Mandiant recently published their M-Trends 2020 report. The M-Trends report is a yearly report that contains insights, trends and statistics based on Mandiant’s incident investigations. By analyzing and review trends and insights amongst real-world breaches and incidents, organizations and vendors alike are able to shift their focus to detect, deter, and prevent breaches. This information arms security teams with the knowledge they need to defend against today’s most often used cyber-attacks.

Detection and Response

The median dwell time (the time to detect a breach) in this year’s report was 56 days, which is down from 78-days in previous year. This indicates the information security industry is improving the capabilities to detect breaches and unwanted actors within a network. Considering the number was 416 days in 2011, the industry has made great improvements in the past decade. Examining whether incidents were detected internally by the victim organization or an external third-party (such as a vendor) reveals an increase in external detections by 12%, and external detections exceeded internal detections. This doesn’t indicate a decrease in internal capabilities, but is likely to do vendors detection capabilities and potentially law enforcement requirements for reporting incidents.

One factor of note for dwell times is the fact that ransomware attacks have low dwell time as they are disruptive in nature and more likely to be noticed. The MITRE ATT&CK framework has over 300 unique tactics, techniques and procedures (TTPs). Last year’s investigations saw only 40% of these TTPs observed in real-world incidents. Examining malware involved in incidents, 41% of malware families had never been seen before, but the TTPs used by malware remain largely unchanged. This underlines how successful the underlying techniques are; adversaries are modifying their toolsets to avoid detection of known malware families by still performing the same attacks. The majority of malware is purposed for performing privilege escalation and lateral movement, of which RDP is the most common lateral movement technique.

Initial Compromise and Attacks

While email phishing remains popular over time, the payloads and goals to accomplish through phishing has evolved. Instead of malicious attached documents, most attackers aim to obtain valid credentials. Of the top five most common initial compromise techniques three involve Valid Access. This typically means an attacker compromises credentials and uses valid credentials to gain access such as through email, VPN, or other remote access. External services and public-facing applications were the two most common initial compromise access points. Multifactor authentication is strongly recommended on all externally exposed services. PowerShell is the most common execution techniques used to establish footholds, disabling PowerShell has become a trend and recommendation in the past couple of years due to its capabilities for attackers to abuse and that it is largely not required by end users and easily disabled across organizations.

As organizations adopt more cloud services and infrastructure the security of cloud becomes increasingly important. The report noted an increase in incidents involving cloud environments, and evidence indicates that attackers cloud skills are improving, reiterating that attackers are constantly evolving to stay ahead. For incidents involving AWS environments, the majority of incidents involved compromised credentials. As organizations adopt hybrid cloud environments they should be providing and mandating cloud security training to ensure staff are properly trained to regarding the unique security risks of cloud environments.

Financial motivation and nation-state espionage are the two largest motivations for threat actors. In order of most popular to least, the top five sectors targeted are Entertainment/media, Financial services, Government, Business/Professional services and Construction/Engineering. The report notes an increase in malicious insider attacks; insider threats are particularly challenging as perpetrator’s are trusted and are uniquely positioned. Malicious insiders were most likely to be financially motivated and achieve their goals by stealing information and using it for blackmail, or extortion. Employing models of least privileges with strict access controls and data loss prevention can help hinder internal actors. Recently UK police have warned businesses about rogue cleaners and staff.

Organizations that experienced an incident were later re-attacked within 1 year in 31% of the cases investigated, demonstrating how important it is that organizations have incident response plans to identify and eradicate attackers, and remediate vulnerabilities and misconfigurations that attackers can exploit. At Packetlabs we believe an ounce of prevention is worth a pound of cure. Penetration testing helps organizations identify vulnerabilities before they are exploited by attackers, helping prevent incidents from occurring in the first place.