Mandiant 2015 M-Trends report: malicious actors spent a median of six months on breached systems before detection

Mandiant’s new M-Trends report (M-Trends 2015: A View from the Front Lines) examined 2014’s “seemingly never-ending series of breach disclosures” to discern common trends. It concludes that “organizations should consider data breaches… a business reality”, and that, although the threat landscape is becoming more complex, “far too many organizations were unprepared for the inevitable breach, allowing attackers to linger far too long in compromised environments.”

The report found that:

  • Breached companies typically don’t know they’ve been breached until notified by a third party – often months after the initial incident. According to Mandiant’s research, only 31% of breaches were detected internally; 69% of breached companies were notified by a third party, “such as a supplier, customer, or law enforcement”.
  • Criminals spend a long time undetected in breached environments. The median number of days that threat groups were present on a victim’s network before detection was 205; the longest undetected presence on a hacked system was 2,982 days.
  • Hackers are targeting a wider selection of victims. The “Business & Professional Services” sector was hardest hit in 2014 (with 17% of intrusions), followed by “Retail” (14% – up from 4% in 2013) and “Financial Services” (10%). The “Government & International Organizations” and “Healthcare” sectors also emerged as notable targets.
  • More entities than ever disclosed breaches in 2014, but victims struggled to provide enough information about incidents. “The press, customers, and partners… are demanding more information – and asking more detailed questions. To prepare, organizations need an effective communication strategy.”
  • Criminals and APT actors are emulating each other’s methods, and it is often hard to distinguish between the two. “As the tools, techniques, and procedures of criminal and APT actors coalesce, you must scrutinize actors’ intent and motivations. Only then can you properly assess the potential impacts of security incidents, respond appropriately, and create a security strategy appropriate for the threats you face.”

If the threat landscape in 2015 continues to evolve according to these patterns – and there’s no reason to suppose it won’t – then major breach incidents will continue to increase in number and severity, and organisations will remain unable to prevent, detect or react to them.

Aiming for a secure 2015

As the report concludes: “No one can prevent every breach. But by preventing, detecting, analyzing, and responding to the most advanced threats quickly and effectively, you can protect yourself, your customers, and your partners from the headline-generating consequences… [With] the right mix of technology, intelligence, and expertise, organizations can begin to close the security gap.”

ISO 27001

The best way for organisations “to close the security gap” is to implement a best-practice approach to information security. The international standard ISO 27001 sets out the requirements of an information security management system (ISMS), which addresses people, processes and technology, and will provide all organisations with an enterprise-wide information security methodology that enables them to mitigate information security threats.

IT Governance’s ISO 27001 Packaged Solutions provide ISMS implementation resources and guidance suitable for all organisations, whatever their budget.

If you want a secure 2015, click here for more free information >>

ISO27001PackagedSolutions-banner