Explore this and other key cyber trends encountered by one cybersecurity firm’s incident response operations in 2024

Based on its incident response and investigation metrics* conducted between 1 Jan 2024 and 31 Dec 2024, a cybersecurity firm has rounded up some key cyber statistics for the period.

First, the 12-month data indicated that attackers were seizing every opportunity to further their objectives, through: Infostealers malware, the targeting of unsecured data repositories, and the exploitation of gaps and risks (e.g., supply chain risks) introduced as organizations continue their migrations to the cloud.

Second, the financial sector continued to be the most targeted industry, with the global median dwell time rising to 11 days from 10 days in similar data analyses for 2023 (compared to 16 days for 2022).

Other key findings

Third, the number of financially-motivated actors rose, while the number of espionage incidents dipped: 55% of threat groups active in 2024 data were financially motivated: a steady increase from 52% in 2023 and 48% in 2022. About 8% of threat groups in the data were motivated by espionage: a slight decrease from 10% in 2023 data analyzed. Also:

• Ransomware trends: The most commonly observed initial infection vector for ransomware-related intrusions, when the vector could be identified, was brute-force attacks. Password spraying, virtual private network (VPN) devices compromised through default credentials, and high-volume Remote Desktop Protocol (RDP) login attempts were examples of the types of brute-force attacks investigate in 2024.
• Stolen credentials reached a new high: The most common initial infection vector was exploits (33%) for the fifth consecutive year. Stolen credentials (16%) rose to the second most common in 2024, marking the first time this vector has reached this level. The remaining top five vectors included email phishing (14%), web compromises (9%), and prior compromises (8%).
• Infostealer malware becoming a foundational threat: These malware families were often distributed through infected personal and contractor devices, leading to a record high in stolen credentials as an initial infection vector, and driving surges in credential-based attacks and cloud/SaaS breaches.
• The most frequently targeted industries: Financial (17.4%), business and professional services (11.1%), high tech (10.6%), government (9.5%), and healthcare (9.3%). These targeting trends were mostly consistent with data from prior years.
• Provenance of incident discovery: In 2024, external sources first alerted organizations of a compromise 57% of the time, and 43% of the time it was identified internally. External notifications are divided into 43% from entities such as law enforcement and cybersecurity vendors, and 14% from adversaries, often in the form of ransom notes. 
• Other notable trends in the 2024 data: North Korean IT workers posing as remote contractors to gain insider access; Iranian threat actors ramping up destructive and espionage operations —particularly against Israeli targets — and China-nexus groups exploiting zero-day vulnerabilities and edge devices to evade detection. Also, threat actors in 2024 usually gained access to targeted systems through brute-force attacks, third-party-access [supply-chain] compromise, social engineering voice calls (voice phishing or vishing), SIM swapping, and Bring Your Own Device (BYOD) such as infected USB storage devices.

According to Vivek Chudgar, Managing Director, Mandiant Consulting (JAPAC), the firm that reported on its 2024 incident data trends: “As financially motivated threats grow more sophisticated, our collective resilience depends on proactive threat intelligence, faster detection, and a relentless focus on closing security gaps before adversaries can exploit them.”

*declared as “data collected from more than 450k+ hours of incident response engagements globally”, across the USA, JAPAC and EMEA regions