GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

Notices

    Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 24-Apr-2025 15:08:06 JST

    Google’s M-Trends 2025 report is out - data from Mandiant’s incident response engagements. Direct PDF link to avoid the sales pitch wall:

    https://services.google.com/fh/files/misc/m-trends-2025-en.pdf

    Thread about my main observations:

    - Firstly, no mention of generative AI or GenAI again. This is in common with Sophos incident response, ESET, etc etc etc. You’ll see why as we get into the data.

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 24-Apr-2025 15:16:30 JST

      Exploitation was the primary entry method into orgs, although it declined slightly YoY due to the rise of infostealers.

      Three of the four most exploited vulns were zero days, all were in cybersecurity products (Palo-Alto, Ivanti Connect Secure, Ivanti Policy Secure and Fortinet). In most of the cases documented, it was ransomware groups running rings around security vendors, ie the security vendors were the cause of the victims' woes due to defective products.

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/114/391/474/051/147/371/original/84046e44577faf33.jpeg
      Haelwenn /элвэн/ :triskell: likes this.
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 24-Apr-2025 15:18:09 JST

      “The majority of organizations, 57%, first learned of a 2024 compromise from an external source.
      External notifications can be further divided into adversary notifications and external entity
      notifications. Adversary notifications typically take the form of ransom notes”

      Detection = oh no, we got hosed for a majority of orgs still.

      Ryan Castellucci :nonbinary_flag: and Steve's Place repeated this.
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 24-Apr-2025 15:22:37 JST

      Dwell time - the time between initial access and incident response (ie notification or detection) - rose slightly YoY. Attackers are typically in the environment for 11 days.

      Do not believe the headlines around ‘ransomware deployed in 1 hour using AI!!!1!’ - every single incident response org data shows you usually have a week for detection and response before ransomware deployment. You can detect and respond - do it, don’t buy the magic cyber beans.

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/114/391/498/166/566/371/original/b27c3f48d66aebdf.jpeg
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 24-Apr-2025 15:24:59 JST

      35% of Mandiant engagements are financially motivated, ie ransomware or just extortion without ransomware deployment. Basically in line with prior years.

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 24-Apr-2025 15:27:57 JST

      Beacon aka CobaltStrike usage is falling off a cliff.

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/114/391/519/097/890/176/original/af27160c2e928799.jpeg
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 24-Apr-2025 15:30:08 JST

      Ransomware initial entry: brute forcing VPNs with no MFA, infostealer stole creds, exploits.

      Fixes: deploy MFA 100% of time, apply patches in a timely manner to network border appliances, swap VPN vendors to one which doesn’t suck.

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/114/391/527/669/071/905/original/c3b022b96a791cb9.jpeg
      Reasonable Man repeated this.
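The entry methods and fixes in the post above (VPN brute force against accounts with no MFA) are something an internal team can watch for in its own authentication logs. The Python below is an added example, not part of this thread or of Mandiant's report: it runs two checks over a handful of constructed VPN authentication log lines in a made-up appliance format. The first flags a successful login from a source address that produced many failures in the minutes before it; the second lists every successful login that presented no second factor, which is the population the "deploy MFA 100% of the time" fix targets. The log format, field names, thresholds and the window length are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines in a made-up appliance log format (not any real vendor's format).
# One source hammers one account and eventually gets in without MFA, one user logs in with
# TOTP, and one logs in legitimately but the account has no second factor enrolled.
FAIL_COUNT = 12
SAMPLE_LOG = [
    f"2025-04-24T08:00:{i:02d}Z vpn auth user=alice src=203.0.113.7 result=fail mfa=none"
    for i in range(FAIL_COUNT)
] + [
    "2025-04-24T08:01:30Z vpn auth user=alice src=203.0.113.7 result=success mfa=none",
    "2025-04-24T09:15:00Z vpn auth user=bob src=198.51.100.4 result=success mfa=totp",
    "2025-04-24T09:16:10Z vpn auth user=carol src=198.51.100.9 result=success mfa=none",
]

# Field layout of the assumed format; anything that does not match is skipped, not guessed at.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|fail) mfa=(?P<mfa>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict with a timezone-aware timestamp, or None if it doesn't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def parse_log(lines):
    """Parse all lines, drop unparseable ones, and return events in time order."""
    events = [ev for ev in (parse_line(line) for line in lines) if ev]
    return sorted(events, key=lambda e: e["ts"])


def brute_force_then_success(events, threshold=10, window=timedelta(minutes=10)):
    """Flag each success whose source produced at least `threshold` failures inside `window` before it."""
    fails = defaultdict(list)  # src -> failure timestamps seen so far, in time order
    findings = []
    for ev in events:
        if ev["result"] == "fail":
            fails[ev["src"]].append(ev["ts"])
            continue
        recent = [t for t in fails[ev["src"]] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            findings.append({"src": ev["src"], "user": ev["user"],
                             "failures": len(recent), "success_at": ev["ts"]})
    return findings


def successes_without_mfa(events):
    """Every successful login where no second factor was presented, as (user, src) pairs."""
    return [(ev["user"], ev["src"]) for ev in events
            if ev["result"] == "success" and ev["mfa"] == "none"]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in brute_force_then_success(evs):
        print(f"ALERT brute-force success: {f['user']} from {f['src']} "
              f"after {f['failures']} failures at {f['success_at']:%H:%M:%S}Z")
    for user, src in successes_without_mfa(evs):
        print(f"WARN login without MFA: {user} from {src}")
```

On the constructed input this raises one brute-force alert (alice from 203.0.113.7 after 12 failures) and two no-MFA warnings (alice and carol). Counting failures per source rather than per account is deliberate: a spray that rotates usernames from one address still trips it, while the second check catches the accounts that should not be allowed to succeed on a password alone regardless of how the login arrived.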
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 24-Apr-2025 15:34:06 JST

      49% of orgs found out they had a ransomware actor when the ransomware actor deployed the ransomware. Only 30% detected it internally - ie read their alerts and contained it.

      The other 21% found out because somebody externally told them somebody was active on their network (eg law enforcement, CISA, NCSC etc).

      Key lesson - read the alerts. If you can’t afford to read the alerts, don’t buy the products, get an MSSP.

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 24-Apr-2025 15:36:52 JST

      Worth noting that the dwell time for ransomware groups discovered by internal teams is 29 days - properly resourced internal teams can give you the ability to intervene early and save the company from open heart surgery later.

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 24-Apr-2025 15:43:08 JST

      Info stealers make up about 16% of incidents. Example here around Snowflake (which backs up my thread about Snowflake from the time… it’s a happy little cyber incident).

      Answer = MFA everything people access. Snowflake now mandates MFA for all customers and users.

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/114/391/578/785/775/505/original/49b696f745abd58f.jpeg
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 24-Apr-2025 15:47:24 JST

      Translation with this one - everybody is busy worrying about AI while all their documentation about their systems and risks is in JIRA, Confluence, SharePoint etc that attackers just read.

      “Mandiant security assessments often identify sensitive data residing in readily accessible document repositories.
      Network file shares, SharePoint sites, Jira instances, Confluence spaces, and GitHub repositories often contain
      a wealth of valuable information”

      Todo: limit access to those who need the info

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/114/391/595/578/542/883/original/89b2dbde8c29660c.jpeg
      Haelwenn /элвэн/ :triskell: likes this.
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 24-Apr-2025 15:52:12 JST

      And that’s a wrap, the report is worth a read. You should balance it out with something like Sophos yearly report too - Mandiant is expensive, Sophos has SMB data.

      The long story short about why GenAI is missing from all of the data is vendors have blown the threat wildly out of proportion - AI is porn for execs - and why build a rocket launcher when you can just pick up the key from under the front door mat. Concentrate on security fundamentals, threat actors want you to be distracted.

      Haelwenn /элвэн/ :triskell: likes this.
      Joel Michael (jpm@aus.social)'s status on Thursday, 24-Apr-2025 16:14:00 JST

      @GossiTheDog “swap VPN vendors to one that doesn’t suck” LMAO there isn’t one

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 24-Apr-2025 16:30:16 JST

      One other note - you may say ‘but Kevin, the incident response data wouldn’t know about GenAI phishing!’.

      Mandiant’s data shows phishing as initial access has dropped for the past 3 years in a row. It’s almost halved since execs hit the GenAI juice.

      Sophos data shows same, phishing only 6% of incidents now.

      Stop being drunk on sales pitches.

      Haelwenn /элвэн/ :triskell: likes this.
      Kobold (kobold@social.troll.academy)'s status on Thursday, 24-Apr-2025 16:50:36 JST

      @GossiTheDog I just logged into #snowflake, no MFA required.
      Did #snowflake force legacy instances to use #mfa? Do you know?

      Wendy Nather (wendynather@infosec.exchange)'s status on Thursday, 24-Apr-2025 21:45:05 JST

      @GossiTheDog If the fundamentals were easy, we would have solved them by now. We need a lot more work in this area.



GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.