US GAO Report Highlights Incident Response Shortcomings

On May 30th, 2014, the US Government Accountability Office (GAO) released a report titled “Information Security: Agencies Need to Improve Cyber Incident Response Practices.” GAO conducted its research by randomly selecting six government agencies, then selecting a statistically significant number of incident reports (40 from each organization), documented during 2012. GAO then evaluated how the agencies performed, based on the reports. GAO compared the documented incident response actions to requirements set by the Federal Information Security Management Act of 2002 (FISMA) and National Institute of Standards and Technology (NIST) Special Publication 800-61, Computer Security Incident Handling Guide. The results were surprising and I will explain the significance of several excerpts in this post.

First, “agencies had recorded actions to halt the spread of, or otherwise limit, the damage caused by an incident in about 75 percent of incidents government-wide. However, agencies did not demonstrate such actions for about 25 percent of incidents government-wide.”

This comment references the need to contain an intrusion. If a government agency fails to completely contain an intrusion, any gaps leave the adversary freedom of maneuver. He can exploit the containment failure to proliferate to other systems and remain in control of an organization’s systems. Anything less than 100% containment is essentially 0% containment.

Second, “for about 77 percent of incidents government-wide, the agencies had identified and eliminated the remaining elements of the incident. However, agencies did not demonstrate that they had effectively eradicated incidents in about 23 percent of incidents.”

This comment references the need to remove an intruder from a compromised organization. Similar to the need for 100% containment, one must also achieve 100% removal in order to completely frustrate the adversary. If an adversary retains access to even one system, he can rebuild his position and retake control of the victim.

Third, “agencies returned their systems to an operationally ready state for about 81 percent of incidents government-wide. However, they had not consistently documented remedial actions on whether they had taken steps to prevent an incident from reoccurring. Specifically, agencies did not demonstrate that they had acted to prevent an incident from reoccurring in about 49 percent of incidents government-wide.”

This comment describes the need to learn from intrusions and implement remediation. If a victim fails to make the environment tougher for the adversary, the intruder will likely return using the same techniques that he utilized to first gain access.

Finally, a search of the entire GAO report for the word “strategy” produced zero hits. Beyond being disappointed by the three excerpts I highlighted above, I am dismayed to not hear GAO discuss the need for a security strategy for organizations. Incident response is not a technical action. IR should be part of a business process, done as part of an operation that implements a strategy understood and approved by the highest levels of management. Furthermore, the GAO report did not really evaluate the consequences of the three documented failures and the lack of concrete security strategies. Had GAO taken that step, they might have concluded that the agencies continue to face severe security challenges.

Economics of Security Part II: Qualifying the Economic Return From Cybersecurity Solutions

In part one of this series, my colleague Bryce Boland, CTO APAC, touched on aligning a security program with the value areas of a business. To be successful in this endeavor, you must calculate the return on investment (ROI) that a robust security program will offer. In part two, I will offer recommendations for achieving this.

The economics of security is an interesting challenge. I polled some contacts and discovered that, as much as we focus on reducing the capex on software and hardware, the majority of costs are actually opex. Therefore if we want to drive efficiencies in security, we should look at the usability (i.e. the time and costs required to achieve the desired outcome) of the tools as much as what they actually do.

Cybersecurity is a multi-dimensional problem, so whilst we consider efficiencies we must look at them in the context of outcomes and value. Our value question in cybersecurity has two factors: (1) are we able to leverage the most efficient path to obtain the solution, and (2) are we able to prioritize the events and incidents that have the greatest business impact?

Simple event/incident response process

The rudimentary processes behind cyber have been around for years and are well documented in various standards. There’s a catalyst event that drives us to understand the problem, so we can qualify and prioritize if and when we need to respond – i.e. solve the problem.

Are we increasing or decreasing efficiencies?

In recent years many have suggested the logic that “big data” can help us make smart decisions. Yet there is danger that this can create a spiral effect that has the potential to cripple us. By adding more content, we increase the cycles required to understand, qualify and respond. There is also a key question around the quality of that data. Take for example all the events we aggregate into a SIEM tool today, how many of those are truly worth taking action on?

How do we measure success and value?

If we are to evaluate the economic value cyber security solutions bring, we need to look less at what they do and more at how they do it. We need to understand the quality of the information they provide, both in terms of business impact and conversion to action, as well as the operational cycles required to achieve this; those cycles are the cost and time multipliers.

As the complexity of our technology environment continues to grow, the operational aspect as a multiplier can only increase. Today I hear more companies asking for partnerships to solve problems rather than products; they see the time and skills challenge in solving the problem as prohibitive. If we are to succeed today, we need outcome-focused solutions: solutions that are efficient in providing actionable responses that are business oriented in their focus, and/or services that reduce the operational costs associated with time to action. So how do we evaluate this in our buying criteria?

There have been many ROI tools that try to qualify the potential value that come from security investments. However if we are to align to business goals, we must drill into the process behind event correlation/validation – the heart of security – for business impact assessment and response actions.

Qualifying economic value from event/incident management

The framework below aims to give you a reference point to start to map out the economics of your security program.

Given that solving this problem is entirely dependent on each individual organization, we must be able to qualify what makes our businesses profitable and how technology enables this. The model does not include metrics for each part of the incident lifecycle, but it does highlight some of the common key success metrics.

To make economic judgments, you need to assess the following:

  1. What is the ratio between events received and actions taken?
  2. What is the efficacy level of the events and incidents you identify (i.e. the ratio of real cyber attack events to false positives)?
  3. How many cycles do you iterate through to get from an event (or events) to an action, and is that timely and cost efficient? (Can you rank the processes and tools you leverage today in terms of the man-hours and skills required to get to action?)
  4. Do you align, prioritize and qualify events against business goals and impact, and how many cycles does this take?
  5. Make the assessment using the framework and success criteria below to evaluate the key time and cost multipliers in your event/incident security process. This lets you validate the economic value of the processes and tools you leverage today and see which are effective and which are not.

Measures of effectiveness of event/incident management

In conducting the evaluation process above (also outlined visually in the figure), there is a defined process for tying operational expenditure to investment in securing the processes that generate business value. By analyzing the actions taken to conduct security operations, and ideally the efficiencies achieved in doing so, security leaders will be able to provide a full picture of their impact on the business. Ultimately, this changes the security conversation from security alone to business practices overall.

Economics of Security Part I: Translating Information Security Risks to Business Risk

In this two-part series, my colleague Greg Day, VP & CTO EMEA, and I will focus on making the business case for security solutions that will protect your organization.

One of the many challenges IT Security professionals face is translating the security risks of technologies into the business risks they pose to the company. This translation is critical to building buy-in from your business to fund security initiatives and ensure your projects are funded properly relative to the myriad other things your business is pursuing with its money.

But where should you start? I’ve found that the best place to start is by looking at the processes in the business that generate value. These are the parts of the business that a results-oriented manager will want to protect from threat. By describing security risks in terms of how critical business processes – and their subsequent value generation – could be disrupted, your concern will resonate better with management. Consider the total business value that process generates today – is it 15 percent of the business or 85 percent? Give it a dollar figure. Given your assessment of the likely threat actors and security risks, how much of that value could be destroyed? This is a simple measure of the possible direct or immediate loss that could be experienced – something management are often measured and rewarded on.

Next you can look at knock-on impacts – this too helps speak to the management incentives. If the security risk manifests and creates a specific and significant business impact, would the market, regulators or customers notice? Would the stock price of the company drop as a result? Most business leaders will have a significant and direct interest in market valuation as their remuneration is often closely linked to the company’s stock market performance. Similarly, ask what the business impact is if a security failure leads to a loss of customers, of transaction volume, or to increased regulatory scrutiny. Could you face a class action suit?

Sometimes the link between the business value generated and the technology underpinning it is a little hazy, but any modern business process that creates value will leverage and create data. It might be your customer data, the “secret sauce” of your products, a manufacturing capability that ensures your product has the best quality, the output from your R&D team, or perhaps it’s the plans for your next new business. Whatever this data is, and how you depend on it in your business, ensuring it is protected from threats is the difference between success and failure for many companies. Often this data is what the attacker is after. From a business perspective, the reliance on this data to operate the business effectively is how you connect the security risk to the business risk.

What are the most important assets and data in your business that create real value? This is very specific to every business. Think like an attacker: if you were to attack your business, what information would you steal, and why? What could you monetize, use to gain economic advantage, or gain market share? You can assess the value of that asset to your company in terms of potential losses from the dependent business processes, and the value of that asset to an attacker. Then determine how much you should invest to protect against the risks from cybersecurity threats. By going through the process of understanding how data and IT assets are part of the value creation in your business, you actually create the story to help understand the business risk, because you construct the discussion starting from the business process first.

Sometimes the most valuable thing you have is access to your customers. If your customers are large companies, this might make you a springboard to attack a smaller company – and likewise for a larger company your greatest security risks could be exposure to the less security aware vendors in your operations and supply chain. Make sure to consider these scenarios when talking to your business. As larger organizations consider the risks in their supply chain, they will increasingly consider security requirements in MSAs and demand not just compliance but demonstrable security capabilities in their business partners. It is a logical extension of risk management thinking to consider the broader supply chain risks as part of overall business risk management, and this will drive many smaller businesses to invest in improved security capabilities.

More than half the organizations we surveyed do not regularly assess their information security investments in terms of their value relative to the business process they protect. My recommendation is to re-evaluate your investment plan annually, and ensure that your continued security investments are relevant to the threats your business faces. You might also consider using a risk framework like ISO27005 as a tool to help you manage this in a consistent way, to prioritize risks and corresponding investments.

To summarize: understand how and where your business makes its money, illustrate the dependency on technology and data, then explain security risks in terms of the business impact.

In the second part of this series, Greg will discuss how to measure the economic value of your cybersecurity solutions.

Live from Infosecurity Europe 2014: Cybersecurity Experts Come Together

Infosecurity Europe 2014 was the place to be for any major player in the world of cybersecurity, and live from the show floor, the FireEye Blog team had a front seat to some exciting conversations. Paul Dwyer, director at FireEye, had the opportunity to sit down with a number of influencers and ask questions that were on all of our minds.

In this first podcast in the series, Amar Singh, senior analyst at KuppingerCole, and founder of ARK Advisors discusses the threat of malware, and also touches on the subject of industrial espionage. Click here to listen to the full podcast. Bruce Hallas, founder and curator of The Analogies Project, a not-for-profit venture designed to help the information security community communicate and engage more effectively with stakeholders, joined Paul in our next podcast. Hallas discussed the significance of generational cybersecurity, and outlined the key behaviors and security working practices of generations Y and Z. Click here to listen to the full discussion.

First Base Technologies CEO Pete Wood also sat down with us for a chat, and shared his thoughts on how an information security function evolves to become business-led. Mr. Wood was also asked about the current business security model, and whether cybersecurity should be considered a Board Level issue. Click here to listen.

Finally, FireEye Director of Technology Strategy EMEA, Jason Steer, had the chance to speak with Brian Honan from BH Consulting about the recent Internet Explorer (IE) browser vulnerability, as well as the importance of separating networks into different segments. Listen to the full podcast here.

Did you attend Infosecurity Europe 2014? Chime in and let us know what you thought of the event and the topics discussed. Leave us a comment below.

Reporting on Key Issues in Cybersecurity: Panel Discussion with Renowned EMEA Reporters

Last week, FireEye held a panel podcast featuring renowned reporters covering Europe in advance of the highly anticipated Infosecurity Europe conference.

The panel included reporters from some of the most credible publications covering information security, including Eleanor Dallaway from Infosecurity Magazine, John Leyden from The Register, Tom Brewster, a freelance journalist for TechWeek Europe and the Guardian, and Dan Raywood, editor of IT Security Guru.

In the podcast the panelists discuss key issues in cybersecurity today, including the recent Heartbleed controversy. They also touch on why Infosecurity Europe is crucial for the information security community, and hint at what we can expect from the big event.

To listen to the full podcast, click here.

Live from InfoSecurity Europe 2014: The Nitty Gritty of Sandbox Evasion

Infosecurity Europe 2014 was a great gathering of the top minds in cybersecurity, and in case you missed the event, we were excited to capture live content from the show floor to share with our readers. Over the next few days, the FireEye Blog will be sharing a number of insightful podcasts with various experts in the field on the hottest issues in information security.

Paul Dwyer, director at FireEye, had an opportunity to sit down with FireEye Senior Director of Market Research, Rob Rachwald to discuss the ins and outs of sandbox evasion including the four categories of evasion.

Rachwald says it is critical to understand sandbox evasion methods: “We need to understand what these evasion methods are in great detail. And if you do know it in great detail, you can do two things. One, you can build a better defense, and two, you can look for technologies that are really, really strong to help improve your defenses.”

To learn more about sandboxing, click here for the white paper Hot Knives Through Butter. To listen to the full podcast live from Infosecurity Europe 2014, click here, and make sure to check back soon for our next featured interview.

The FireEye Advanced Threat Report 2013: UK & Ireland Edition

Accompanying our Regional Advanced Threat Report (ATR) for Europe, we are also drilling even deeper with a Regional ATR focused on the United Kingdom and Ireland (UKI). During our assessment of these two countries, we have identified all types of threat actors compromising our customers’ networks: nation state, cyber criminals, activists, and amateurs alike.

This report summarizes 2013 data gleaned from the FireEye Dynamic Threat Intelligence (DTI) cloud of worldwide malware protection platforms. Over the past year, FireEye:

  • Recorded over 70 new workstations infected every day
  • Identified more than 42 APT families
  • Observed threats impacting all verticals, particularly Financial Services, Telecom, and Energy

As we saw with the European report, the rate of increase in workstation infections across Ireland and the UK skyrocketed in the last four months of 2013. This may indicate that threat actors increased the volume of activity against organizations in the United Kingdom and Ireland in the post-vacation lull because they anticipated employees would be less attentive around security matters and thus have a higher rate of success. Alarmingly, the number of unique infections more than tripled from January to December 2013.

Figure 1 – Unique Infections Trending over 2013

Next, let’s consider which industry verticals in UKI were most infected by attackers. Unsurprisingly, the Financial Services vertical is far and away the most targeted in UKI as “The City” is the largest financial platform for Europe and the world. Of course, threat actors have also been busy targeting the other high-value industries of UKI, particularly the Telecommunications and Energy/Utilities/Petroleum Refining verticals. As with the rest of Europe though, no industry vertical was spared in the UK or Ireland and this trend will likely continue as new attack vectors enter these industries.

Figure 2 – Unique Infections by Industry Vertical (Listed from Most-Infected to Least on Right)

Rising Attack Landscape Means Rising APT Families

The consistency between the UK’s and Ireland’s threat landscapes has also extended into the way the APT attacks are carried out. Most important to highlight is that Federal Government continues to be the number one target in UKI – as with Europe – only with that industry vertical accounting for a startling 49 percent of APT attacks versus 25 percent for all of Europe.

Figure 3 – APT Distribution per Vertical (Listed from Most-Targeted to Least on Right)

Financial Services remains a top-three target of APT attacks in UKI as well, but the Energy/Utilities/Petroleum Refining industry climbs from seventh place in Europe to second place in UKI. Given the major corporations in those spaces operating out of UKI, it is unsurprising that these organizations are a prime target for APT actors.

How those APT attacks were carried out is shown in the chart below identifying the 21 APT malware families that we identified in attacks throughout 2013.

Figure 4 – APT Malware Families for UKI

We previously noted in our European report that, when looking at the sheer number of APT attacks, the United Kingdom received the second most of any European country in 2013. Despite trailing Germany as the most-targeted European nation, the UK was tied for fourth globally with France and Thailand when it came to most verticals targeted by APT attacks. Specifically, all three nations saw 12 distinct verticals hit, with the next closest European nation being Germany with nine verticals.

Figure 5 – APT Attacks by Country

While the UK and Ireland face unique challenges based on the maturity of the Financial Services, Telecommunications and Energy-based industries that are based there, we have found that the overall market is very much in-line with the rest of Europe. Thus, as with our outlook for the whole of Europe, we see an opportunity for UKI cyber defenders to get ahead of the rapidly expanding advanced threat actors.

To find out more about the report or how to address these rising issues, come visit the FireEye team at InfoSec UK at Stand J60.

The Road to Resilience: How Cybersecurity is Moving from the Back Office to the Boardroom

For too long, our industry has framed cybersecurity as a technical issue.

We have measured success on the volume of malware we detect and block, not how we respond to the threats that matter. We have taken a one-size-fits-all approach to security incidents, regardless of who’s attacking, how they work, and what they’re after. We have rarely engaged other business units when responding to incidents — and when we do, we fixate on the technical details rather than weighing their business impact.

Yes, cybersecurity has a technical component. But more than anything, it is a business issue.

Fortunately, the old mindset is changing. Under the banner of “cyber resilience,” security leaders are beginning to acknowledge that cybersecurity must evolve. Striving to ward off attacks is no longer enough — organizations must also respond to incidents with a focus on managing their business impact.

To gauge how far along organizations in Europe, the Middle East, and Africa (EMEA) are in this evolution, FireEye recently asked 25 security leaders across the region about their experience and perceptions. Their answers reveal a sizable divide in both awareness and maturity when it comes to cyber resilience.

Breaches Increasingly Routine
Not surprisingly, EMEA security leaders say that cyber breaches are increasingly routine. In our survey, 44 percent of organizations said they had been breached at least once per year. And that total probably understates the problem — a full 28 percent were not sure whether they had been breached.

All threats viewed equally — regardless of risk or impact
A solid majority of respondents (68 percent) said they “always” care about breaches. Only 16 percent said their level of concern depends on the severity of the incident. This lopsided statistic suggests that IT professionals are not yet looking at breaches from the perspective of risk or impact.

Priorities misaligned in incident response
We see the same lack of business alignment in organizations’ responses to breaches. When a breach occurs, 84 percent of those in our EMEA survey notify relevant business leaders, and 76 percent notify company executives. We often hear that companies are looking for security leaders to engage at a business level. But if business leaders and executives are still being notified about most breaches, we’re still treating security as a technical problem.

Our survey found a split in where security teams focus their response. About 60 percent base their response plan around all IT systems, and 40 percent focus on critical systems and resources. This response, too, suggests that organizations see many breaches as a technical problem rather than a business problem.

Along the same lines, communications, public relations, and business teams are typically far less engaged in incident responses than IT security and technical teams, executives, and HR departments. If cyber resilience is about enabling business resilience, then business teams should play an equally critical role in incident response.

When engaging with executives, we in the security community do not seem to be taking a risk-based approach. And clearly, we are not speaking executives’ language: the impact of a breach on the company’s financial results.

Who is included in incident response plans?

Moving toward a risk-based security framework
Most security leaders leverage at least one security framework or standard — and in most cases, they leverage two or more. These frameworks include best practices defining what to protect, how to protect it, and how to monitor deployed controls. These features make the frameworks valuable tools to help define strategies and gauge their effectiveness. But adoption of ISO27005 — which focuses on business-risk assessment — is far behind that of ISO27001.

Adopted security frameworks

Leveraging automation
Just about every security leader would like more resources. But most of us must make the most of what we have.

What is clear from our survey is that incident response is consuming the biggest share of time and resources.

Security tasks that consume the most time and resources (weighted average)

The volume of attacks is rising. And IT systems are playing an increasingly critical role in business. So having well-defined and tested response capabilities that leverage automation would seem a key component to cyber resilience.

Bolstering cyber resilience
Cyber security is, and will remain, an evolution. Everyone is on their own journey along the maturity curve. Security leaders must evaluate their place along that curve based on their perceptions of risks and the controls they need to put in place.

Cyber resilience recognizes that prevention is only part of the solution. Organizations must realize the following:

  • Businesses will increasingly measure security leaders not just on what they stop or let through, but on how they respond to what does get through.
  • A breach can happen in seconds, yet the exfiltration takes hours or days and can last for months.[1]
  • When it comes to measuring business impact, not all breaches are equal.

At the same time, organizations must retool their strategies to better discover and respond to security incidents. This shift requires:

  • Having a documented, regularly reviewed, and well-tested cyber response strategy that includes both the business and technical response plans.
  • Reducing the time and costs involved in response.
  • Being able to qualify the business risk of the incident. By better aligning cyber strategies to business drivers and business risk, security leaders can have a bigger business impact and increase their relevance to executives.

The Economics of Security

During many of my customer meetings, I often hear security leaders ask the question: “What technology could I remove to free up budget to enable the implementation of FireEye?”

My natural response is to inquire how and when they assess the real value, not the ROI, they get from their existing solutions. Whilst every security solution provides an “ROI” – often a metric based around industry data on how many security “events” they return – this assessment should not focus on noisy “ROI,” but which solution gives your company the most valuable information. Considering the nature and pace of change when it comes to malware and advanced attacks, this is something to validate regularly and involves looking at more factors than a generic ROI tool can factor in.

In a small survey of about 30 European CxOs we ran in December 2013, I asked the question of how they validated the value of security controls, and, surprisingly, at least 36 percent still didn’t conduct any annual assessment.

Having spent quite a bit of time looking at analyst models and what exists publicly today, the fact that some still don’t conduct these assessments emphasizes that there still isn’t a well-defined model to correlate business value against investment for security solutions.

Take, for example, the outsourced model where Key Performance Indicators (KPIs) are typically established. Too often I hear anecdotal examples where KPIs were based on incidents found; this simply encourages dialing-up the technologies being monitored so that every incident – malicious or not – is tracked and reported, drowning out the ability to identify real threats.

Consider, for example, companies investing in big data solutions that gather millions to billions of events each week and equate that volume with value. However, because they are too resource-constrained to convert these events into actionable data, the true value is not extracted and, because doing so in a resource-constrained environment takes so long, the return would seem extremely poor to a sheer numbers-based evaluation.

However, if the value of said product is measured by the actions taken to mitigate a major security event, that extra time spent executing on a few major items, rather than not executing on a large number of items, becomes invaluable to the business. As such, we must blend together quantitative metrics such as the costs of a solution (capex & opex) and incident levels, and overlay those values with qualitative insight. The evaluation criteria would look something like the below:


  • Noise to incident ratio - What is an acceptable ratio of incidents to noise (i.e., false positives or irrelevant alerts)?
  • Volume versus impact - We can alert on and respond to a million incidents, but it is the one outage of a critical system, or breach of business IP or customer records, that will have a far more significant impact on the business.
  • How actionable is the solution - Timeliness is critical to an alert: how long does it take to identify an incident, and what level of human skill is required to interpret the results? Spotting a breach is hard, doing the forensics is harder, and understanding the motives of the attacker is harder still.
  • Business outcome - Did a technology mitigate, reduce or simply delay the business impact? Did it tick a compliance control to avoid penalty fees, or did it protect IP and customer data?
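
The criteria above, together with the five assessment questions from Part II of this series (events-to-action ratio, true-positive versus false-positive ratio, cycles and man-hours to action, alignment with business impact), can be turned into numbers from an ordinary ticketing export. The Python script below is an added example written for this post; it is not FireEye tooling or any product's API. It assumes a constructed alert schema (tool name, triage outcome, whether an action was taken, hours to action, analyst hours spent, and a 0 to 3 business-impact score) and computes, per tool, the noise-to-incident ratio, the actioned ratio, the median time to action, and the business impact averted per analyst hour, which is the opex multiplier the post argues generic ROI tools miss.

```python
from dataclasses import dataclass
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Alert:
    """One alert as recorded in a SOC ticketing system (constructed schema)."""
    tool: str                         # product that raised the alert
    true_positive: bool               # confirmed real attack activity after triage
    actioned: bool                    # a containment/eradication action was taken
    hours_to_action: Optional[float]  # elapsed hours from alert to action (None if none)
    analyst_hours: float              # human effort spent on triage and response
    business_impact: int              # 0 (none) .. 3 (critical system / IP / customer data)


# Constructed sample: a noisy SIEM feed beside a quieter endpoint tool.
SAMPLE_ALERTS = [
    Alert("SIEM", True, True, 48.0, 6.0, 2),
    Alert("SIEM", True, True, 72.0, 10.0, 3),
    Alert("SIEM", False, True, 4.0, 2.0, 0),          # false positive that was still acted on
] + [Alert("SIEM", False, False, None, 0.5, 0) for _ in range(7)] + [
    Alert("EDR", True, True, 2.0, 3.0, 3),
    Alert("EDR", True, True, 6.0, 2.0, 1),
    Alert("EDR", True, False, None, 0.5, 2),          # real incident that was never actioned
    Alert("EDR", False, False, None, 0.5, 0),
]


def tool_metrics(alerts):
    """Compute the evaluation criteria per tool: noise-to-incident ratio,
    events-to-action ratio, time to action, analyst cost and business impact."""
    by_tool = {}
    for a in alerts:
        by_tool.setdefault(a.tool, []).append(a)

    result = {}
    for tool, items in by_tool.items():
        tps = [a for a in items if a.true_positive]
        fps = [a for a in items if not a.true_positive]
        actioned = [a for a in items if a.actioned]
        hours = [a.hours_to_action for a in actioned if a.hours_to_action is not None]
        analyst_hours = sum(a.analyst_hours for a in items)
        mitigated = sum(a.business_impact for a in tps if a.actioned)
        missed = sum(a.business_impact for a in tps if not a.actioned)
        result[tool] = {
            "events": len(items),
            "true_positives": len(tps),
            # false positives per real incident; None when nothing real was found
            "noise_to_incident": (len(fps) / len(tps)) if tps else None,
            "actioned_ratio": len(actioned) / len(items),
            "median_hours_to_action": median(hours) if hours else None,
            "analyst_hours": analyst_hours,
            "impact_mitigated": mitigated,
            # impact of confirmed incidents nobody acted on: the eradication gap
            "impact_missed": missed,
            # business impact averted per analyst hour: the opex multiplier
            "impact_per_analyst_hour": (mitigated / analyst_hours) if analyst_hours else None,
        }
    return result


def rank_tools(metrics):
    """Order tools by impact averted per analyst hour, most valuable first."""
    return sorted(metrics,
                  key=lambda t: metrics[t]["impact_per_analyst_hour"] or 0.0,
                  reverse=True)


if __name__ == "__main__":
    m = tool_metrics(SAMPLE_ALERTS)
    for tool in rank_tools(m):
        print(tool, m[tool])
```

Run it directly to print the per-tool figures. On the constructed data the SIEM raises more than twice as many alerts yet ranks below the endpoint tool once analyst hours and business impact are weighed, which is the "volume versus impact" point in practice; the `impact_missed` field separately surfaces confirmed incidents that were never actioned, so a tool is not rewarded for detections the team could not follow through on.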

In the coming months we are going to delve into the economics of security in greater detail. Whilst there are many tools out there discussing security process, and ROI tools showing generic return, we all have limited budget and resources. As the scale and scope of security tools continue to grow, we must innovate our thinking in how we each quantify the value of our investments.

Annual M-Trends Report Looks Beyond the Breach

Since 2010, Mandiant’s annual threat report, “M-Trends,” has provided the industry with in-depth analysis and insight based on hundreds of advanced threat investigations conducted during the previous calendar year for the U.S. government, the defense industrial base and commercial organizations. As a leader in combating advanced threats, FireEye stresses the continuous education that needs to take place in order to be one step ahead of attackers. That is why it is with great excitement that I present the fifth installment of M-Trends.

2013 was an explosive year for the cybersecurity industry; a result of Mandiant’s APT1 report, The New York Times breach, and other organizations coming to the forefront to openly discuss their own incidents. In addition, President Obama discussed concerns about cyber-attacks in his annual State of the Union address. This was a huge step for the industry in terms of bringing advanced attacks to the forefront of the nation, and the world’s, attention.

This year’s report compiles incident response trends from hundreds of clients in more than 30 industry sectors. Some highlights include:

  • The time it takes to detect a compromise continues to improve
    The median number of days it takes an organization to discover a network breach dropped to 229 days in 2013 from 243 in 2012. This improvement is incremental relative to the drop from 416 days in 2011. However, organizations can unknowingly be breached for years. The longest time an attacker operated undetected in a network before being discovered was six years and three months in 2013.
  • Organizations are yet to improve their ability to detect breaches
    In 2012, 37 percent of organizations detected breaches on their own. This number dropped only minimally, to just 33 percent in 2013.
  • Phishing emails largely look to capitalize on trust in IT departments
    44 percent of the phishing emails observed in attacks investigated by Mandiant sought to impersonate the IT departments of the target’s workplace. The vast majority of these emails were sent on Tuesday, Wednesday and Thursday.
  • Political conflicts increasingly have cyber components that impact private organizations
    In the past year, Mandiant responded to an increased number of incidents where political conflicts between nations spawned cyber-attacks that impacted the private sector. Specifically, Mandiant investigated incidents where the Syrian Electronic Army (SEA) compromised external-facing websites and social media accounts of organizations with the primary motive of raising awareness for their political cause.
  • Suspected Iran-based threat actors conduct reconnaissance on energy sector and state governments
    Multiple investigations of suspected Iran-based network reconnaissance activity indicate that threat actors are actively engaging in surveillance activities at energy sector companies and state government agencies. While these suspected Iran-based actors appear less capable than other nation-state actors, nothing stands in the way of them testing and improving their capabilities.

Click here to request a copy of the report.

Let us know your thoughts by leaving a comment below.