There was some good news in Mandiant's M-Trends 2017 report, but it was heavily outweighed by the negative findings, including cybercriminals using more sophisticated methods while their victims' defensive measures evolved only slowly.
Mandiant, a FireEye company, found that in 2016 companies became better at identifying breaches: the median number of days between compromise and discovery fell to 99 days, down from 146 days in 2015. Mandiant noted, however, that this length of time is still more than sufficient for a malicious actor to inflict damage or make off with data. At the same time, some cybercriminals have raised their skill level to that of a state-level actor.
“As we noted in M-Trends 2016, Mandiant's Red Team can obtain access to domain administrator credentials within roughly three days of gaining initial access to an environment, so 99 days is still 96 days too long,” wrote Jurgen Kutscher, Mandiant threat researcher.
Attackers targeting the financial sector showed particularly impressive skills in 2016, not only becoming more sophisticated and aggressive but also being willing to try out new tactics. One such trick was going old school and calling victims on the phone as part of the social engineering stage of the attack.
“Perhaps the most unexpected trend we observed in 2016 is attackers calling targets on the telephone to help them enable macros in a phishing document or obtain the personal email address of an employee to circumvent controls protecting corporate email accounts,” the report stated.
Despite some improvement last year, Mandiant noted that victimized companies, even those actively trying to shore up their cyber defenses, are not moving quickly enough. In most of the incidents the firm investigated, it found a general lack of the basic cybersecurity controls and capabilities that could either have stopped the attack or limited the damage.
“Based on our observations of trends from the past several years, organizations must adopt a posture of continuous cyber security, risk evaluation and defensive adaptation or they risk significant gaps in both fundamental security controls and – more critically – visibility and detection of targeted attacks,” the report recommended.
In 2016 cybercriminals not only became better at their job but also continued to alter the style of their attacks, becoming more subtle. Mandiant said that in 2013 most attacks against financial institutions were about getting in and out as quickly as possible, with little regard for whether or not they were discovered. This was due in part to the rather crude tools and low skill level of those conducting the raid.
This began to change in 2014 with a more mature style of attack taking place.
By 2016 attackers had stepped up to custom backdoors and further increased the resilience of their command-and-control infrastructure, both to maintain a persistent presence and to counter forensic techniques.