SecurityWeek

Malware & Threats

Advanced Attackers Step up Recon Efforts, Mandiant Reports

Sophisticated attackers are expanding their reconnaissance methods to gain an advantage in their quest to compromise data.

According to a new report from Mandiant entitled ‘Attack the Security Gap’, attackers are starting to target data related to network infrastructure, processing methodologies, and system and administration guides in order to gather information they can use to exploit networks and systems more efficiently.

“While basic reconnaissance of victim networks is nothing new, over the last year we have seen evidence of attackers expanding the type of reconnaissance activities they perform and utilizing more sophisticated tools and tactics to map victims’ networks,” the report notes. “In addition to network mapping, we saw multiple instances where the first documents the attackers stole were related to network infrastructure, processing methodologies and payment card industry (PCI) audit data. The attackers also took various system administration guides to identify human targets and to further scope the victim networks. We have also seen instances where the attackers opened native Microsoft tools (such as dns.msc) to gather the reconnaissance data they needed.”

This information can be used to identify network and system misconfigurations that can be exploited to gain additional access within the victim’s network, according to the report.
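As an added defender-side illustration (not code from the Mandiant report or from SecurityWeek), the following Python scan runs over constructed process-creation records and flags launches of administrative MMC consoles, such as the dns.msc the report mentions, by accounts that are not on an approved administrator list. The simplified log layout (timestamp, host, user, image path, command line), the console names beyond dns.msc, and the approved-user set are all assumptions made for this example.

```python
import re

# Constructed sample records in an assumed "timestamp host user image commandline"
# layout. These are not real Windows event logs and not data from the report.
SAMPLE_LOGS = [
    r"2012-06-01T09:12:03Z WS-042 CORP\jdoe C:\Windows\System32\mmc.exe mmc.exe dns.msc",
    r"2012-06-01T09:15:40Z WS-042 CORP\jdoe C:\Windows\System32\notepad.exe notepad.exe",
    r"2012-06-01T11:02:11Z DC-01 CORP\netadmin C:\Windows\System32\mmc.exe mmc.exe dns.msc",
    r'2012-06-02T02:47:58Z WS-017 CORP\svc_backup C:\Windows\System32\mmc.exe mmc.exe "C:\Windows\System32\dsa.msc"',
    r"2012-06-02T03:01:12Z WS-017 CORP\svc_backup C:\Windows\System32\cmd.exe cmd.exe /c nslookup",
]

# dns.msc is named in the report; the other snap-ins are assumed additions that
# expose similar infrastructure information (directory, group policy, local host).
ADMIN_CONSOLES = {"dns.msc", "dsa.msc", "gpmc.msc", "compmgmt.msc"}

# Assumed allow-list of accounts expected to open these consoles.
APPROVED_ADMINS = {r"CORP\netadmin"}

# Matches a bare console file name such as dns.msc wherever it appears in the
# command line, including inside a quoted full path.
MSC_RE = re.compile(r"([\w-]+\.msc)\b", re.IGNORECASE)


def parse_line(line):
    """Split one record into its five fields; return None for malformed lines."""
    parts = line.strip().split(" ", 4)
    if len(parts) != 5:
        return None
    ts, host, user, image, cmd = parts
    return {"ts": ts, "host": host, "user": user, "image": image, "cmd": cmd}


def find_console_launches(lines, consoles=ADMIN_CONSOLES):
    """Return every record whose command line references a watched .msc console."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for match in MSC_RE.finditer(rec["cmd"]):
            console = match.group(1).lower()
            if console in consoles:
                events.append({**rec, "console": console})
    return events


def flag_suspicious(events, approved=APPROVED_ADMINS):
    """Keep only console launches by accounts outside the approved set."""
    approved_lower = {u.lower() for u in approved}
    return [e for e in events if e["user"].lower() not in approved_lower]


def launches_by_user(events):
    """Summarise which consoles each account opened, for triage or baselining."""
    summary = {}
    for e in events:
        summary.setdefault(e["user"], set()).add(e["console"])
    return {user: sorted(consoles) for user, consoles in summary.items()}


if __name__ == "__main__":
    found = find_console_launches(SAMPLE_LOGS)
    for e in flag_suspicious(found):
        print(f"{e['ts']} {e['host']} {e['user']} opened {e['console']} via {e['image']}")
    print(launches_by_user(found))
```

On the constructed records this reports the two launches by accounts outside the allow-list (the workstation user and the backup service account) and ignores the approved network administrator's session, which is the signal a defender would want to follow up on rather than a blanket alert on every MMC launch.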

Once sophisticated attackers are inside an organization, they burrow themselves deep into networks and often go undetected. According to the report, attackers spend an estimated 243 days on a victim’s network before they are discovered. Though this is 173 days fewer than in 2011, many organizations remain compromised for years before a breach is detected, Mandiant noted.

“During our investigations in 2012, we found an increase in the number of outsourced and managed service providers who were compromised and used as a primary access point for attackers to gain entry to their victims’ networks,” according to the report. “We have worked with clients who were both the compromised outsourced service provider and the compromised clients who employ these services.”

“In many instances, the attackers initially gained access to the service provider solely as a means to find a way into their real target – the client of the service provider. In those cases, we have seen the attackers compromise the first victim – the outsourced service provider – gather the intelligence they need to facilitate their compromise of the second victim, and then lay dormant at the first victim for months or even years, only accessing backdoors at those companies if they need to regain access to the second victim.”

Mandiant’s investigations also revealed that many organizations get targeted by more than one attack group, and in some cases the attacks occur in succession. In 2012, 38 percent of the targets in the cases investigated by Mandiant were attacked again after the original incident was addressed. The top three targeted industries are aerospace; energy, oil and gas; and pharmaceuticals.

“We’ve seen first-hand that a sophisticated attacker can breach any network given enough time and determination,” said Grady Summers, Mandiant vice president and one of the report’s contributing authors, in a statement. “It’s not enough for companies to ask ‘Are we secure?’ They need to be asking ‘How do we know we’re not compromised today? How would we know? What would we do about it if we were?’”

Written By

Marketing professional with a background in journalism and a focus on IT security.