European organizations need, on average, 469 days to detect an incident that has compromised their information security infrastructure. That is more than 10 months longer than the average registered globally (146 days).
Mandiant, a company specializing in information security threat detection services that FireEye acquired at the beginning of 2014, has recently published the first edition of its M-Trends report on security breaches dedicated exclusively to the EMEA region (Europe, Middle East, Africa), of which Romania is also part.
What are the research results? According to Mandiant, the average values for an organization that has suffered a security breach are:
- 40 affected systems (workstations or servers);
- 6 GB of stolen data;
- 37 compromised user accounts and 7 administrator accounts;
- 469 days required, on average, to detect an incident.
The FireEye/Mandiant report shows that almost 15 months is enough time for a major cyber attack to unfold, allowing the attackers to meet a whole range of objectives. During this time they can move, without any restriction, from a simple malware infection that was not detected in time to establishing a remote access method (by installing web shells or backdoor applications).
The report emphasizes that EMEA organizations predominantly perform internal analysis of the security and integrity level of their information infrastructure, and only for a limited number of systems. This does not allow them to detect the security incident in time, nor to establish its scope or the real goals pursued by the attackers. The results demonstrate that the traditional method of detecting security problems, based on the "follow the clue" principle and on the analysis of a limited number of systems, is inadequate. The fact that, of the 40,167 workstations analyzed in total, only 40 per compromised organization were found to be affected (0.001 % of the total) shows that attackers manage to maintain an ever smaller footprint in the IT infrastructure of the affected companies in order to avoid detection.
The analysis of ongoing penetrations of security systems revealed that, once access to the victim's infrastructure has been obtained, one of the attackers' favorite targets is the credentials of the system administrators, which let them take control of applications and databases but also protect themselves against possible changes of the authentication data. (Mandiant specialists conducted penetration tests which demonstrated that they need more than 3 days to obtain IT administrator credentials and reach the targeted information.)
The FireEye/Mandiant report has also made clear an important limitation of classic security strategies: organizations concentrate their efforts on protection against possible outside threats (inbound traffic), against which they defend with firewall solutions, intrusion detection systems, etc. Most companies, however, neglect the inside-to-outside traffic (outbound traffic) generated by already compromised workstations and servers.
This is a weak measure, because proxy servers and external DNS services offer protection only against common threats and malware with reduced risk potential; their detection capabilities are similar to those of classic antivirus technologies, which use signature libraries to block the activity of already known threats. The problems mostly appear when attackers modify regular malware just a few days before launching the attack. Advanced attacks use "personalized" threats that cannot be discovered by regular systems, being unknown to antivirus solutions and absent from proxy server blacklists. The FireEye/Mandiant analysis insists that, in the EMEA area, organizations rely mainly on their internal capabilities to detect threats, rarely turning to external sources for analysis and detection of potential security risks. The report identifies the fact that only 12% of EMEA organizations turn to external sources to detect their problems as one of the main reasons for the 469 days that elapse between the moment of compromise and the point of detection.
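To make the inbound/outbound distinction above concrete, here is an added example (not code from the report or this article) that runs two checks over a constructed proxy log: a signature-style blocklist lookup, which misses a destination it has never seen, and a behavioural beaconing check, which flags a workstation that contacts the same unknown host at near-constant intervals. The host names, addresses, timestamps and blocklist are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log, one request per line: "timestamp src_ip dest_host bytes_out".
# 10.0.0.5 contacts cdn-sync.example.org every 5 minutes: a hypothetical C2 check-in.
PROXY_LOG = """\
2016-03-01T09:00:00 10.0.0.5 www.example.com 512
2016-03-01T09:05:00 10.0.0.5 cdn-sync.example.org 128
2016-03-01T09:10:00 10.0.0.5 cdn-sync.example.org 130
2016-03-01T09:15:01 10.0.0.5 cdn-sync.example.org 127
2016-03-01T09:20:00 10.0.0.5 cdn-sync.example.org 129
2016-03-01T09:25:00 10.0.0.5 cdn-sync.example.org 131
2016-03-01T09:07:42 10.0.0.9 www.example.com 2048
"""

# Hypothetical proxy blocklist: the "personalized" C2 host is not on it.
BLOCKLIST = {"known-bad.example"}


def parse_log(text):
    """Return (timestamp, src, dest, bytes_out) tuples from the constructed format."""
    rows = []
    for line in text.splitlines():
        ts, src, dest, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), src, dest, int(nbytes)))
    return rows


def blocklist_hits(rows):
    """Signature-style check: catches only destinations already on the blocklist."""
    return sorted({(src, dest) for _, src, dest, _ in rows if dest in BLOCKLIST})


def beacon_suspects(rows, min_hits=4, max_jitter=0.1):
    """Behavioural check: (src, dest) pairs contacted at near-constant intervals.
    Jitter = stdev/mean of the gaps between requests; a check-in timer has almost none."""
    by_pair = defaultdict(list)
    for ts, src, dest, _ in rows:
        by_pair[(src, dest)].append(ts)
    suspects = []
    for (src, dest), times in by_pair.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        jitter = pstdev(gaps) / mean(gaps)
        if jitter <= max_jitter:
            suspects.append((src, dest, round(mean(gaps)), round(jitter, 3)))
    return suspects
```

On this sample the blocklist returns nothing, while the beacon check reports the 10.0.0.5 pair with a 300-second period; in practice the same heuristic is run over the proxy or DNS logs the compromised hosts already generate.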
The causes are various, of both external and internal nature. On the one hand there is the accelerated growth in the volume of cyber attacks, which are diversifying and continuing to grow in complexity. On the other hand, many companies use inadequate and/or technologically outdated security solutions and suffer a chronic deficit of internal competences and concrete experience in this area. To these factors, a major challenge has been added in recent years, often seen in large and medium organizations: a false sense of security. The contradiction between organizations' perception and the real situation is due mainly to reduced visibility of the degree of risk to which their information infrastructures are exposed. For example, according to the Cisco security report of 2016, 92% of the equipment connected to the Internet has known vulnerabilities, while in old IT infrastructures 31% of the equipment in use no longer receives updates.
This kind of information is well known at top management level in the majority of organizations, and the effects of security flaws are visible. Even though not all companies publicly reveal the security incidents and the collateral damage they have suffered, the balance of positive self-assessment is slowly but surely decreasing, for instance at the level of the top managers responsible for information security. The quoted Cisco report shows that this year only 45% of IT managers trust the protection systems they use (compared with 59% in 2015 and 64% in 2014). And it is not the only warning signal on this matter: last year's edition of the Cyber Security Poverty Index, an RSA study that evaluated the maturity level of the protection programs used by organizations, revealed that 75% of respondents considered themselves "immature".
There are clear signals that perception has started to change. But, to achieve concrete results in the field of information security, it is first necessary that the real decision makers are aware of the risks their organizations face.
Mandiant Consulting: M-Trends 2016, EMEA edition (www2.fireeye.com/rs/848-DID-242/images/Mtrends2016EMEA_LR.pdf)
Cisco 2016 Annual Security Report (www.cisco.com/c/en/us/products/security/annual_security_report.html)
RSA Cybersecurity Poverty Index 2015 (www.emc.com/collateral/ebook/rsa-cybersecurity-poverty-index-ebook.pdf)