FireEye released the Mandiant M-Trends 2019 report at the RSA Conference. The report shares statistics and insights gleaned from Mandiant investigations around the globe in 2018.
Dwell time decreasing as organizations improve detection capabilities – In 2017, the median duration between the start of an intrusion and its identification by an internal team was 57.5 days. In 2018 this duration decreased to 50.5 days. While organizations are getting better and faster at discovering breaches internally, rather than being notified by an outside source such as law enforcement, there is also a rise in disruptive, ransom, or otherwise immediately visible attacks, which are discovered quickly by their nature. The global median dwell time before any detection – external or internal – has also decreased by almost one month, from 101 days in 2017 to 78 days in 2018. The same measurement was as high as 416 days back in 2011.
Nation-state threat actors are continuing to evolve and change – Through ongoing tracking of threat actors from North Korea, Russia, China, Iran, and other countries, FireEye has observed these actors continually enhancing their capabilities and changing their targets in alignment with their political and economic agendas. Significant investments have provided these actors with more sophisticated tactics, tools, and procedures, with some becoming more aggressive, and others better at hiding and staying persistent for longer periods of time.
Attackers are becoming increasingly persistent – FireEye data provides evidence that organizations that have been victims of a targeted compromise are likely to be targeted again. Global data from 2018 found that 64 percent of all FireEye managed detection and response customers who were previously Mandiant incident response clients were targeted again in the past 19 months by the same or a similarly motivated attack group, up from 56 percent in 2017.
Many attack vectors used to get to targets, including M&A activity – Attacker activity touches countries across the globe. Among them, FireEye observed an increase in compromises through phishing attacks during mergers & acquisitions (M&A) activity. Attackers are also targeting data in the cloud, including cloud providers, telecoms, and other service providers, in addition to re-targeting past victim organizations.
Advice for organizations
“We observed an increase in phishing attacks where a compromised email account was used to send phishing emails to additional users in the organization. This is particularly effective in M&A situations, since employees expect communication, sometimes unsolicited, between the organizations,” the company noted.
“Attackers also leveraged access to compromised email accounts to bypass multi-factor authentication. [We] observed bypasses of SMS-based, email-based, and software-based security token (soft-token) multi-factor authentication.”
For organizations involved in the M&A process, FireEye recommends conducting a compromise assessment of the acquisition target, to identify any current or previous compromises, together with a proactive review of both the acquiring and acquired networks for evidence of attacker activity, before integrating the two networks.
FireEye also urges organizations to:
- Audit rights to identify accounts with access to other users’ email
- Disallow the automatic forwarding of email outside the organization, or regularly audit the forwarding rules on the organization’s mail servers to detect evidence of this technique
- Enable audit logging on O365
- Enable multi-factor authentication on O365.
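The first three items above are concrete Exchange Online administration checks. The PowerShell script below is an added example, not code from the M-Trends report or from FireEye. It assumes the ExchangeOnlineManagement module is installed and the operator holds a role that can read mailbox permissions, inbox rules and organization configuration; `$TenantDomains` is a constructed placeholder that must be replaced with every domain the organization owns. It lists non-default Full Access delegations on other users' mailboxes, flags mailbox-level forwarding and inbox rules that forward or redirect mail to external addresses, and reports whether auto-forwarding to external domains and organization-wide mailbox auditing are set the way the recommendations call for. The fourth item, multi-factor authentication, is enforced through tenant sign-in policy rather than Exchange settings and is outside this script.

```powershell
# Added example, not from the M-Trends report: audit an Exchange Online tenant for
# delegated mailbox access, external forwarding, and audit-logging configuration.
# Requires the ExchangeOnlineManagement module and a role able to read mailbox
# permissions, inbox rules and organization config.
param(
    [string[]]$TenantDomains = @('example.com'),   # constructed placeholder: list all owned domains
    [string]$ReportPath = '.\mail-audit.csv'
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Returns $true when an address or rule recipient points outside the tenant.
# Inbox-rule recipients render as '"Name" [SMTP:user@domain]'; mailbox-level
# forwarding renders as 'smtp:user@domain'. Both carry a parseable user@domain.
function Test-ExternalRecipient {
    param([string]$Recipient)
    if ([string]::IsNullOrWhiteSpace($Recipient)) { return $false }
    if ($Recipient -match '([^\s:\[\]"]+)@([^\s\]\>"]+)') {
        return ($TenantDomains -notcontains $Matches[2].ToLower())
    }
    return $true   # unparseable recipient: surface it so a human reviews it
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding {
    param([string]$Mailbox, [string]$Category, [string]$Detail, [string]$Remediation)
    $findings.Add([pscustomobject]@{
        Mailbox = $Mailbox; Category = $Category; Detail = $Detail; Remediation = $Remediation
    })
}

foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
    $upn = $mbx.UserPrincipalName

    # 1. Mailbox-level forwarding (set with Set-Mailbox rather than by the user)
    if (Test-ExternalRecipient $mbx.ForwardingSmtpAddress) {
        Add-Finding $upn 'ExternalForwarding' "ForwardingSmtpAddress=$($mbx.ForwardingSmtpAddress)" `
            "Set-Mailbox $upn -ForwardingSmtpAddress `$null"
    }
    if ($mbx.ForwardingAddress) {
        # ForwardingAddress names a tenant recipient, which may itself be an external mail contact
        $target = Get-Recipient -Identity $mbx.ForwardingAddress -ErrorAction SilentlyContinue
        Add-Finding $upn 'ForwardingToRecipient' "ForwardingAddress=$($target.PrimarySmtpAddress)" `
            'Confirm the recipient is legitimate; clear with Set-Mailbox -ForwardingAddress $null'
    }

    # 2. Inbox rules that forward, forward-as-attachment, or redirect
    $rules = Get-InboxRule -Mailbox $upn -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $targets) {
            if (Test-ExternalRecipient "$t") {
                Add-Finding $upn 'ExternalInboxRule' "Rule '$($rule.Name)' -> $t" `
                    "Remove-InboxRule -Mailbox $upn -Identity '$($rule.Name)'"
            }
        }
    }

    # 3. Accounts granted Full Access to this mailbox (excluding inherited/system entries)
    Get-MailboxPermission -Identity $upn |
        Where-Object {
            $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited -and
            -not $_.Deny -and $_.User -notlike 'NT AUTHORITY\*'
        } |
        ForEach-Object {
            Add-Finding $upn 'FullAccessDelegate' "User=$($_.User)" `
                'Confirm the delegation is still required; otherwise Remove-MailboxPermission'
        }
}

# 4. Tenant-wide settings behind the forwarding and audit-logging recommendations
$remote = Get-RemoteDomain Default
if ($remote.AutoForwardEnabled) {
    Add-Finding '(tenant)' 'AutoForwardAllowed' 'Default remote domain permits auto-forwarding' `
        'Set-RemoteDomain Default -AutoForwardEnabled $false'
}
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Add-Finding '(tenant)' 'MailboxAuditingOff' 'Mailbox auditing disabled organization-wide' `
        'Set-OrganizationConfig -AuditDisabled $false'
}

$findings | Export-Csv -Path $ReportPath -NoTypeInformation
$findings | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

Get-InboxRule is called once per mailbox, so a large tenant takes a while; schedule the script rather than running it interactively, and diff successive CSV reports so that a newly created forwarding rule or delegation stands out rather than being lost in a list of long-standing, already-reviewed entries. Recipients the parser cannot interpret are deliberately reported as external, since the cost of a human glance is lower than the cost of a missed exfiltration rule.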
The report also lays out preventative best practices organizations should implement to keep attackers out, as well as common issues that often need to be fixed.