Mandiant Releases Annual Threat Report on Advanced Targeted Attacks
M-Trends™ 2012 reveals key insights and statistics that illustrate how the tools and tactics of the Advanced Persistent Threat (APT) and other advanced attackers have evolved over the last year.
Alexandria, Va. – Mandiant, the leader in advanced threat detection and response solutions, today announced the availability of its third annual M-Trends report, M-Trends 2012: An Evolving Threat. The report, which is based on hundreds of advanced threat investigations conducted over the past year, includes analysis, statistics and case studies that highlight how advanced and motivated attackers are stealing sensitive intellectual property and financial assets. The report also shares approaches that organizations can take to improve the way they detect, respond to, and contain complex breaches.
“In nearly a decade of responding to targeted attacks, one thing is constant — attackers will change their tactics as needed to successfully compromise their targets,” said Vice President of Customer Success, Grady Summers, one of the report’s principal authors. “The breadth of companies being targeted is growing and the rate of intellectual property theft is increasing faster than ever. Companies who have made responsible and sustained investments in information technology continue to be compromised.”
- Only Six Percent of Organizations Detect Advanced Attackers Via Internal Methods
Targeted attacks continue to evade preventive defenses. Over the last year, the vast majority of organizations – 94 percent – learned that they were victims of targeted attacks from an external entity such as law enforcement.
- The Typical Advanced Attack Goes Unnoticed for More Than a Year
Once they are inside the victim organization, attackers typically have plenty of time to reach their ultimate objective – whether that’s stealing intellectual property or financial assets. The median number of days from the first evidence of compromise to when the attack was identified was 416 days.
- Compromised Organizations Are Increasingly Being Detected During the M&A Cycle
As targeted attacks spread to a wider cross-section of industries, companies are increasingly purchasing compromised assets. Based on Mandiant’s experience, a record number of targeted intrusions were discovered while the victimized organizations were in the process of integrating into their new parent organizations.
- Advanced Attackers Are Targeting Multiple Companies across a Supply Chain
Attackers are targeting companies that collaborate within a supply chain in order to assemble a comprehensive intellectual property portfolio. Advanced attackers have learned that in order to gain full visibility into complex projects, data is required from all of the companies that partnered to design or build the targeted project.
- Malware Only Tells Half of the Story
Organizations’ investments in malware detection and antivirus capabilities, while effective in detecting characteristics associated with common worms, botnets, and drive-by downloads, do little to help defend against targeted intrusions. Today, advanced attackers often use malware as a means to gain an initial foothold within an organization. After the initial compromise, though, they shift their tactics and use legitimate credentials from compromised accounts to move laterally, create staging sites and exfiltrate data from their victims. Only 54 percent of compromised machines that Mandiant investigated contained malware while 100 percent of the attacks Mandiant investigated utilized stolen credentials during the intrusion.
- The Use of Publicly Available Tools Is Adding Complexity to Identifying Threat Actors
Over the past year, Mandiant has seen an increase in attack groups using publicly available Remote Access Trojans (RATs), backdoors, and utilities to gain access into victim organizations. The use of these publicly available tools has added some complexity to identifying threat actors because when organizations identify a piece of publicly available malware they often cleanse the file and – in the process – obscure what could be a larger incident.
- Attackers Are Diversifying Their Persistence Mechanisms
Historically, the Advanced Persistent Threat has used reverse backdoors for remote access to compromised environments. These backdoors were detectable because they generated consistent and routine network traffic and resided in common locations. During 2011, Mandiant saw the APT diversify their backdoor mechanisms to include passive backdoors such as miniport drivers and web shells that are more resilient against detection and remediation efforts.
- Financially Motivated Attackers Are Increasingly Persistent
Organized crime groups are adopting persistence mechanisms previously used by the Advanced Persistent Threat. The long-term access these techniques enable allows the attacker to steal more data over a longer period of time, to gain access to more lucrative data, and to ensure their data is as fresh as possible.
A full copy of the report can be accessed via Mandiant’s web site at www.mandiant.com.
Mandiant is the leader in security incident response management solutions. Headquartered in Alexandria, Virginia, with offices in New York, Los Angeles, San Francisco, London, Dublin and Reston, Virginia, Mandiant provides products, professional services and education to Fortune 500 companies, financial institutions, government agencies, domestic and foreign police departments and the world’s leading law firms. The authors of 12 books and quoted frequently by leading media organisations, Mandiant security consultants and engineers hold top government security clearances, certifications and advanced degrees from some of the most prestigious computer science universities. To learn more about Mandiant visit www.mandiant.com, read the company blog, M-unition™, follow on Twitter @Mandiant or Facebook at www.facebook.com/mandiantcorp.