Wednesday, March 13, 2013

Mandiant: Discovery of Cyber Intrusions Typically Takes Months

Cyber attackers typically spend an estimated 243 days on a victim’s network before they are discovered, according to the 4th annual cybersecurity report from Mandiant, the security consulting firm that was recently in the news for its exposé of Chinese hacking groups. Mandiant's report highlights incident response best practices, including a discussion of technical indicators of advanced threats.

Some of the report’s highlights include:

  • Nearly two-thirds of organizations learn they are breached from an external source.
  • Targeted attacks continue to evade preventive defenses, but organizations are getting better at discovering them on their own. Still, a full 63 percent of victims were made aware they had been breached by an external organization such as law enforcement.
  • The typical advanced attack goes unnoticed for nearly eight months.
  • Attackers are increasingly using outsourced service providers as a means to gain access to their victims.
  • As companies continue to outsource business processes such as finance, accounting, HR, and procurement, advanced attack groups are increasingly taking advantage of those relationships to gain access to the organizations.
  • Attackers are using comprehensive network reconnaissance to help them navigate victims’ networks faster and more effectively.
  • Attackers are frequently stealing data related to network infrastructure, processing methodologies, and system administration guides to gather the reconnaissance data they need to more quickly exploit network and system misconfigurations.
  • Advanced Persistent Threat (APT) attackers continue to target industries that are strategic to their growth and will return until their mission is complete.
  • Mandiant observed a relationship between the strategic priorities of the People’s Republic of China (PRC), the operations of PRC state-owned enterprises (SOEs), and data stolen through cyber intrusions from a wide variety of clients and industries. Of the top three industries repeatedly targeted, aerospace topped the list, followed by energy, oil and gas, and pharmaceuticals.
  • Once a Target, Always a Target
  • Organizations are being targeted by more than one attack group, sometimes in succession. In 2012, 38% of targets were attacked again once the original incident was remediated. Of the total cases Mandiant investigated in 2012, attackers lodged more than one thousand attempts to regain entry to former victims.

A full copy of the report is online.