achieve their objectives, which can be challenging for defenders. Despite this, our frontline investigators have learned that organisations have done a better job in 2023 at protecting systems and detecting compromises," said Jurgen Kutscher, Vice President, Mandiant Consulting at Google Cloud.

Kutscher continued, "Defenders should be proud, but organisations must remain vigilant. A key theme throughout M-Trends 2024 is that attackers are taking steps to evade detection and remain on systems for longer, and one of the ways they accomplish this is through the use of zero-day vulnerabilities. This further highlights the importance of an effective threat hunt program, as well as the need for comprehensive investigations and remediation in the event of a breach."

Global Median Dwell Time Hits Lowest Point Recorded

While the use of zero-day exploits is on the rise, the M-Trends 2024 report reveals a significant improvement in global cybersecurity posture. The global median dwell time – the time attackers remain undetected within a target environment – has reached its lowest point in over a decade. In 2023, organisations detected intrusions within a median of 10 days, a notable decrease from 16 days in 2022.

Shorter dwell times are likely driven by a larger proportion of ransomware incidents in 2023 (23%) versus 2022 (18%). Mandiant also tracked an improvement in internal detection of compromise in 2023 (46%), compared to 37% in 2022. These two trends - shorter dwell times and more internally detected events - suggest that defenders globally have improved detection capabilities.

Dwell Time By Region

A closer examination reveals that median dwell time varies by region. Organisations in the Asia-Pacific (JAPAC) region experienced the most dramatic decrease, reducing their median dwell time to 9 days, compared to 33 days in 2022. This variation could be driven by the quick moving ransomware used in the incidents in the region, as ransomware-related intrusions consumed the highest majority for the investigation type compared to any other region in 2023.

Conversely, the EMEA region (Europe, the Middle East and Africa) saw a slight rise in dwell time, increasing from 20 days to 22 days. This small variation could be the result of regional data normalising following the notable portion of Mandiant's work in Ukraine in 2022.

Targeting By Industry Vertical

The M-Trends 2024 report highlights key trends in industry targeting by cyber attackers. Mandiant most frequently responded to intrusions at financial services organisations (17%) in 2023. Following this sector were business and professional services (13%), high technology (12%), retail and hospitality (9%), and healthcare (8%).

A common thread across the top targeted industries is their possession of a wealth of sensitive information, including proprietary business data, personally identifiable information, protected health information, and financial records. This makes them particularly attractive targets for attackers seeking to exploit this type of sensitive data.

Additional report takeaways include:

  • Increased Focus on Evasion: In an effort to maintain persistence on networks for as long as possible, attackers are increasingly targeting edge devices, leveraging "living off the land" techniques and exploiting zero day vulnerabilities.


  • Heightened Espionage Efforts by China-Nexus Actors: China-nexus espionage groups are continuing to prioritise acquiring zero-day exploits and platform-specific tools. They will likely target edge devices and platforms with minimal security solutions due to the ease of compromising them undetected and for a longer period of time.


  • Zero-Day Exploits on the Up-and-Up: Zero-day exploits are no longer limited to a few, select actors. The trend of increasing availability is expected to continue due to factors like ransomware and data extortion groups utilising them, continued state-sponsored exploitation, and the rise of commercially available "turnkey" exploit kits. For more on how threat actors are using zero days, check out Mandiant and Google Threat Analysis Group's first-ever joint report on the topic.


  • Cloud Targeting Aligns with Adoption: As cloud adoption grows, so does attacker targeting of these environments, including hybrid cloud/on-premise configurations. Organisations are advised to implement stricter controls to limit access to cloud resources by only authorised users.


  • Potential for Red Teaming with Large Language Models (LLMs) and AI: Like other cybersecurity professionals, Red Teams can leverage LLMs and AI in their work. Use cases could involve Red Teams generating data for model training while AI developers find ways to secure access to trained models. This synergy could significantly enhance Red Team effectiveness and improve organisational preparedness against cyber threats.


  • Evolving Tactics to Bypass MFA: As multi-factor authentication (MFA) becomes standard practice, attackers are developing methods to circumvent its protections. A concerning trend is the rise of web proxy and adversary-in-the-middle (AiTM) phishing pages that steal login session tokens, effectively bypassing MFA.

More from this category

  • Business Company News, Information Technology
  • 17/05/2024
  • 11:37
UNSW Institute for Climate Risk & Response

How AI can revolutionise the global fast fashion industry

New research shows artificial intelligence (AI) can reduce fast fashion's carbon footprint by improving supply chain efficiencies. The fast fashion industry is one of the world’s biggest polluters. Employing some 75 million people and valued at over US$2.5 trillion (A$3.8 trillion), it is responsible for about 10 per cent of global carbon emissions. The evidence is clear: the industry must embrace more sustainable business practices. The findings of a new study, co-authored by the UNSW Institute for Climate Risk & Response, have shown that AI-driven technologies can be harnessed for climate action and significantly advance environmental and market performance. The…

  • Contains:
  • Information Technology
  • 17/05/2024
  • 09:44

Intermodal Terminal Company (ITC) Chooses Hexagon to Deliver Groundbreaking Australian Rail Terminal

MELBOURNE, AUSTRALIA / ACCESSWIRE / May 15, 2024 / Hexagon's industry-leading asset management solution HxGN EAM, in collaboration with The APP Group, a leader in property and infrastructure advisory, has been chosen by Intermodal Terminal Company (ITC), an Australian intermodal rail terminal operator and owner, for its groundbreaking Somerton Intermodal Terminal project Intermodal Terminal Situated in the outer suburbs of Melbourne, Victoria, the innovative 45-hectare terminal represents one of Australia's most advanced rail infrastructure developments currently under development. Upon completion, it will claim the title of the country's largest intermodal terminal ever built and make history as the first fully…

  • Information Technology
  • 16/05/2024
  • 21:07
Plug Power, Inc.

Plug Signs 3 GW BEDP Contract with Allied Green Ammonia for Electrolyzer Project in Australia

Supporting its growth targets, Plug brings its total BEDP global contracts to 7.5 GWLATHAM, N.Y., May 16, 2024 (GLOBE NEWSWIRE) -- Plug Power Inc. (NASDAQ: PLUG), a global leader in comprehensive hydrogen solutions for the green hydrogen economy, announced the signing of a Basic Engineering and Design Package (BEDP) with Allied Green Ammonia (AGA), an Australian company focused on green ammonia production, for a three-gigawatt (GW) electrolyzer plant supplying hydrogen to AGA’s planned ammonia facility proposed for the Northern Territory of Australia.Plug’s BEDP offering is instrumental for project owners like AGA to support their Front-End Engineering Design (FEED) and incorporate…

Media Outreach made fast, easy, simple.

Feature your press release on Medianet's News Hub every time you distribute with Medianet. Pay per release or save with a subscription.