Advanced Attackers go Undetected for a Median of 229 Days; Only One-third of Organizations Identify Breaches on Their Own.
Milpitas, CA -- April 10, 2014 -- FireEye, Inc. (NASDAQ: FEYE), the leader in stopping today’s advanced cyber attacks, today announced the release of the fifth annual Mandiant® M-Trends® report. Compiled from advanced threat investigations conducted by Mandiant in 2013, “Beyond the Breach” details the tactics used by threat actors to compromise organizations and steal data. The report also highlights emerging global threat actors, their suspected motives, as well as the types of targets and information they are after.
“It is hard to overstate how quickly cybersecurity has gone from a niche IT issue to a consumer issue and boardroom priority,” said Kevin Mandia, SVP and COO, FireEye. “Over the past year, Mandiant has seen companies make modest improvements in their ability to attack the security gap. On the positive side, organizations are discovering compromises more quickly, but they still have difficulty detecting said breaches on their own. It is our focus to bridge that gap and continue the positive trends our customers are seeing.”
Based on the incidents investigated by Mandiant in 2013, some of the key findings from “Beyond the Breach” include:
- The time it takes to detect a compromise continues to improve. The median number of days attackers were present on a victim’s network before being discovered dropped to 229 days in 2013 from 243 in 2012. This improvement is incremental relative to the drop from 416 days in 2011; however, organizations can be unknowingly breached for years. The longest time an attacker was present before being detected in 2013 was six years and three months.
- Organizations in general have yet to improve their ability to detect breaches. In 2012, 37 percent of organizations detected breaches on their own; this number dropped to just 33 percent in 2013.
- Phishing emails largely look to capitalize on trust in IT departments. 44 percent of the observed phishing emails sought to impersonate the IT departments of the targeted organizations. The vast majority of these emails were sent on Tuesday, Wednesday, and Thursday.
- Political conflicts increasingly have cyber components that impact private organizations. Over the past year, Mandiant responded to an increased number of incidents where political conflicts between nations spawned cyber attacks that impacted the private sector. Specifically, Mandiant responded to incidents where the Syrian Electronic Army (SEA) compromised external-facing websites and social media accounts of private organizations with the primary motive of raising awareness for their political cause.
- Suspected Iran-based threat actors conduct reconnaissance on the energy sector and state government. Multiple investigations at energy sector companies and state government agencies of suspected Iran-based network reconnaissance activity indicate that threat actors are actively engaging in surveillance activities. While these suspected Iran-based actors appear less capable than other nation-state actors, nothing stands in the way of them testing and improving their capabilities.