FireEye’s annual M-Trends report finds that financial attacks have reached nation-state level of sophistication
FireEye, Inc. has announced the release of its annual M-Trends report, which found that attackers are present in EMEA organisations' networks for a median of three and a half months before being detected. The report is based on information gathered during investigations conducted by FireEye's security analysts in 2016 and describes the emerging trends and tactics threat actors used to compromise organisations.
"In 2016 we saw cyber-attacks spread widely and publicly into areas such as elections, and attackers became more sophisticated. By looking at the dropping levels of dwell time we can see that organisations are improving, but there is still much to do, as attackers only need a few days to complete their objectives," said Stuart McKenzie, Vice President of Mandiant at FireEye. "The improvement is down to increased awareness, technical advances and investments in effective resources. Government-enforced schemes like GDPR are also encouraging organisations to get their house in order. However, when compared to the rest of the world, EMEA still lags behind significantly in some areas, which boardrooms across the region will have to fix quickly."
The key findings include:
Dwell time of EMEA organisations is 106 days – The median dwell time (the time a threat actor spends in an environment before being detected) stands at 106 days. That is at least 103 days too long, given that FireEye experts can obtain domain administrator credentials within three days of gaining initial access to an environment. The global median dwell time is 99 days, so EMEA organisations are a week slower to detect intrusions than the global median. However, dwell time in EMEA has fallen sharply since the previous M-Trends report, to less than a quarter of the 469 days recorded in 2015.
Financially motivated threat actors reached new levels of sophistication – These attackers are now as advanced as state-sponsored groups, which traditionally were far more sophisticated. In 2016, financially motivated attackers moved to custom backdoors with a unique configuration for each compromised system, further increased the resilience of their infrastructure, and employed improved counter-forensic techniques. One of the most unexpected trends noted in 2016 was attackers telephoning targets to walk them through enabling macros in a phishing document, or to obtain the target's personal email address.
The EMEA energy sector faces a high risk – Threat actors are disrupting the sector as they attempt to steal proprietary information that advances the capabilities of domestic companies in their own countries. In addition, cyber threat groups could target European industrial control systems for potentially disruptive or destructive operations.
Hunting skills more accessible to less experienced analysts – Threat hunting was once a niche skill, but, as often happens, that expertise has been codified and made accessible to less experienced analysts as training and tooling to support it have become available. Threat hunting is now among the most commonly sought skills in defensive security, and the associated training and education markets are shifting to meet that demand.