Security Experts:

Breach Detection Time Improves, Destructive Attacks Rise: FireEye

In its seventh annual Mandiant M-Trends report, FireEye-owned Mandiant said that organizations are improving on the time it takes to detect a security breach.

While the positive news on improved breach detection is exciting in the current days of cyber doom and gloom, Mandiant also found an increase in the number of destructive attacks hitting organizations.

What is most interesting about the M-Trends report, is that the data is compiled from actual incidents---not surveys. In other words, this is real-world data and details discovered during the process of investigating incidents across hundreds of clients, many from high profile organizations.

According to the just released report (PDF), the median number of days that attackers were present on a victim’s network before being discovered dropped to 146 days in 2015 from 205 days in 2014—a trend that shows positive improvement since measuring 416 days back in 2012. However, breaches still often go undetected for years, Mandiant reminded.

The breach investigations firm found that during its investigations, responders saw incidents where attackers destroyed critical business systems, leaked confidential data, held companies for ransom, and taunted executives. Some attackers were motivated by money, some claimed to be political retaliation, and others were to cause embarrassment, the report said.

“Disruptive attacks were once considered an implausible worst-case scenario for many companies and were typically not planned for by executives,” the M-Trends report said. “Put simply, no one previously expected to have half the workforce lose access to their computers within a short amount of time. However, public events over the last few years have altered the notion of what comprises a worst-case scenario.”

With disruptive attacks now a legitimate threat, enterprises need begin planning and preparing accordingly, Mandiant says.

Disruptive cyber attacks can be those that hold data for ransom (such as CryptoLocker), hold a company for ransom (stealing data and threatening to release it), delete data or damage systems, add malicious code to a source code repository, or modify critical business data in the hope that it does not get discovered.

“We’ve investigated multiple incidents where attackers wiped critical business systems and, in some cases, forced companies to rely on paper and telephone-based processes for days or weeks as they recovered their systems and data,” the report said. “We have even seen attackers wipe system backup infrastructure in an effort to keep victims offline longer.”

Responding to these disruptive attacks can be challenging, Mandiant says.

“Unlike breaches where a containment plan may be able to stop an attacker from stealing more information, in these disruptive instances the damage may have already been done by the time the attacker contacts the victim organization. Therefore, a different response to these incidents is required.”

In the report, Mandiant provided details and insights on how organizations can prepare for and deal with disruptive attacks.

Another interesting trend in 2015 was an increase in attackers attempting to exploit networking equipment during targeted and persistent campaigns.

“We’ve seen attackers compromise these devices in order to maintain persistent access, to change security security access control lists (ACLs) to grant access to a protected environment, for reconnaissance purposes, and for network traffic disruption,” Madiant said.

The report also highlights that stolen credentials continues to be an issue and ongoing threat.

Leveraging third-party service providers to gain access to a victim organization is also a favored technique to gain initial access, Mandiant says, because often the service provider’s security posture is less than that of the victim organization.

Mandiant said that its Red Team was able to to obtain access to domain administrator credentials within three days, on average, of gaining initial access to an environment.

“Once domain administrator credentials are stolen, it’s only a matter of time before an attacker is able to locate and gain access to the desired information,” Mandiant said.

“In 2015, we continued to be reminded that there is no such thing as perfect security,” said Kevin Mandia, SVP and president, FireEye. “Based on the significant number of incidents that Mandiant investigated in 2015, threat actors are finding inventive and disruptive ways to skirt even the best defenses, resulting in informational, financial and reputational loss.”

As is the case with Verizon’s annual Data Breach Investigations Report (DBIR), Mandiant’s M-Trends report should be considered required reading for any mid to large size enterprise. The “from the trenches” report is valuable because these are real world incidents that defenders can learn from.

“Numbers always tell a story, but it’s the interpretation of those numbers that holds the real value,” the report concludes. 

view counter
For more than 10 years, Mike Lennon has been closely monitoring and analyzing trends in the enterprise IT security space and the threat landscape. In his role at SecurityWeek he oversees the editorial direction of the publication and manages several leading security conferences.