The M-Trends 2018 report covers incidents and investigations undertaken by Mandiant, a FireEye subsidiary, from 1st October 2016 to 30th September 2017. The wide-ranging report highlights dwell time, defined as the number of days between the first evidence of an attack and its discovery; the rise of Iranian APT groups; the problems associated with legacy systems; and the re-attack rate, defined as the proportion of organisations that were successfully attacked again within a year of a previous significant attack. The figures are broken down by region and industry, which gives some useful insights. The report does, however, suffer from the limitation that it is based solely on Mandiant's own investigations, and so reflects Mandiant's customer base rather than the whole industry, a limitation the report itself acknowledges.
The dwell time statistics give a concerning view of the threats seen by Mandiant (and are no doubt useful in its marketing). They show that although a significant proportion of intrusions are detected within 30 days, there are spikes of detections at the three-month and one-year marks, the latter typically corresponding to an annual assessment or audit rather than to live detection. Globally, the median dwell time for 2017 was 101 days, up from 99 days in 2016; this is the first year-on-year increase since Mandiant began publishing the figure in 2011, and suggests that detection capability is no longer improving at the global level.
The report also gives a strategic overview of the new APT groups designated by FireEye during the period, APT32 through APT35, with their high-level TTPs, and includes a separate section on Iranian actors, APT35 in particular.
According to Mandiant, the number of attacks originating from threat actors sponsored by Iran has significantly increased. These groups are assessed to use strategic web compromises (SWCs), in which websites their intended targets are likely to visit are compromised to serve malicious content, to ensnare more victims, and to maintain persistence across multiple organisations for months and sometimes years. Home-grown custom malware is used in both destructive attacks and espionage campaigns. Using PUPYRAT as an example, the report describes a credential-theft methodology used by the group that has even been adapted to cloud migration trends, as target companies moved to off-premises email solutions.
In a segment titled “Once a target, always a target”, FireEye quantify the risk of a follow-up significant attack, where a significant attack is taken to mean activity such as data theft, compromised accounts, credential harvesting, lateral movement or spear phishing. Nearly half of customers that suffered at least one significant attack were successfully attacked again within one year. There is, however, a large geographical divide in this statistic: over 91% of Mandiant's APAC customers with at least one significant attack saw further attacker activity within the following year, compared with 44% in the Americas and 47% in EMEA.
High tech, telecommunications and education attract the largest number of distinct attack groups, that is, they are targeted by the widest range of threat actors, while the financial, high tech and healthcare sectors saw the highest number of significant attacks. Although the industry preferences identified could to some extent reflect Mandiant's customer base rather than genuine attacker preference, they are consistent with similar findings published by other vendors.