Hackers Spend 200+ Days Inside Systems Before Discovery


It is getting harder for organizations to spot when they have been breached, even though the median time taken to detect an intrusion has dropped to 205 days, according to the latest annual M-Trends report from FireEye.

Drawing on the past 12 months of investigations by the Mandiant team, the report found that less than a third (31%) of breached organizations discovered the intrusion themselves last year; the remaining 69% were notified by a third party.

Even so, the median number of days attackers were present on a network before discovery fell from 243 in 2012 to 229 in 2013, and again to 205 last year.

Interestingly, when it comes to the phishing emails that so often start a major targeted intrusion, Mandiant found that the vast majority (78%) were IT or security themed: the messages were spoofed to appear to come from the victim company’s own IT department or its anti-virus vendor.

Unsurprisingly given the huge number of targeted attacks aimed especially at US retailers, this sector displayed a spike in data breach incidents last year.

At 14%, retailers accounted for the second largest share of Mandiant engagements in 2014, after business and professional services (17%). That share was ten percentage points higher than in the previous year.

Weak authentication on remote access to virtualized application environments was found to be a major initial attack vector in the retail sector: with nothing more than a valid username and password, attackers gained a foothold from which they could “roam into other parts” of the network.

Mandiant added:

“In every case we investigated that involved this attack vector, we saw the same primary security gap: remote access to the application required only a user name and a password. Two-factor authentication would have helped control this attack vector.”

More worrying still for retailers was threat intelligence suggesting that other channels are increasingly being targeted.

In countries that have already adopted the Europay, Mastercard and Visa (EMV) chip-card standard, Mandiant said that last year it had “responded to more compromises of e-commerce companies and payment processors than we have in the past.”

Chip and PIN is set to land in a major way in the US later this year, with many firms hoping adoption will make them less attractive to cyber-criminals.

However, the report indicates that e-commerce and other card-not-present channels should brace for more concerted attacks as EMV makes counterfeiting physical cards harder and pushes fraud online.

Other popular techniques Mandiant observed included attackers targeting corporate VPNs: logging in with stolen but valid credentials lets them keep access to the network without planting backdoors on hosts, and blend in by looking like authorized remote users.

The report also calls out a small but growing trend of attackers using Windows Management Instrumentation (WMI) to maintain a “covert presence” on compromised hosts, typically by registering a permanent WMI event subscription that runs their payload whenever a chosen system event fires.
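The check an incident responder would run for this technique is to enumerate permanent WMI event subscriptions on the host. The following is an added example written for this page, not code from the M-Trends report or from Mandiant. It assumes Windows PowerShell 5.1 (where Get-WmiObject is available) and local administrator rights; the function name, output fields and the keyword heuristic are this example's own choices.

```powershell
# Added example (not from the M-Trends report). A permanent WMI subscription
# has three parts in the root\subscription namespace:
#   __EventFilter             - the WQL trigger (timer, process start, logon...)
#   __EventConsumer           - the payload (CommandLineEventConsumer runs a
#                               command, ActiveScriptEventConsumer runs VBScript/JScript)
#   __FilterToConsumerBinding - ties one filter to one consumer
# Walking the bindings and resolving both ends gives a complete picture of
# what runs, and on which event. Legitimate software (e.g. SCCM) creates
# subscriptions too, so review every hit rather than deleting blindly.
function Get-WmiPersistence {
    [CmdletBinding()]
    param(
        [string]$ComputerName = '.',                # '.' is the local host
        [string]$Namespace    = 'root\subscription'
    )

    $filters   = @(Get-WmiObject -ComputerName $ComputerName -Namespace $Namespace -Class __EventFilter)
    $consumers = @(Get-WmiObject -ComputerName $ComputerName -Namespace $Namespace -Class __EventConsumer)
    $bindings  = @(Get-WmiObject -ComputerName $ComputerName -Namespace $Namespace -Class __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        # Filter and Consumer are relative object paths such as
        # __EventFilter.Name="foo"; extract the Name key and look the object up.
        $filterName   = [regex]::Match($b.Filter,   'Name="([^"]*)"').Groups[1].Value
        $consumerName = [regex]::Match($b.Consumer, 'Name="([^"]*)"').Groups[1].Value
        $f = $filters   | Where-Object { $_.Name -eq $filterName }   | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $consumerName } | Select-Object -First 1

        # The payload lives in a class-specific property; other consumer
        # classes (log, SMTP, NT event) are reported with no payload text.
        $payload = switch ($c.__CLASS) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $c.ScriptText }
            default                     { $null }
        }

        # Heuristic (this example's own): payloads that invoke shells, script
        # hosts, LOLBins or encoded/downloaded content deserve a closer look.
        $suspicious = $payload -match 'powershell|cmd\.exe|wscript|cscript|mshta|regsvr32|rundll32|-enc|FromBase64String|DownloadString'

        [pscustomobject]@{
            Computer     = $ComputerName
            FilterName   = $filterName
            Query        = $f.Query          # the WQL trigger
            ConsumerName = $consumerName
            ConsumerType = $c.__CLASS
            Payload      = $payload
            Suspicious   = [bool]$suspicious
        }
    }
}

# Usage:
#   Get-WmiPersistence | Format-List
#   Get-WmiPersistence -ComputerName POS-TILL-07 | Where-Object Suspicious
#
# Remediation for a confirmed malicious entry: remove the binding first, then
# the filter and consumer it referenced, e.g.
#   Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding |
#       Where-Object { $_.Filter -match 'Name="<filter name>"' } | Remove-WmiObject
```

Running this across a fleet with a remote `-ComputerName` gives a quick baseline of which subscriptions are expected; anything outside that baseline, and in particular any binding whose filter fires on a timer or at startup and whose consumer launches a script host, is what the report's “covert presence” looks like in practice. For ongoing detection rather than a point-in-time sweep, Sysmon event IDs 19, 20 and 21 record the creation of WMI filters, consumers and bindings respectively, so the same three objects can be alerted on as they are created.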
