Virtual Event Now Live: Cloud Security Summit | July 17 - Access Livestream
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Advanced Attackers Step up Recon Efforts, Mandiant Reports

Sophisticated attackers are expanding their reconnaissance methods to gain an advantage in their quest to compromise data.

According to a new report from Mandiant entitled ‘Attack the Security Gap’, attackers are starting to target data related to network infrastructure, processing methodologies and system and administration guides in order to gather information they can use to exploit networks and system more efficiently.

Sophisticated attackers are expanding their reconnaissance methods to gain an advantage in their quest to compromise data.

According to a new report from Mandiant entitled ‘Attack the Security Gap’, attackers are starting to target data related to network infrastructure, processing methodologies and system and administration guides in order to gather information they can use to exploit networks and system more efficiently.

“While basic reconnaissance of victim networks is nothing new, over the last year we have seen evidence of attackers expanding the type of reconnaissance activities they perform and utilizing more sophisticated tools and tactics to map victims’ networks,” the report notes. “In addition to network mapping, we saw multiple instances where the first documents the attackers stole were related to network infrastructure, processing methodologies and payment card industry (PCI) audit data. The attackers also took various system administration guides to identify human targets and to further scope the victim networks. We have also seen instances where the attackers opened native Microsoft tools (such as dns.msc) to gather the reconnaissance data they needed.”

This information can be used to identify network and system misconfigurations that can be exploited to gain additional access within the victim’s network, according to the report.

Once sophisticated attackers are inside an organization, they burrow themselves deep into networks and often go undetected. According to the report, attackers spend an estimated 243 days on a victim’s network before they are discovered. Though this is 173 days fewer than in 2011, many organizations remain compromised for years before a breach is detected, Mandiant noted.

“During our investigations in 2012, we found an increase in the number of outsourced and managed service providers who were compromised and used as a primary access point for attackers to gain entry to their victims’ networks,” according to the report. “We have worked with clients who were both the compromised outsourced service provider and the compromised clients who employ these services.”

“In many instances, the attackers initially gained access to the service provider solely as a means to find a way into their real target – the client of the service provider. In those cases, we have seen the attackers compromise the first victim – the outsourced service provider – gather the intelligence they need to facilitate their compromise of the second victim, and then lay dormant at the first victim for months or even years, only accessing backdoors at those companies if they need to regain access to the second victim.”

Mandiant’s investigations also revealed that many organizations get targeted by more than one attack group, and in some cases, the attacks occur in succession. In 2012, 38 percent of the targets in the cases investigated by Mandiant were attacked again after the original incident was addressed. The top three industries being targeted are the aerospace industry, energy, oil and gas and pharmaceuticals.

Advertisement. Scroll to continue reading.

 “We’ve seen first-hand that a sophisticated attacker can breach any network given enough time and determination,” said Grady Summers, Mandiant vice president and one of the report’s contributing authors, in a statement. “It’s not enough for companies to ask ‘Are we secure?’ They need to be asking ‘How do we know we’re not compromised today? How would we know? What would we do about it if we were?’”

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Anirban Sengupta has been named the CTO and SVP of Engineering of cloud networking and security firm Aviatrix.

Axonius has named Nick Degnan as its first Chief Revenue Officer and Rob Casselman as its first Chief Customer Officer.

Craig Boundy has left Experian to join McAfee as President and CEO.

More People On The Move

Expert Insights