“With no diplomatic solution in sight, the ability to detect and respond to attacks has never been more important,” the report said.
Businesses need to recognise that security breaches are now inevitable, and they need to be prepared to deal with a breach when it happens, said Jason Steer, director of security strategy at FireEye.
“Our experience tells us just about every organisation is compromised, and that few are prepared for the battle,” he told Computer Weekly.
US businesses are ahead in realising they need a more comprehensive approach that goes beyond security products, but European businesses are starting to come around to this view, said Steer.
The potential targets for cyber attacks have increased, the report notes, with cyber threat actors expanding the use of computer network exploitation beyond data theft to include economic and political objectives.
“They are also looking for ways to publicise their views, cause physical destruction, and influence global decision makers,” the report said.
Over the last year, Mandiant responded to an increased number of incidents where political conflicts between nations spawned cyber attacks that impacted the private sector.
Specifically, Mandiant responded to incidents where the Syrian Electronic Army (SEA) hacktivist group compromised websites and social media accounts of private organisations with the primary motive of raising awareness for their political cause.
Multiple investigations at energy sector companies and state government agencies of suspected Iran-based network reconnaissance activity indicate that threat actors are actively engaging in surveillance activities.
While these suspected Iran-based actors appear less capable than other nation-state actors, nothing stands in the way of them testing and improving their capabilities, the report said.
“It is hard to overstate how quickly cybersecurity has gone from a niche IT issue to a consumer issue and boardroom priority,” said Kevin Mandia, senior vice-president and chief operating officer at FireEye.
“Over the past year, Mandiant has seen companies make modest improvements in their ability to attack the security gap.
“On the positive side, organisations are discovering compromises more quickly, but they still have difficulty detecting said breaches on their own,” he said.
Based on the incidents investigated by Mandiant in 2013, the report highlights that the time taken by companies to detect a breach continues to improve.
The median number of days attackers were present on a victim’s network before being discovered dropped to 229 days in 2013 from 243 in 2012, which in turn was a drop from 416 days in 2011.
While organisations are detecting compromises two weeks sooner than they did a year ago, they are less likely to discover a breach on their own compared to a year ago.
The report said organisations can be unknowingly breached for years. The longest time an attacker was present before being detected in 2013 was six years and three months.
The report said that in general organisations are yet to improve their ability to detect breaches.
In 2012, some 37% of organisations detected breaches on their own, but this dropped to just 33% in 2013. This means 67% of victims were aware of breaches only after being notified by a third party.
Another key trend highlighted by the report is that phishing emails are increasingly designed to capitalise on trust in IT departments.
The report said 44% of the observed phishing emails attempted to impersonate the IT departments of the targeted organisations.
In 2013, Mandiant responded to a growing number of financial theft incidents, many of which targeted the retail sector.
In each of the incidents investigated, a third party – typically one of the major banks or card brands – had notified the retailers of the compromise.
In light of the increase in attacks on the retail sector, the report recommends that retailers:
- Implement strict network segmentation of the systems that handle cardholder data
- Require two-factor authentication
- Manage privileged accounts with access to cardholder data
- Employ the principle of “least privilege” to all account and group permissions
- Encrypt cardholder data
- Secure endpoints by implementing application whitelisting
- Patch all third-party applications and operating systems
- Install an endpoint threat detection and response system
- Implement a file-monitoring system to track when files have been created on a system
- Actively monitor systems for abnormal activity
“Too many organisations are still looking for security products to solve their problems, but this approach is no longer working,” said Steer.
They should also be thinking about how to architect their networks better, how to improve user education, and how to improve their ability to contain and remediate attacks.
“Organisations need to rethink their combination of products, people and processes to enable them to deal with attacks better and more cost effectively, rather than relying on security products alone,” he said.
Businesses should be asking themselves which people and systems are most at risk and put extra controls and mitigations around them to minimise the impact of attacks.
They should also be asking how well prepared they are to detect and fix breaches when they happen, and how well they can enable users and business processes to get back up and running quickly.