Information security services firm Mandiant, recently released its “M-Trends” report, offering insights and analysis based on hundreds of investigations conducted over the last year. The report highlights just how motivated attackers have become, and offers some suggestions for organizations looking to stay ahead of the game.
“In nearly a decade of responding to targeted attacks, one thing is constant — attackers will change their tactics as needed to successfully compromise their targets,” said Vice President of Customer Success, Grady Summers, one of the report’s principal authors.
According to the report, a typical advanced attack can go unnoticed for more than a year. Once inside the victim’s network, attackers typically have plenty of time to reach their ultimate objective, whether that’s stealing intellectual property or financial assets. Often, it’s during the merger and acquisition cycle that compromises are detected, but by then it’s too late.
One of the most popular targets is the supply chain, the report explains, as attackers focus their efforts here in order to amass a larger IP portfolio. Overtime, attackers have learned that in order to gain full visibility into complex projects, data is required from all of the companies that partnered to design or build the targeted project.
According to a report released by the U.S.-China Economic and Security Review Commission last week, the close relationship between China’s military and Chinese telecom firms has created an avenue for state sponsored or directed penetrations of U.S. supply chains for electronics supporting military, government, and civilian industry. Such capabilities give “the potential to cause the catastrophic failure of systems and networks supporting critical infrastructure for national security or public safety,” the report notes.
Keeping pace with the frightening data, anti-Malware and other endpoint protections work well against known threats such as botnets, worms, and drive-by-attacks, but they rarely stop a targeted attack.
While Mandiant’s report outlines the threats observed by the company over the last year when it was called to investigate a case, they do offer several points when it comes to remediation.
For example, enabling logging of DHCP, DNS, VPN and Windows security events, on top of increasing password complexity; reducing cached credential storage; disabling LANMAN hashes; implementing aggressive patch management policies; and either developing or increasing end-user awareness initiatives are the number one consideration prior to beginning remediation of an incident.
“It is clear that the adversary is evolving — we have known that for years. However, in a decade of responding to advanced targeted threats, 2011 was an inflection point,” the report concludes.
“Despite all of this, a few things have not changed: visibility is paramount, smart people are more important than any technology, and the way you respond — when the inevitable happens — is what will determine whether you become a headline or not.”