The Mandiant M-Trends 2025 Report provides a comprehensive analysis of the latest cyber threats, attack techniques, and global trends observed in 2024. It highlights key findings such as the rise of infostealer malware, targeted industry sectors, and the evolution of threat activities worldwide.

Keypoints

  • The report is structured into sections covering introduction, statistical insights (“By the Numbers”), global campaigns and events, targeted industry attacks, ransomware trends, cloud security compromises, threat techniques, regional threat reports, and key articles analyzing specific threats.
  • The report analyzes data from over 450,000 hours of incident response engagements globally, focusing on threats observed in 2024, providing a robust dataset for understanding evolving attack vectors and attacker behaviors.
  • Major themes include the increased use of infostealer malware, vulnerabilities in edge devices, and the targeting of unsecured cloud data repositories, reflecting current security hygiene issues and cloud migration risks.
  • In 2024, exploits remained the predominant initial attack vector, accounting for 33% of incidents, with stolen credentials and web compromises also being significant causes.
  • The financial sector was the most targeted, representing over 17% of investigations, emphasizing industry-specific threat focus.
  • Key vulnerabilities exploited include CVE-2024-3400 (Palo Alto Networks), CVE-2023-46805 and CVE-2024-21887 (Ivanti VPN), and CVE-2023-48788 (FortiClient). Many of these were targeted shortly after disclosure, showing the speed of attacker exploitation.
  • Dwell time for detections has decreased dramatically over the years; the 2024 median of 11 days is a slight increase from previous years, indicating ongoing challenges in rapid detection.
  • Threat actor activities are diverse, with over 4,500 identified groups, including nation-state actors from China, Russia, Iran, and financially motivated clusters, reflecting a broad and evolving threat landscape.
  • The report underscores the importance of proactive detection, layered defenses, and regular threat intelligence updates to mitigate rising threats such as ransomware, data theft, and cloud compromises.
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)
