Breach Detection Better; Attacks on Rise

Monday, February 29, 2016 @ 05:02 PM gHale

Companies are getting better at shortening the time it takes to detect a security breach, a new report said.

Faster detection matters because Mandiant, the company that produced the M-Trends report, said the number of destructive attacks hitting organizations is on the rise.

The report found the median number of days attackers were on a victim’s network before being discovered dropped to 146 days in 2015 from 205 days in 2014. Back in 2012, the report said, attackers were on a network for 416 days.

In its report Mandiant said the company responded to a large number of high-profile breaches in 2015. It noticed two main differences in the responses performed in 2015:
1. More breaches became public than at any other time in the past (both voluntarily and involuntarily)
2. The location and motives of the attackers were more diverse

“In 2015, the nature of the breaches we responded to continued to shift to a more even balance of Chinese and non-Chinese-based threat actors,” the report said. “We responded to more actors based out of Russia (both nationally sponsored and traditionally financially motivated attack groups) than in the past. We also saw an uptick in ‘gunslinger’ (for-profit) groups. Finally, we noticed a significant increase in attack groups leveraging deregulated currency (such as Bitcoin) to get their ransoms paid.”

During its investigations, Mandiant said, responders saw incidents where attackers destroyed critical business systems, leaked confidential data, held companies for ransom, and taunted executives.

With disruptive attacks now a legitimate threat, enterprises need to begin planning and preparing accordingly, Mandiant said in the report.

Responding to disruptive attacks can be challenging, Mandiant said.

“Unlike breaches where a containment plan may be able to stop an attacker from stealing more information, in these disruptive instances the damage may have already been done by the time the attacker contacts the victim organization. Therefore, a different response to these incidents is required.”

In the report, Mandiant provided details and insights on how organizations can prepare for and deal with disruptive attacks.

Another trend last year was an increase in attackers attempting to exploit networking equipment during targeted and persistent campaigns.

The report also points out that stolen credentials continue to be an issue and an ongoing threat.

Leveraging third-party service providers to gain access to a victim organization is also a favored initial-access technique, the report said, because the service provider’s security posture is often weaker than that of the victim organization.

Mandiant said its Red Team was able to obtain domain administrator credentials within three days, on average, of gaining initial access to an environment.

“Once domain administrator credentials are stolen, it’s only a matter of time before an attacker is able to locate and gain access to the desired information,” Mandiant said.

“All of the trends we’re seeing lead to one conclusion: It is more critical to focus on all aspects of your security posture (people, processes, and technology) than ever before,” the report said.
