Mandiant Releases Annual Threat Report on Advanced Targeted Attacks
M-Trends™ 2012 reveals key insights and statistics that illustrate how the tools and tactics of the Advanced Persistent Threat (APT) and other advanced attackers have evolved over the last year.
Alexandria, Va. – Mandiant, the leader in advanced threat detection and response solutions, today announced the availability of its third annual M-Trends report, M-Trends 2012: An Evolving Threat. The report, which is based on hundreds of advanced threat investigations conducted over the past year, includes analysis, statistics and case studies that highlight how advanced and motivated attackers are stealing sensitive intellectual property and financial assets. The report also shares approaches that organizations can take to improve the way they detect, respond to, and contain complex breaches.
“In nearly a decade of responding to targeted attacks, one thing is constant — attackers will change their tactics as needed to successfully compromise their targets,” said Vice President of Customer Success, Grady Summers, one of the report’s principal authors. “The breadth of companies being targeted is growing and the rate of intellectual property theft is increasing faster than ever. Companies who have made responsible and sustained investments in information technology continue to be compromised.”
- Only Six Percent of Organizations Detect Advanced Attackers Via Internal Methods
Targeted attacks continue to evade preventive defenses. Over the last year, the vast majority of organizations – 94 percent – learned they were victims of targeted attacks from an external entity such as law enforcement.
- The Typical Advanced Attack Goes Unnoticed for More Than a Year
Once they are inside the victim organization, attackers typically have plenty of time to reach their ultimate objective – whether that’s stealing intellectual property or financial assets. The median number of days from the first evidence of compromise to when the attack was identified was 416 days.
- Compromised Organizations Are Increasingly Being Detected During the M&A Cycle
As targeted attacks spread to a wider cross-section of industries, companies are increasingly purchasing compromised assets. Based on Mandiant’s experience, a record number of targeted intrusions were discovered while the victimized organizations were in the process of integrating into their new parent organizations.
- Advanced Attackers Are Targeting Multiple Companies across a Supply Chain
Attackers are targeting companies that collaborate within a supply chain in order to assemble a comprehensive intellectual property portfolio. Advanced attackers have learned that in order to gain full visibility into complex projects, data is required from all of the companies that partnered to design or build the targeted project.
- Malware Only Tells Half of the Story
Organizations’ investments in malware detection and antivirus capabilities, while effective in detecting characteristics associated with common worms, botnets, and drive-by downloads, do little to help defend against targeted intrusions. Today, advanced attackers often use malware as a means to gain an initial foothold within an organization. After the initial compromise, though, they shift their tactics and use legitimate credentials from compromised accounts to move laterally, create staging sites and exfiltrate data from their victims. Only 54 percent of compromised machines that Mandiant investigated contained malware while 100 percent of the attacks Mandiant investigated utilized stolen credentials during the intrusion.
- The Use of Publicly Available Tools Is Adding Complexity to Identifying Threat Actors
Over the past year, Mandiant has seen an increase in attack groups using publicly available Remote Access Trojans (RATs), backdoors, and utilities to gain access into victim organizations. The use of these publicly available tools has added some complexity to identifying threat actors because when organizations identify a piece of publicly available malware they often cleanse the file and – in the process – obscure what could be a larger incident.
- Attackers Are Diversifying Their Persistence Mechanisms
Historically, the Advanced Persistent Threat has used reverse backdoors for remote access to compromised environments. These backdoors were detectable because they generated consistent and routine network traffic and resided in common locations. During 2011, Mandiant saw the APT diversify their backdoor mechanisms to include passive backdoors such as miniport drivers and web shells that are more resilient against detection and remediation efforts.
- Financially Motivated Attackers Are Increasingly Persistent
Organized crime groups are adopting persistence mechanisms previously used by the Advanced Persistent Threat. The long-term access these techniques enable allows the attacker to steal more data over a longer period of time, to gain access to more lucrative data, and to ensure their data is as fresh as possible.
A full copy of the report can be accessed via Mandiant’s web site at www.mandiant.com.
About FireEye, Inc.
FireEye has invented a purpose-built, virtual machine-based security platform that provides real-time threat protection to enterprises and governments worldwide against the next generation of cyber attacks. These highly sophisticated cyber attacks easily circumvent traditional signature-based defenses, such as next-generation firewalls, IPS, anti-virus, and gateways. The FireEye Threat Prevention Platform provides real-time, dynamic threat protection without the use of signatures to protect an organization across the primary threat vectors and across the different stages of an attack life cycle. The core of the FireEye platform is a virtual execution engine, complemented by dynamic threat intelligence, to identify and block cyber attacks in real time. FireEye has over 2,500 customers across 65 countries, including over 150 of the Fortune 500.
Mandiant, a FireEye company, has driven threat actors out of the computer networks and endpoints of hundreds of clients across every major industry. We are the go-to organization for the Fortune 500 and government agencies that want to defend against and respond to critical security incidents of all kinds. When intrusions are successful, Mandiant’s security consulting services – backed up by threat intelligence and technology from FireEye – help organizations respond and resecure their networks.