Executive Summary

Over the past 10 years, we covered many different topics in our M-Trends® reports, including a primer on the exploitation life cycle, how attackers were hiding their activities, malware trends and case studies providing technical details on many of the investigations we performed.

On the surface, not much has changed over the past 10 years. 2018 was much like 2017, and 2017 like the preceding years. We continue to see large impactful incidents, though fewer high-profile public disclosures. Extortion cases are on the rise, assisted by cryptocurrency and other forms of non-attributable payment. Cryptocurrencies are also directly targeted via wallets, payment systems and miners.

The significant trends or shifts we saw in 2018 were:

  • A significant increase in public attribution performed by governments. Recent years have seen a marked rise in private sector attribution of attack activity, but the past year saw a large number of attacks publicly attributed by way of indictments from the U.S., U.K., Netherlands and Germany. Some of these were assisted by data from private sector companies such as FireEye. Governments have not changed their operational rules of engagement, but they are combating threats publicly through indictments.
  • As more and more customers move to software as a service and cloud, attackers are following the data. Attacks against cloud providers, telecoms, and other organizations with access to large amounts of data have increased.

M-Trends 2019 looks at some of the latest trends revealed through incident response investigations by FireEye Mandiant. These include evolving APT activity in various regions, phishing risks during mergers and acquisitions, and some defensive trends that we consider best practices.

We also answer the question that everyone asks: As an industry, are we getting better at detecting threat actors? We are quite pleased to announce that the answer is a big yes. From October 1, 2017, to September 30, 2018, the global median dwell time was 78 days. That means attackers are operating for just under three months, on average, before they are detected. That is down from the global median dwell time of 101 days in last year’s report, roughly a quarter less—a modest improvement.

It wouldn’t be M-Trends if we didn’t include a variety of case studies to demonstrate exactly what we saw in the field that enabled us to provide the information in this report. This year, we show how early identification is key by diving into an incident involving attacker activity now attributed to the threat group TEMP.Demon. We also discuss an incident at a Southeast Asia-based international telecommunications company that started with an extortion email sent from the CEO’s work account by an attacker.

When we launched our first M-Trends report 10 years ago, we had one primary goal—and that hasn’t changed: to arm security teams with the knowledge they need to defend against today’s most often used cyber attacks, as well as lesser seen and emerging threats.

Full report: https://content.fireeye.com/m-trends