Security Experts:

Just One-Third of Organizations Discover Breaches on Their Own: Mandiant

Mandiant Releases Annual Threat Report Analyzing Advanced Targeted Attacks

FireEye-owned Mandiant has published the latest release of its Mandiant M-Trends report, which provides analysis on the threats of 2013 and highlights emerging global threat actors and the types of targets and information they have in their sights.

Compiled from threat investigations conducted by Mandiant during 2013, and now in its fifth year, the report details the tactics used by threat actors to compromise organizations and steal data.

According to Mandiant’s findings, organizations are discovering breaches in their networks faster, but still not nearly soon as they must in order to contain damage and prevent loss of sensitive data.

Data Breach Discovery

Based on Mandiant’s investigations, breaches were discovered in 229 days on average in 2013 vs. 243 in 2012. While these improvements are a positive, it still means attackers are still spending 2/3rds of the year inside an organization’s network before being discovered.

“This improvement is incremental relative to the drop from 416 days in 2011, however organizations can be unknowingly breached for years,” Mandiant said. “The longest time an attacker was present before being detected in 2013 was six years and three months.”

Phishing Emails Still a Favorite Attack Tool

If it ain’t broke, don’t fix it, the saying goes, and attackers are living by that motto. In its analysis, Mandiant found that 44 percent of the observed phishing emails aimed to impersonate the IT departments of the targeted organizations. The vast majority of the malicious emails were sent on Tuesday, Wednesday and Thursday, the report said.

The dangers of phishing attacks were also recently highlighted in a report from Symantec. Approximately one in three organizations in the mining, government and manufacturing sectors were hit by at least one spear-phishing attack during 2013, according to Symantec’s recently released Internet Security Threat report. The government sector alone was the target of 16 percent of spear-phishing blocked last year, Symantec said. 

According to Mandiant, other key findings from its “Beyond the Breach” report include:

Organizations in general are yet to improve their ability to detect breaches - In 2012, 37 percent of organizations detected breaches on their own; this number dropped to just 33 percent in 2013.

Political conflicts increasingly have cyber components that impact private organizations - Over the past year, Mandiant responded to an increased number of incidents where political conflicts between nations spawned cyber attacks that impacted the private sector. Specifically, Mandiant responded to incidents where the Syrian Electronic Army (SEA) compromised external-facing websites and social media accounts of private organizations with the primary motive of raising awareness for their political cause.

Suspected Iran-based threat actors conduct reconnaissance on the energy sector and state governments - Multiple investigations at energy sector companies and state government agencies of suspected Iran-based network reconnaissance activity indicates that threat actors are actively engaging in surveillance activities. While these suspected Iran-based actors appear less capable than other nation-state actors, nothing stands in the way of them testing and improving their capabilities.

“It is hard to overstate how quickly cybersecurity has gone from a niche IT issue to a consumer issue and boardroom priority,” said Kevin Mandia, SVP and COO at FireEye. “Over the past year, Mandiant has seen companies make modest improvements in their ability to attack the security gap. On the positive side, organizations are discovering compromises more quickly, but they still have difficulty detecting said breaches on their own. It is our focus to bridge that gap and continue the positive trends our customers are seeing.”

The full report is available online in PDF format. 

Related Reading: Preparing for the Inevitable Data Breach

view counter
For more than 10 years, Mike Lennon has been closely monitoring and analyzing trends in the enterprise IT security space and the threat landscape. In his role at SecurityWeek he oversees the editorial direction of the publication and manages several leading security conferences.