Mandiant released its fourth annual M-Trends report, which details the tactics used by threat actors to compromise organizations and steal data. It also highlights incident response best practices employed by organizations that are most successful in combating advanced attackers.
This year’s M-Trends also includes an overview of the APT1 threat group and a link to more than 3,000 technical indicators that Mandiant has provided to organizations so they can bolster their defenses.
“We’ve seen first-hand that a sophisticated attacker can breach any network given enough time and determination,” said Grady Summers, Mandiant vice president and one of the report’s contributing authors. “It’s not enough for companies to ask “Are we secure?’ They need to be asking ‘How do we know we’re not compromised today? How would we know? What would we do about it if we were?'”
Some of the report’s highlights include:
Nearly two-thirds of organizations learn they are breached from an external source.
Targeted attacks continue to evade preventive defenses, but organizations are getting better at discovering them on their own. Still, a full 63 percent of victims were made aware they had been breached by an external organization such as law enforcement.
The typical advanced attack goes unnoticed for nearly eight months.
Attackers spend an estimated 243 days on a victim’s network before they are discovered – 173 days fewer than in 2011. Though organizations have reduced the average time between compromise and detection by 40%, many are still compromised for several years before detecting a breach.
Attackers are increasingly using outsourced service providers as a means to gain access to their victims.
As companies continue to outsource business processes such as finance, accounting, HR, and procurement, advanced attack groups are increasingly taking advantage of those relationships to gain access to the organizations.
Attackers are using comprehensive network reconnaissance to help them navigate victims’ networks faster and more effectively.
Attackers are frequently stealing data related to network infrastructure, processing methodologies, and system administration guides to gather the reconnaissance data they need to more quickly exploit network and system misconfigurations.
Advanced Persistent Threat (APT) attackers continue to target industries that are strategic to their growth and will return until their mission is complete.
Mandiant observed a relationship between the strategic priorities of the People’s Republic of China (PRC), the operations of PRC state-owned enterprises (SOEs), and data stolen through cyber intrusions from a wide variety of clients and industries. Of the top three industries repeatedly targeted, aerospace topped the list, followed by energy, oil and gas, and pharmaceuticals.
Once a target, always a target.
Organizations are being targeted by more than one attack group, sometimes in succession. In 2012, 38% of targets were attacked again once the original incident was remediated. Of the total cases Mandiant investigated in 2012, attackers lodged more than one thousand attempts to regain entry to former victims.
The complete report is available here (registration required).