
Breach Detection Time Improves, Destructive Attacks Rise: FireEye

In its seventh annual Mandiant M-Trends report, FireEye-owned Mandiant said that organizations are improving on the time it takes to detect a security breach.

While the positive news on improved breach detection is exciting in the current days of cyber doom and gloom, Mandiant also found an increase in the number of destructive attacks hitting organizations.


What is most interesting about the M-Trends report is that its data is compiled from actual incidents rather than surveys. In other words, this is real-world data and detail gathered while investigating incidents across hundreds of clients, many of them high-profile organizations.

According to the just released report (PDF), the median number of days that attackers were present on a victim’s network before being discovered dropped to 146 days in 2015 from 205 days in 2014—a trend that shows positive improvement since measuring 416 days back in 2012. However, breaches still often go undetected for years, Mandiant reminded.

The breach investigations firm found that during its investigations, responders saw incidents where attackers destroyed critical business systems, leaked confidential data, held companies for ransom, and taunted executives. Some attackers were motivated by money, some claimed political retaliation as their motive, and others simply sought to cause embarrassment, the report said.

“Disruptive attacks were once considered an implausible worst-case scenario for many companies and were typically not planned for by executives,” the M-Trends report said. “Put simply, no one previously expected to have half the workforce lose access to their computers within a short amount of time. However, public events over the last few years have altered the notion of what comprises a worst-case scenario.”

With disruptive attacks now a legitimate threat, enterprises need to begin planning and preparing accordingly, Mandiant says.

Disruptive cyber attacks can be those that hold data for ransom (such as CryptoLocker), hold a company for ransom (stealing data and threatening to release it), delete data or damage systems, add malicious code to a source code repository, or modify critical business data in the hope that it does not get discovered.

“We’ve investigated multiple incidents where attackers wiped critical business systems and, in some cases, forced companies to rely on paper and telephone-based processes for days or weeks as they recovered their systems and data,” the report said. “We have even seen attackers wipe system backup infrastructure in an effort to keep victims offline longer.”

Responding to these disruptive attacks can be challenging, Mandiant says.

“Unlike breaches where a containment plan may be able to stop an attacker from stealing more information, in these disruptive instances the damage may have already been done by the time the attacker contacts the victim organization. Therefore, a different response to these incidents is required.”

In the report, Mandiant provided details and insights on how organizations can prepare for and deal with disruptive attacks.

Another interesting trend in 2015 was an increase in attackers attempting to exploit networking equipment during targeted and persistent campaigns.

“We’ve seen attackers compromise these devices in order to maintain persistent access, to change security access control lists (ACLs) to grant access to a protected environment, for reconnaissance purposes, and for network traffic disruption,” Mandiant said.

The report also highlights that stolen credentials continue to be an issue and an ongoing threat.

Leveraging third-party service providers to gain access to a victim organization is also a favored technique to gain initial access, Mandiant says, because often the service provider’s security posture is less than that of the victim organization.

Mandiant said that its Red Team was able to obtain domain administrator credentials within three days, on average, of gaining initial access to an environment.

“Once domain administrator credentials are stolen, it’s only a matter of time before an attacker is able to locate and gain access to the desired information,” Mandiant said.

“In 2015, we continued to be reminded that there is no such thing as perfect security,” said Kevin Mandia, SVP and president, FireEye. “Based on the significant number of incidents that Mandiant investigated in 2015, threat actors are finding inventive and disruptive ways to skirt even the best defenses, resulting in informational, financial and reputational loss.”

As is the case with Verizon’s annual Data Breach Investigations Report (DBIR), Mandiant’s M-Trends report should be considered required reading for any mid to large size enterprise. The “from the trenches” report is valuable because these are real world incidents that defenders can learn from.

“Numbers always tell a story, but it’s the interpretation of those numbers that holds the real value,” the report concludes. 

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
