
5 critical takeaways from FireEye's 2021 threat report.

Exploits beat phishing; hackers love PowerShell; tips on toughening up, and more...

Security firm FireEye has been publishing its global M-Trends threat report every year for 12 years. With over 9,900 customers across 103 countries, including more than 50 percent of the Forbes Global 2000, and a position as one of the go-to industry firms for incident response, it has something of a unique insight into security trends. The Stack pulled 5 key takeaways about the threat landscape from FireEye Mandiant's 2021 M-Trends report.

1: Exploits outstrip phishing as initial vector

Exploits, or explicit abuse of a software or other vulnerability, have become more common than phishing campaigns as a way to breach target networks.

Where the initial vector of compromise was identified, evidence of exploits was found in 29% of intrusions, whereas phishing accounted for 23% of intrusions. Mandiant experts meanwhile saw adversaries use stolen credentials or brute forcing as the initial attack vector in 19% of their investigations.

n.b. The top 10 most exploited vulnerabilities of the past four years include a software bug first reported in April 2012, a 2020 report by the FBI and CISA revealed, in yet another reminder that poor patching regimes/legacy software continue to help facilitate data breaches and other malicious intrusions. Get patching, if possible.

2: Dwell times are falling (but not in EMEA)

FireEye Mandiant's 2021 M-Trends threat report: Dwell times are falling

Dwell times -- how long an attacker stays in a compromised network before being either detected or triggering a payload like ransomware -- meanwhile have fallen notably. That, in part, is good news: SOCs or others in the IT function responsible for security increased internal incident detection to 59% in 2020: a notable 12-point increase compared to 2019.

Hard numbers? The median dwell time in 2011 was 416 days. In 2021, it had fallen to just 24 days, suggesting a likely combination of several factors including improved endpoint detection and response (EDR) tools, as well as strategic decisions by attackers to pull the trigger faster. (EMEA was an anomaly in a global trend of faster detection and/or malware activation, with dwell times increasing from 54 days to 66 days in 2020 on 2019.)

The malware families most frequently seen by Mandiant in 2020. / Photo by Damir Spanic on Unsplash