Auxiom Logo Outsmart Chaos Gold

Mandiant M-Trends 2024 Report

Play Video about Golden Nuggets Thumbnail #7

Dive into the latest insights on cybersecurity with our Chief Information Security Officer, Earl Duby, as he delves into the findings of the Mandiant M-Trends 2024 special report. In this discussion, Earl unpacks the key trends, emerging threats, and strategic recommendations outlined in the report, providing insights for businesses and cybersecurity professionals alike. 



(0:00)  I’m Earl Duby. I’m the CISO at Auxiom 

And, you know, I’ve been coming to you (0:06) every week with different little tidbits and things of interest that I thought would be helpful to you.  

(0:11) as you try to secure your organizations and defend your businesses.  

(0:17) One of the things that I look forward to every year are these reports that come out from large security companies.  

(0:24) So you have the Verizon Data Breach Investigations Report. 

You have, you know, different things that come out throughout the year.  

(0:29)One of my favorites is the M-Trends Report, which comes out, historically, it’s come out by a company called Mandiant.  

(0:41) And recently, Mandiant was purchased by Google Cloud Security. 

(0:46) So now the report is actually coming out from Google Cloud Security, and it’s got the Google colors on it. So, it’s all nicely branded for Google. But luckily, the content is still coming from Mandiant. 

(0:53) So I look forward to this kind of the way that in the old days, people looked forward to Harry Potter books coming out, because there’s always some good information in here.  

(1:05) So there’s five things I want to go over with you today that I pulled out of this report. 

(1:10) And I really think you should read it all the way through, because there’s a lot of good things in there beyond what I want to talk about. 

(1:18) But in the short amount of time that I have with you,  before I lose you to Netflix or whatever, I want to go over some things that I thought were important. 

(1:25) So the first one, and we’ll put the chart right here so that you can kind of follow along as I’m talking through this, but the first is the notification source for businesses. (1:38) So this is basically talking about how businesses are notified that they’re having a security breach or a security incident. 

(1:52) And what Google is saying for the year of 2023, which is where all this data is coming from, and this is all data from incidents that Mandiant has responded to. 

(1:59) So this isn’t totally representative of everything in the world.  

(2:05) This is representative of the thousand plus incidents that Mandiant responded to last year. 

(2:12) And of those incidents that they responded to, in a ransomware situation, as you can see here, 70% of companies were notified by external parties, and only 30% were self-identified, which makes sense for ransomware, because obviously the ransomware actor wants you to know that you’re being ransomed, and so typically the detection source is going to be the ransom note or whatever.  

(2:42) But what I thought was interesting is the second half of this chart, which says in a non-ransomware situation, 50% of companies are still being informed by external parties. 

(2:57) So you think about what that means. 

(3:05) That means the FBI is coming to your lobby to tell you that they’ve detected that your company is under attack, or your data has been leaking out into the dark web,  

(3:12) or some other bad thing is happening to you that you are completely unaware of. 50%, not knowing that, that’s a pretty telling statistic.  

(3:28) And I think this is where we’re always talking about detection and response, and we’re talking about having proper tools installed in your company, so whether that’s vulnerability management, so that you can manage those vulnerabilities, or endpoint detection and response, 

(3:44) so that you can detect when these bad things are happening. 

(3:52) We really want to see these numbers not 50-50, but it really should be 90-10, where 90% of people are figuring this stuff out with their own technology and their own people and their own tools, and so I think it’s still disappointing that we’re at 50-50. 

(4:05) Another thing that I would like to go over is on, you know, page 12 of this report, it’s just the industries that are being targeted. 

(4:19) You know, at the top of the list, you can see it here, you know, financial services, they’ll probably be at the top of the list for eternity, you know, just because that’s where the money is at. 

(4:31) They also, you know, make just very good targets since they’re large and global and things like that, or they’re small and not well defended. 

 (4:37) But in any case, they have lots of customer data, lots of money, and so they will probably always be at the top of that list.  

(4:51) But there’s some other interesting statistics in here, like engineering firms, you know, this is something that we’re spending a lot of time on here at Auxiom, is just how do we defend engineering firms, because they have a lot of data, and I think there’s a going to be a blog post coming out pretty soon from us around just how engineering firms should be defending their data. 

(5:06) You know, and this shows here that, you know, eight percent of all of the incidents that Mandiant responded to were affecting construction and engineering companies, 

(5:18) so it’s not like you can hide from this crime that’s happening if you’re an engineering firm. 

(5:23) You know, and typically speaking, they have a lot of data, a lot of very critical customer data, and, you know, need to defend that data better. 

(5:40) So take a look at that and see where your industry is at on the list, because chances are it’s not zero, so whatever industry you’re in is on this list, so hopefully you’re preparing for that. 

(5:51) The third thing that I’d like to go over is just the initial infection vector. So how are the bad things coming into your environment?  

(5:57) You know, typically we think about phishing and, you know, this old AuxiomAxiom that the, you know, your employees are your weakest link, you know, that always plays into this phishing attack vector,  

(6:09) but if you look at this chart, phishing isn’t even the number one attack vector that Mandiant saw.  

(6:16) They’re seeing exploits, and a lot of that is, you know, driven last year. 

(6:24) We had the Move-It vulnerability that affected a ton of companies, and so those types of things obviously drive up the number, but, you know, this really gets us directly into the idea of vulnerability management.  

(6:37) So one of my favorite topics, and if you see me anywhere, you know, I will always be talking about vulnerability management, because I think it’s much better to prepare for things ahead of time than to just be reacting to badness.  

(6:58) So, and this just shows you why it’s even more important, is if 38 percent of the incidents that Mandiant was dealing with were caused by an exploit, not through phishing or not through stolen credentials, but through actual either misconfigurations or unpatched systems or just things that could have easily been taken care of if you did proper hygiene, you know, 

(7:25) this tells you that you really need to get out in front of that, use vulnerability management, scan your environment, find out where those gaps are at, and fix them. 

(7:30) It’s much quicker and much easier to take care of it then than to go through a fire drill of an incident.  

(7:43) If you move on to page 18, this one I thought was interesting because, you know, everyone’s always asking me, like, why is security getting so much more complicated, or why don’t the things that I did five years ago still work, or why is my investment constantly not good enough and I have to keep investing more in security?  

(8:02) Well, take a look at this chart right here, and this is why it’s so challenging for us as defenders to stay ahead of this.  

(8:09) And again, this is just Mandiant incidents, you know, this is not global incidents that all responders responded to, and Mandiant is tracking 719 new threat groups. 

(8:26) So, just in 2023 alone, there are 719 additional threat groups that they are looking at that they weren’t looking at the year before.  

(8:32) And of those 719, they saw 316 roughly that actually, so of those thousand and some incidents that they had, they were driven by 316 threat groups, 220 of those were new.  

(8:54) So, that just shows, like, the money is so big right now in cybercrime, it is sucking in anybody and everybody who has a nefarious bone in their body that’s looking for money. 

(9:10) They’re getting pulled into cybercrime, and these numbers are just astounding. If you think about it, just how do you stay ahead of this? 

(9:21) You know, you’re constantly going to have to evaluate your environment, you’re going to have to constantly be investing to stay ahead of this, because all these new people are bringing in innovative ideas, they’re figuring out how to get around our defenses, they’re getting around, you know, the people we have in places, the technology we have in place.  

(9:36) So, the blue team, the good guys, have to constantly be innovating to stay ahead of the adversaries, who obviously are also driven quite a bit by money. 

(9:55) So, that is on page 18,  and then the last thing I wanted to bring up is a little bit later in the document, because they have all these statistics at the front, but then there’s also some really good articles at the back of the report, and one of those articles talks about multi-factor authentication, and,  

(10:10) you know, typically in any situation where you’re worried about credential theft or even phishing, things like that, multi-factor is probably one of your best ROI defensive mechanism.  

(10:27) you can put in place, because it does prevent a boatload of attacks, and it’s relatively cheap, but even MFA has some concerns if you’re not doing this right, and again, this just shows the way that the adversary is progressing. 

(10:42) So, five years ago, you know, it was pretty exciting stuff when we could just get a pop-up that says, hey, are you trying to access this system, yes or no, and you’d hit yes, and then boom, your MFA would kick in and allow you into that system.  

(11:00) You know, that was great, you know, that solved a ton of crime until the criminals figured out, like, hey, let’s just send people a bunch of login requests until we give them MFA fatigue, and they’ll just hit yes to make the pop-ups go away. 

(11:18) So now, just yes, no doesn’t work anymore, so a great thing from five years ago is kind of a not great thing today. So instead, what you need (11:25) to do is put your codes in. 

(11:32) So, you know, pop up the three-digit code or whatever, so that you actually have to know what system you’re trying to log into to get the code to put it into your MFAto get the access. 

(11:39) So, you know, there’s a pretty good article at the back of the report. 

 This chart I’m looking at is on page 75. Take a look at that, and if you’re still using the yes, no MFA, let’s try to implement the code and, you know, improve your defenses there. 

(12:00) So that’s just kind of in a nutshell, you know, what I think, you know, I like the report. Again, I was excited to get it, I was excited to read it, and I wanted to share it with you guys because I was so excited about reading it. 

(12:10) So hopefully you can download it, take a look at it. 

(12:15) If you have any questions, reach out to me and we can talk through it. Other than that, enjoy the report and have a good day. Thanks. 


  • Earl Duby

    Earl Duby is a proven cyber security leader with over 25 years of experience leading security teams in multiple industries, ranging from large financial services companies to Fortune 150 manufacturers. Recently, Earl spent 6½ years as the Chief Information Security Officer (CISO) for Lear Corporation in Southfield, Michigan. Before that, he was Vice President of Security Architecture for Synchrony Financial as it spun off from General Electric. Earl has held several other security leadership roles and has earned Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Fraud Examiner (CFE), Certificate of Cloud Security Knowledge (CCSK), SABSA Certified Foundation and Certified Information Systems Auditor (CISA) certifications.