Incident Response

Breach Detection Time Improves, Destructive Attacks Rise: FireEye

In its seventh annual Mandiant M-Trends report, FireEye-owned Mandiant said that organizations are improving on the time it takes to detect a security breach.

While the positive news on improved breach detection is exciting in the current days of cyber doom and gloom, Mandiant also found an increase in the number of destructive attacks hitting organizations.

What is most interesting about the M-Trends report is that the data is compiled from actual incidents, not surveys. In other words, this is real-world data and detail discovered during the investigation of incidents across hundreds of clients, many of them high-profile organizations.

According to the just released report (PDF), the median number of days that attackers were present on a victim’s network before being discovered dropped to 146 days in 2015 from 205 days in 2014—a trend that shows positive improvement since measuring 416 days back in 2012. However, breaches still often go undetected for years, Mandiant reminded.

The breach investigations firm found that during its investigations, responders saw incidents where attackers destroyed critical business systems, leaked confidential data, held companies for ransom, and taunted executives. Some attackers were motivated by money, some claimed political retaliation, and others sought to cause embarrassment, the report said.

“Disruptive attacks were once considered an implausible worst-case scenario for many companies and were typically not planned for by executives,” the M-Trends report said. “Put simply, no one previously expected to have half the workforce lose access to their computers within a short amount of time. However, public events over the last few years have altered the notion of what comprises a worst-case scenario.”

With disruptive attacks now a legitimate threat, enterprises need to begin planning and preparing accordingly, Mandiant says.

Disruptive cyber attacks can be those that hold data for ransom (such as CryptoLocker), hold a company for ransom (stealing data and threatening to release it), delete data or damage systems, add malicious code to a source code repository, or modify critical business data in the hope that it does not get discovered.

“We’ve investigated multiple incidents where attackers wiped critical business systems and, in some cases, forced companies to rely on paper and telephone-based processes for days or weeks as they recovered their systems and data,” the report said. “We have even seen attackers wipe system backup infrastructure in an effort to keep victims offline longer.”

Responding to these disruptive attacks can be challenging, Mandiant says.

“Unlike breaches where a containment plan may be able to stop an attacker from stealing more information, in these disruptive instances the damage may have already been done by the time the attacker contacts the victim organization. Therefore, a different response to these incidents is required.”

In the report, Mandiant provided details and insights on how organizations can prepare for and deal with disruptive attacks.

Another interesting trend in 2015 was an increase in attackers attempting to exploit networking equipment during targeted and persistent campaigns.

“We’ve seen attackers compromise these devices in order to maintain persistent access, to change security access control lists (ACLs) to grant access to a protected environment, for reconnaissance purposes, and for network traffic disruption,” Mandiant said.
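One practical defence against the ACL tampering Mandiant describes is to diff each device's running configuration against an approved baseline and alert on any new permit or removed deny. The script below is an added example, not part of the M-Trends report or any FireEye/Mandiant tooling; the two Cisco IOS-style config excerpts, the ACL names and all addresses in it are constructed.

```python
"""Detect unauthorized ACL changes on a network device by diffing its
running configuration against an approved baseline.

Added example; not from the M-Trends report or Mandiant tooling. The
config text, ACL names and addresses below are constructed.
"""
import re
from collections import OrderedDict

# Constructed baseline: the approved running-config excerpt for a core switch.
BASELINE_CONFIG = """\
hostname core-sw1
!
ip access-list extended PROTECTED-ENV
 permit tcp 10.10.20.0 0.0.0.255 10.50.0.0 0.0.255.255 eq 443
 permit tcp host 10.10.20.15 10.50.0.0 0.0.255.255 eq 22
 deny ip any any log
!
ip access-list extended MGMT-IN
 permit tcp host 10.10.9.5 any eq 22
 deny ip any any log
!
"""

# Constructed "current" config pulled from the same device later: an extra
# permit has appeared in PROTECTED-ENV and MGMT-IN has been loosened.
CURRENT_CONFIG = """\
hostname core-sw1
!
ip access-list extended PROTECTED-ENV
 permit tcp 10.10.20.0 0.0.0.255 10.50.0.0 0.0.255.255 eq 443
 permit ip host 192.0.2.77 10.50.0.0 0.0.255.255
 permit tcp host 10.10.20.15 10.50.0.0 0.0.255.255 eq 22
 deny ip any any log
!
ip access-list extended MGMT-IN
 permit tcp any any eq 22
 deny ip any any log
!
"""

ACL_HEADER = re.compile(r"^ip access-list (?:standard|extended) (\S+)$")


def parse_acls(config_text):
    """Return {acl_name: [entry, ...]} with entries in config order."""
    acls = OrderedDict()
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        m = ACL_HEADER.match(line)
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        if current is not None and line.startswith(" "):
            acls[current].append(line.strip())
        else:
            current = None  # any unindented line ends the ACL block
    return acls


def diff_acls(baseline_text, current_text):
    """Return a sorted list of (acl_name, 'added'|'removed', entry).

    The comparison is set-based: a reordered entry is reported as unchanged,
    while new or missing entries are reported per ACL.
    """
    base = parse_acls(baseline_text)
    cur = parse_acls(current_text)
    findings = []
    for name in sorted(set(base) | set(cur)):
        b = set(base.get(name, []))
        c = set(cur.get(name, []))
        for entry in sorted(c - b):
            findings.append((name, "added", entry))
        for entry in sorted(b - c):
            findings.append((name, "removed", entry))
    return findings


def high_risk(findings):
    """Keep the changes that widen access: new permits or removed denies."""
    return [
        f for f in findings
        if (f[1] == "added" and f[2].startswith("permit"))
        or (f[1] == "removed" and f[2].startswith("deny"))
    ]


if __name__ == "__main__":
    changes = diff_acls(BASELINE_CONFIG, CURRENT_CONFIG)
    for name, change, entry in changes:
        print(f"{name:15} {change:8} {entry}")
    print("high-risk changes:", len(high_risk(changes)))
```

Because ACLs are evaluated first-match, a reordering that moves a broad permit above a deny also changes behaviour; the set-based diff above deliberately ignores order to keep noise down, so a production check should add a positional comparison for the ACLs guarding the most sensitive segments.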

The report also highlights that stolen credentials continue to be an issue and an ongoing threat.

Leveraging third-party service providers to gain access to a victim organization is also a favored technique for gaining initial access, Mandiant says, because the service provider’s security posture is often weaker than that of the victim organization.

Mandiant said that its Red Team was able to obtain domain administrator credentials within three days, on average, of gaining initial access to an environment.

“Once domain administrator credentials are stolen, it’s only a matter of time before an attacker is able to locate and gain access to the desired information,” Mandiant said.

“In 2015, we continued to be reminded that there is no such thing as perfect security,” said Kevin Mandia, SVP and president, FireEye. “Based on the significant number of incidents that Mandiant investigated in 2015, threat actors are finding inventive and disruptive ways to skirt even the best defenses, resulting in informational, financial and reputational loss.”

As is the case with Verizon’s annual Data Breach Investigations Report (DBIR), Mandiant’s M-Trends report should be considered required reading for any mid to large size enterprise. The “from the trenches” report is valuable because these are real world incidents that defenders can learn from.

“Numbers always tell a story, but it’s the interpretation of those numbers that holds the real value,” the report concludes. 

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
