CA Communications, Minnetonka, MN :: Business Phones, Communications, Networking, Consulting, Cloud, Wireless

Mandiant M-Report Summary of Threat Landscape

Top 5 Industries Targeted

  • High Tech – 11%
  • Business & Professional Services – 10%
  • Financial Services and Insurance – 9%
  • Media and Entertainment – 9%
  • Retail – 9%

Reduction in the number of days compromised before detection

  • 2012 – 416
  • 2014 – 205
  • 2015 – 146

However, the Mandiant Red Team can obtain domain administrator credentials within 3 days of gaining access to a network, which means an average attacker has 143 of those days to capitalise on the intrusion. Finding attackers early is critically important: ideally as soon as they move laterally, or are deceived into interacting with a Trap.

New Trends

Rise in Ransomware – faster identification of unauthorized executable content minimizes the spread of Ransomware to the wider community. TrapX is the only vendor that can do this at scale. Note that the attackers are even delaying the execution of destructive software on Domain Controllers so they can guarantee maximum propagation by allowing authentication services to still be available. They kill the DCs last!

Rise in the bulk export of PII – Personally Identifiable Information is increasingly a massive target. This means that Spin Data is a major selling point for TrapX – through the use of Deception Tokens we can draw attackers to the Crown Jewels! A large, convincing set of user data might even be enough to get an attacker to desist in the attack long enough to buy the users of TrapX's DFIR tool more time to perform forensics on the compromised hosts identified when the Spin Data was accessed!

The exploitation of Network Equipment – TrapX's networking emulation will be of huge value to customers seeking to entice attackers to modify switch images or gain access to running configs on the infrastructure. Attackers are installing backdoors in router images. Spin Data of a directory of router images would be hugely valuable too!

An increase in fast disruptive attacks vs. 'low and slow' – high-impact, publicly visible and embarrassing attacks are on the rise. This means that the attackers are seeking to move laterally more quickly, and are more likely to make mistakes and touch TrapX traps! Additionally, many businesses had to resort to paper-based systems after production servers were wiped in attacks. This means the cost of these outages is increasing, so investments in Deception are easier to justify!

The Main Security Failures

Credentials – poor password discipline, cached credentials and single-factor authentication – sell TrapX Spin Data and Deception tokens! Usernames and passwords (particularly administrative ones) are what the attackers will seek out!

Inability to detect targeted attacks – alert fatigue, and poor understanding of how events can be correlated – TrapX correlation events and High Fidelity alerts directly support the beleaguered NOC and SOC analysts and give them priority areas to concentrate on!

Poor Egress Controls – poor enforcement of outbound traffic to known bad IPs, or incomplete monitoring of egress traffic. TrapX's BotNet Detector is excellent at detecting erroneous conversations with bad domains and IPs. We saw some very interesting things (still under investigation) at Unilever, including 306 IPs on a SINGLE egress point talking to a VirusTotal-identified malicious server in the Czech Republic!
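The egress-control failure described above is the kind of check that is easy to show in code. The script below is an added example and is not code from the original page, from TrapX or from Mandiant: it parses constructed outbound flow records, matches each destination against a constructed blocklist (RFC 5737 documentation ranges stand in for a threat-intelligence feed), and then counts how many distinct internal hosts behind each egress point talked to a flagged destination and how many bytes they sent. The log format, the field names, the egress-point labels and every address are assumptions made for the example.

```python
"""Added example (not from the page, TrapX or Mandiant): a minimal egress
monitor that flags outbound flows to known-bad destinations and aggregates
the hits per egress point.  Log format, addresses and blocklist are all
constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed blocklist: documentation ranges standing in for a threat feed.
KNOWN_BAD = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.77/32")]

# Constructed flow records: timestamp, egress point, internal source,
# destination, destination port, bytes sent outbound.  One line is malformed
# on purpose so the parser's error handling is exercised.
SAMPLE_FLOWS = """\
2016-03-01T10:00:01Z egress-1 10.1.4.22 203.0.113.5 443 5120
2016-03-01T10:00:02Z egress-1 10.1.4.23 203.0.113.5 443 3072
2016-03-01T10:00:05Z egress-1 10.1.9.8 93.184.216.34 80 900
2016-03-01T10:00:07Z egress-2 10.2.1.17 198.51.100.77 8080 70000
2016-03-01T10:00:09Z egress-2 10.2.1.17 198.51.100.77 8080 66000
2016-03-01T10:00:11Z egress-1 10.1.4.24 203.0.113.9 443 2048
malformed line that should be skipped
"""


def parse_flow(line):
    """Parse one flow record; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, egress, src, dst, port, nbytes = parts
    try:
        return {
            "ts": ts,
            "egress": egress,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(port),
            "bytes": int(nbytes),
        }
    except ValueError:
        return None


def is_known_bad(addr):
    """True if the address (string or ip_address) falls in a blocklisted range."""
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in KNOWN_BAD)


def find_egress_hits(log_text):
    """Return the flow records from internal hosts whose destination is known-bad."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec is None or not rec["src"].is_private:
            continue  # skip malformed lines and flows not sourced from inside
        if is_known_bad(rec["dst"]):
            hits.append(rec)
    return hits


def summarise_by_egress(hits):
    """Per (egress point, bad destination): distinct internal sources and bytes out."""
    acc = defaultdict(lambda: {"sources": set(), "bytes": 0})
    for rec in hits:
        key = (rec["egress"], str(rec["dst"]))
        acc[key]["sources"].add(str(rec["src"]))
        acc[key]["bytes"] += rec["bytes"]
    return {k: {"sources": len(v["sources"]), "bytes": v["bytes"]} for k, v in acc.items()}


if __name__ == "__main__":
    hits = find_egress_hits(SAMPLE_FLOWS)
    for (egress, dst), stats in sorted(summarise_by_egress(hits).items()):
        print(f"{egress}: {stats['sources']} internal host(s) -> {dst}, {stats['bytes']} bytes out")
```

The per-egress aggregation is the useful part for an analyst: a single internal host reaching a bad IP is a ticket, while many distinct hosts behind one egress point reaching the same bad IP points at a shared infection or a misconfigured proxy and deserves priority.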
