Since 2010, Mandiant’s annual threat report, “M-Trends” has provided the industry with in-depth analysis and insight based on hundreds of advanced threat investigations conducted during the previous calendar year for the U.S. government, the defense industrial base and commercial organizations. As a leader in combating advanced threats, FireEye stresses the continuous education that needs to take place in order to be one step ahead of attackers. That is why it is with great excitement that I present the fifth installment of M-Trends.
2013 was an explosive year for the cybersecurity industry; a result of Mandiant’s APT1 report, The New York Times breach, and other organizations coming to the forefront to openly discuss their own incidents. In addition, President Obama discussed concerns about cyber-attacks in his annual State of the Union address. This was a huge step for the industry in terms of bringing advanced attacks to the forefront of the nation’s, and the world’s, attention.
This year’s report compiles incident response trends from hundreds of clients in more than 30 industry sectors. Some highlights include:
- The time it takes to detect a compromise continues to improve
The median number of days it takes an organization to discover a network breach dropped to 229 days in 2013 from 243 in 2012. This improvement is incremental relative to the drop from 416 days in 2011. However, organizations can unknowingly be breached for years. The longest time an attacker operated undetected in a network before being discovered was six years and three months in 2013.
- Organizations are yet to improve their ability to detect breaches
In 2012, 37 percent of organizations detected breaches on their own. This number dropped only minimally, to just 33 percent in 2013.
- Phishing emails largely look to capitalize on trust in IT departments
44 percent of the phishing emails observed in attacks investigated by Mandiant sought to impersonate the IT departments of the target’s workplace. The vast majority of these emails were sent on Tuesday, Wednesday and Thursday.
- Political conflicts increasingly have cyber components that impact private organizations
In the past year, Mandiant responded to an increased number of incidents where political conflicts between nations spawned cyber-attacks that impacted the private sector. Specifically, Mandiant investigated incidents where the Syrian Electronic Army (SEA) compromised external-facing websites and social media accounts of organizations with the primary motive of raising awareness for their political cause.
- Suspected Iran-based threat actors conduct reconnaissance on energy sector and state governments
Multiple investigations of suspected Iran-based network reconnaissance activity indicate that threat actors are actively engaging in surveillance activities at energy sector companies and state government agencies. While these suspected Iran-based actors appear less capable than other nation-state actors, nothing stands in the way of them testing and improving their capabilities.