In most cases, law enforcement alerted organizations that an intrusion had taken place.
In most cases, law enforcement alerted organizations that an intrusion had taken place.

An annual report by FireEye's incident response unit Mandiant has revealed that organizations suffering a breach often lack the resources to detect the intrusion themselves.

According to the company's M-Trends 2015 threat report published Tuesday (PDF), 69 percent of breached organizations it serviced last year were notified of incidents by an “outside entity.” And, in many cases, the notifying parties weren't security firms like itself, but law enforcement.

“Mandiant consultants' role as the first responders to critical security incidents gives us a unique vantage point into how attackers' motives and tactics are changing,” the report said. “The insights and analysis presented here represent our combined experience over the course of hundreds of service engagements.”

Over the past several months, FireEye's Mandiant division has been called in to probe a number of high-profile breaches striking corporations, including those impacting Sony Pictures Entertainment, Anthem and JPMorgan Chase.

Matt Hastings, senior consultant at Mandiant, told SCMagazine.com in an interview that the length of time attackers remained in breached environments, before being detected, was troubling as well.

Last year, it took organizations a median of 205 days to detect attackers in their IT environments. In 2013, organizations were even slower to detect saboteurs, taking a medium of 229 days, the report revealed. While detection times improved, attackers were still in victim's environments for “far too long” in 2014, the report said – the equivalent of nearly seven months.

“In 205 days, an adversary can certainly do a lot of damage or steal a lot of information,” Hastings said.

He later added that, while organizations may not be able to prevent every cyber attack, particularly those originating from a targeted or nation state actor, firms should “make it harder for the attacker to move around in their network,” so security respondents can get that number down to a “reasonable timeframe.”

The M-Trends report noted that most incidents followed a similar pattern, or attack lifecycle.

Mandiant said that in 2014 it observed more intrusions where hackers hijacked virtual private networks (VPNs) to maintain access to targeted environments. In addition, a “small number of threat groups” used Windows Management Instrumentation (WMI), a Windows component providing a broad set of system management capabilities and interfaces, to “maintain a covert presence” on networks, the report said.

Attackers typically used PowerShell commands to create WMI event objects, the report explained, noting later that WMI and PowerShell were also used for lateral movement by advanced persistent threat (APT) groups.

“More often than before, these groups are using WMI and PowerShell to move laterally, harvest credentials, and search for useful information within Windows environments,” the report said. “In the same way, many security researchers and penetration-testing tools have adopted PowerShell over the past several years. The result has been more publicly available information and source code from with both attackers and defenders can learn.”

Mandiant consultant Hastings said in his interview that organizations should also take note of tried-and-true infiltration methods, such as phishing attacks.

The report said that 78 percent of observed phishing emails were IT or security related, “often attempting to impersonate the targeted company's IT department or an anti-virus vendor.”

“That's up by roughly 30 percent from last year,” Hastings noted of IT-themed phishing ruses. “They are taking notice of what's working, and what types of emails are making them more successful.”