APT Sophistication Outstripping Cyber-preparedness

Even though organizations are increasingly being targeted by hackers whose attacks are growing steadily more sophisticated, businesses are just as unprepared to detect and protect against malicious activity as they were a year ago.

FireEye’s Mandiant M-Trends report found that the tools and tactics of advanced persistent threat (APT) actors have evolved significantly over the last year. For instance, impersonating the IT department has become an even more popular tactic among threat actors. IT-posing phishing emails comprised 78% of observed phishing schemes in 2014, versus just 44% in 2013.

Also, attackers are becoming smarter about hiding in the most complex parts of the operating system, just as they are getting smarter about accessing the most complex parts of hardware. More attackers are now utilizing several complex tactics, including using Windows Management Instrumentation (WMI) to avoid detection and carry out broad commands on a system.

“WMI-based persistence poses several challenges to forensic analysts,” Mandiant said in the report. “Attackers can create filters and consumers executed both locally and remotely using PowerShell commands. Unlike many persistence mechanisms, they leave no artifacts in the registry.”
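Because these subscriptions leave nothing in the registry, a defender has to look in the WMI repository itself. The following triage script is an added example, not taken from the article or the M-Trends report: it lists each filter-to-consumer binding together with the filter's trigger query and the consumer's payload. It assumes the default `root/subscription` namespace, and the variable and column names are illustrative.

```powershell
# Added example: enumerate permanent WMI event subscriptions for triage.
# Run from an elevated PowerShell session on the host under review.
param(
    # Assumption: subscriptions live in the default namespace for permanent consumers.
    [string]$Namespace = 'root/subscription'
)

$filters   = @(Get-CimInstance -Namespace $Namespace -ClassName __EventFilter)
$consumers = @(Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer)
$bindings  = @(Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding)

# Standard consumer classes that run a command or script when the filter fires.
$executing = 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'

$report = foreach ($b in $bindings) {
    # A binding references its filter and consumer by their key property, Name.
    $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }   | Select-Object -First 1
    $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name } | Select-Object -First 1
    $type = if ($c) { $c.CimSystemProperties.ClassName } else { 'missing' }

    # Collect whichever payload properties this consumer class defines.
    $payload = @($c.CommandLineTemplate, $c.ExecutablePath,
                 $c.ScriptFileName, $c.ScriptText) | Where-Object { $_ }

    [pscustomobject]@{
        Filter       = $b.Filter.Name
        TriggerQuery = $f.Query            # WQL event query that fires the consumer
        Consumer     = $b.Consumer.Name
        ConsumerType = $type
        RunsCode     = $executing -contains $type
        Payload      = $payload -join ' | '
    }
}

# Filters and consumers with no binding are inactive but still worth reviewing.
$boundFilters   = $bindings | ForEach-Object { $_.Filter.Name }
$boundConsumers = $bindings | ForEach-Object { $_.Consumer.Name }
$unboundFilters   = $filters   | Where-Object { $boundFilters   -notcontains $_.Name }
$unboundConsumers = $consumers | Where-Object { $boundConsumers -notcontains $_.Name }

$report | Sort-Object RunsCode -Descending | Format-List
"Unbound filters:   $(($unboundFilters.Name) -join ', ')"
"Unbound consumers: $(($unboundConsumers.Name) -join ', ')"
```

Some legitimate software registers its own subscriptions, so compare the output against a known-good baseline for the host's build before treating an entry as malicious.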

The findings dovetail with industry-wide consensus that malicious actors are becoming more savvy.

“Hacking has transformed from a criminal activity to a weapon against countries, as we saw with North Korea’s network shutdown this past December,” said Marc Gaffan, CEO & co-founder of Incapsula, in an emailed comment. “More advanced hacking tactics are being employed to make it harder to detect the source. Just this year, we saw an exponential increase in malicious bot activity, the more advanced, malevolent intruders engineered to circumvent common security measures.”

Mandiant also found blurred lines when it came to Russian threat actors, which made distinguishing criminal gangs from nation-state actors a challenge. If tools and tradecraft become harder to tell apart, analyzing actors’ intent becomes essential to scoping their potential impact, it noted.

"As the events of 2014 demonstrated, there is no such thing as perfect security," said Kevin Mandia, SVP and COO at FireEye, in a statement. "Based on the incidents that Mandiant investigated in 2014, threat actors have continued to evolve, up their game, and utilize new tools and tactics to compromise organizations, steal data and cover their tracks."

As Infosecurity reported, one of the more concerning findings in Mandiant’s report was that it took an average of 205 days for organizations to discover a breach in their network – giving hackers tremendous opportunity to plant malware, steal information and wreak general havoc. Additionally, Mandiant found that it is becoming more and more difficult for organizations to detect breaches on their own. In 2014, only 31% of organizations discovered they were breached via their own resources—down from 33% in 2013 and 37% in 2012.

“As these threats become more advanced and harder to detect and trace, companies need to make a serious investment in their network infrastructure and develop response plans so that they can detect and deter any hacks on day one, not 205,” Gaffan added.
