M-Trends: The One Threat Report You Need to Read
Today is a big day. If you’ve followed us for a while you know that once a year we step back and take stock of what we’ve seen on the front lines battling targeted attacks. What is the advanced persistent threat (APT) up to? How are organized crime groups changing their tactics? What can organizations do to respond? Hot off the presses, M-Trends 2012, is full of facts, figures, case studies and recommendations. You can download the full report here. And we’ve got a webinar on March 16th to go over the report in detail.
While writing M-Trends 2012 a couple of interesting facts that jumped out at us were 94% and 416. The first number is the percent of companies that learn they are a victim of a targeted attack from an external party such as law enforcement. The second is the median number of days the average advanced attacker has before they are detected.
All in all, the Mandiant team identified six key trends this year based on the hundreds of advanced threat investigations we have conducted.
- Compromised Organizations Are Increasingly Detected During the M&A Cycle: Based on Mandiant’s experience, a record number of targeted intrusions were discovered while the victimized organizations were in the process of integrating into their new parent organizations.
- Advanced Attackers Are Targeting Multiple Companies across a Supply Chain: Attackers are targeting companies that collaborate together within a supply chain in order to assemble a comprehensive intellectual property portfolio.
- Malware Only Tells Half the Story: Only 54% of compromised machines that Mandiant investigated contained malware while 100% of the attacks Mandiant investigated utilized stolen credentials during the intrusion.
- Attackers Are Diversifying Their Persistence Mechanisms: During 2011, Mandiant saw advanced attackers diversify their backdoor mechanisms to include passive backdoors such as port listeners and web shells that are more resilient against detection and remediation efforts.
- The Use of Publicly Available Tools Is Adding Complexity to Identifying Threat Actors: Over the past year, Mandiant has seen an increase in attack groups using publicly available Remote Access Trojans (RATs), backdoors, and utilities to gain access into victim organizations. This use of RATs has added complexity to identifying threat actors.
- Financially Motivated Attackers Are Increasingly Persistent: Organized crime groups are adopting persistence mechanisms previously used by nation-state threat actors.
If you stopped by our booth at RSA you were lucky enough to get an advance copy of M-Trends 2012. For those that missed it you can now download the full report here. Grady Summers, vice president at Mandiant and one of the principal authors will be breaking down each trend in depth over the coming weeks so stay tuned for his future blog posts.
Once you’ve had a chance to read the report, I’d love to hear your comments. Please include them below.