Mandiant, Crowdstrike, Verizon, NCSC and others have all released their 2025 reports over the last few weeks. Let's save you all that reading time. My name is Nick Harris, and I'm the CISO in Residence at Assured.
We've analysed them all to pull out the key points: the highlighted changes, trends and techniques, with ransomware, credential theft and vulnerability exploitation hitting businesses hard. There are a lot of findings for us to share. In particular, there are 5 points they all agree on:
Credential Theft and Infostealers:
- Verizon’s DBIR notes 46% of infostealer logs involve non-managed devices despite businesses saying key apps were restricted to corporate devices.
- Crowdstrike reports 79% of breaches are malware-free, leveraging stolen credentials and living-off-the-land techniques to evade detection.
- Mandiant reported that 54% of ransomware victims had domains appearing in credential dumps despite believing they had no data leakage, highlighting the need for proactive monitoring.
“We are at higher risk of compromise from credential abuse and cloud misuse than from traditional malware.”
Patching and Vulnerability Management:
- Verizon DBIR indicates vulnerabilities are initial access vectors in 20% of breaches, up from 15%, with Mandiant noting 42% of intrusions involve exploits.
- Attackers exploit zero-days in 11 days, while 54% of zero-days remain unpatched after 32 days (Sophos Annual Report). This shows we’re 21 days too slow.
- Untracked or misconfigured assets are frequent targets, with SMBs suffering due to limited patching resources (NCSC Cyber Breaches Survey).
Ransomware requires active monitoring to mitigate:
- Ransomware is present in 44% of breaches (Verizon DBIR), with 31% of Mandiant’s reported intrusions involving ransomware and 67% including data extortion.
- Attackers deploy ransomware in just 2 days, exploiting perimeter devices and zero-days, especially via poorly monitored MSPs (Mandiant).
- SMBs are disproportionately impacted due to insufficient 24/7 monitoring, despite having preventative controls (UK Cyber Breaches Survey).
So, with the conclusion of these reports, what should you be telling the board?
- “We are at higher risk of compromise from credential abuse and cloud misuse than from traditional malware.”
- “Our response time must match or beat the attackers’—we need EDR, logging, and skilled responders.”
- “Supply chain and SME partners are now prime targets—security doesn’t end at our firewall.”
- “Threats are becoming stealthier and more financially driven—we must plan not just for attacks, but for business disruption.”
What should we be doing?
- Implement continuous vulnerability scanning, enforce tight patching SLAs (automated where possible), and aggressively discover assets to ensure hardening compliance.
- Deploy in-browser IAM monitoring to detect password re-use and takeover attacks, enforce phishing-resistant MFA (e.g., hardware-based), and strengthen conditional access policies. Ensure your EDR is configured to alert on abnormal use of PowerShell, RDP, etc.
- Maintain immutable, offline backups with regular integrity tests, prioritise active 24/7 monitoring (in-house or via MDR/MSSP), and avoid reliance on tools alone.
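To make the "EDR configured for abnormal PowerShell and RDP use" recommendation concrete, here is a small rule-based triage script. It is an added illustration, not code from any of the cited reports or from Assured: the key=value log format, the field names, the jump-host subnet, the working-hours window and the sample events are all constructed assumptions. It flags PowerShell launched by an Office application, hidden-window flags and encoded commands (decoding the base64/UTF-16LE payload for the analyst), and RDP (logon type 10) sessions from outside the expected source subnet or outside working hours.

```python
"""Added example (not from the cited reports or from Assured): rule-based
detection of abnormal PowerShell and RDP activity of the kind an EDR or SIEM
should alert on. Log format, field names, subnets, hours and sample events are
constructed assumptions for illustration only."""
import base64
import ipaddress
import re

# Constructed sample events in a simplified key=value form (not real telemetry).
SAMPLE_EVENTS = [
    'type=process user=CORP\\alice parent=explorer.exe image=powershell.exe '
    'cmd="powershell.exe Get-ChildItem C:\\Users\\alice"',
    'type=process user=CORP\\bob parent=WINWORD.EXE image=powershell.exe '
    'cmd="powershell.exe -nop -w hidden -enc RwBlAHQALQBEAGEAdABlAA=="',
    'type=process user=CORP\\svc_backup parent=services.exe image=powershell.exe '
    'cmd="powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"',
    'type=logon user=CORP\\dave logon_type=10 src=10.0.5.21 host=WS-042 hour=14',
    'type=logon user=CORP\\dave logon_type=10 src=198.51.100.7 host=DC-01 hour=3',
]

# Assumed environment facts: the jump-host subnet RDP should come from, and
# the hours during which interactive RDP is expected.
RDP_ALLOWED_SRC = ipaddress.ip_network("10.0.5.0/24")
RDP_HOURS = range(7, 20)  # 07:00-19:59
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


def parse_event(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def decode_encoded_command(blob):
    """PowerShell -EncodedCommand carries base64 of UTF-16LE text; decode it so
    the analyst sees what would actually run."""
    try:
        return base64.b64decode(blob).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_powershell(ev):
    """Rules for process-creation events where the image is powershell.exe.
    -ExecutionPolicy Bypass on its own is common in legitimate automation, so
    this example deliberately does not alert on it."""
    findings = []
    if ev.get("image", "").lower() != "powershell.exe":
        return findings
    cmd = ev.get("cmd", "")
    if ev.get("parent", "").lower() in OFFICE_PARENTS:
        findings.append("powershell spawned by Office application")
    if HIDDEN_RE.search(cmd):
        findings.append("hidden window requested")
    m = ENC_RE.search(cmd)
    if m:
        findings.append(f"encoded command (decodes to {decode_encoded_command(m.group(1))!r})")
    return findings


def check_rdp(ev):
    """Rules for RemoteInteractive (logon type 10) logons."""
    findings = []
    if ev.get("logon_type") != "10":
        return findings
    src = ipaddress.ip_address(ev["src"])
    if src not in RDP_ALLOWED_SRC:
        findings.append(f"RDP from non-jump-host source {src}")
    if int(ev["hour"]) not in RDP_HOURS:
        findings.append(f"RDP outside working hours ({ev['hour']}:00)")
    return findings


def triage(lines):
    """Return {user: [findings]} for every event that trips at least one rule."""
    alerts = {}
    for line in lines:
        ev = parse_event(line)
        hits = check_powershell(ev) if ev.get("type") == "process" else check_rdp(ev)
        if hits:
            alerts.setdefault(ev["user"], []).extend(hits)
    return alerts


if __name__ == "__main__":
    for user, hits in triage(SAMPLE_EVENTS).items():
        print(user, "->", "; ".join(hits))
```

On the constructed sample, alice's interactive listing and the scheduled backup script stay quiet, bob's Office-spawned hidden encoded command trips three rules, and dave's daytime session from the jump-host subnet passes while his 03:00 session to a domain controller from an unexpected address is flagged twice. The point for the board discussion above is that these rules are only useful if someone is watching the alerts around the clock; the tooling alone does not shorten response time.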
Ex-CISO at Holland and Barrett, and manager at Deloitte, with over 10 years' experience of leading complex cyber and privacy programs. Nick has held privacy office roles and led the implementation of end-to-end ISO27001 projects for a large number of organisations.