Most attacks successfully infiltrate production environments without detection

While organizations continue to invest significant budget dollars in security controls and assume that this means assets are fully protected, the reality is that a majority of attacks successfully infiltrate production environments without their knowledge, according to a FireEye report.

Additionally, the report includes guidance to help organizations ensure that their security controls perform as expected by implementing a strategy that includes continuous security validation.

“Every organization wants reliable data that tells them if their security investments are delivering real value and protecting them from becoming the next major cyber-attack headline,” said Chris Key, Senior Vice President at Mandiant Security Validation.

“Our research shows that while the majority of companies assume they’re protected, the truth is that more often than not, they are exposed. Using automated security validation integrated with the latest threat intelligence and frontline expertise, we can help customers validate the health of their infrastructure by testing against threats that are most likely to target their organization. This combination is not only a powerful defensive measure, but it also helps companies prioritize investments where they will have the most impact.”

A snapshot of security effectiveness challenges

The tests saw 53% of attacks successfully infiltrate environments without detection. Furthermore, researchers saw 26% of attacks successfully infiltrate environments but were detected, while 33% of attacks were prevented by security tools.

Alerts for only 9% of attacks were generated, demonstrating that most organizations and their security teams do not have the visibility they need into serious threats, even when they use central SIEM, SOAR and analysis platforms.

The most common reasons for poor optimization of organizations’ security tools were:

• Deployed under default “out-of-the-box” configurations
• Lack of resources to tune and tweak post-deployment
• Security events not making it to the SIEM
• Inability to force controls testing
• Unexpected changes or drift in the underlying infrastructure

Techniques and tactics used by attackers

The report also takes a deeper look into techniques and tactics used by attackers and outlines the primary challenges most commonly uncovered in enterprise environments through security validation and conducting testing:

• Reconnaissance: In testing network traffic, organizations reported only 4% of reconnaissance activity generated an alert
• Infiltrations & ransomware: 68% of the time, organizations reported their controls did not prevent or detect the detonation within their environment
• Policy evasion: 65% of the time, security environments were not able to prevent or detect the approaches being tested
• Malicious file transfer: 48% of the time, controls in place were not able to prevent or detect the delivery and movement of malicious files
• Command & control: 97% of the behaviors executed did not have a corresponding alert generated in the SIEM
• Data exfiltration: Exfiltration techniques and tactics were successful 67% of the time during initial testing
• Lateral movement: 54% of the techniques and tactics used to execute testing of lateral movement were missed