Mandiant, the breach remediation and forensics company purchased by FireEye in 2014 and a leader in the cybersecurity technology world, released their “M-Trends 2016” report on their observations from 2015.
Even at 48 pages in length, it is well worth a read -- these are some smart folks who are deeply passionate about cybersecurity. The report highlights some unsurprising facts - there are more disruptive attacks than ever, and state-sponsored attacks are driving a lot of them. But it’s not all bad news: there are solutions to many of the problems that Mandiant highlighted in today’s report.
Breach Detection and Persistence
Let’s start off with the good news. In 2012, the median number of days between breach and discovery of the breach was 416 days (that’s not a typo -- more than a year!). 2014 saw that drop to 205 days, and the latest info for 2015 shows that has dropped to 146 days. Mandiant doesn’t propose any theories as to how this improvement has been achieved, but it’s reasonable to guess that an increased focus (at all management levels) on cybersecurity has brought more resources to the fight, and improved awareness of the likelihood, impact and need to prevent breaches. More focus and more resources mean greater detection capabilities are being deployed across enterprises. Existing software and hardware solutions have also gotten smarter -- more able to report suspicious activity on their own -- and those reports are flowing together into SIEM solutions with greater speed and in greater quantities.
It’s not all good news, though. Mandiant’s Red Team, on average, “is able to obtain access to domain administrator credentials within three days of gaining initial access to an environment”. There are so many vectors to obtain highly-privileged accounts that protecting them is an increasingly tough job. Also, you’re still more likely to have the FBI notify you than to have your Security Operations Center notify you of a breach: 53% of breaches in Mandiant’s 2015 study data were discovered through external notification.
Observation #1 – Credentials, in general
“Captured credentials remain the most efficient and undetected technique for compromising an enterprise.”
It is no surprise that the first observation of security failure trends in the M-Trends report concerns credentials. With so many credential-theft techniques available, compromising administrator credentials is still the number one choice for attackers successfully penetrating networks.
These tools are fast, almost impossible to detect by AV, publicly-available, and widely supported. Even with detailed guidance from Microsoft regarding the protection of credentials and the built-in safeguards in modern Windows operating systems, our Red Teams continue to have extraordinary success retrieving credentials from memory and reusing those credentials to move laterally throughout a network.
As reported by FireEye, defending against these attacks has been extremely difficult. It is easy to bypass AV, and once credentials are pulled out of memory an attacker can move laterally from system to system without being detected by modern-day IDS solutions. FireEye also noted that Mandiant is able to compromise domain administrator credentials within three days of gaining initial network access to an environment.
When we take a look at the Targeted Attack Lifecycle, stealing valid user credentials and privilege escalation are at the core of the attack chain.
Stealth and persistence are key to targeted attacks. A compromised administrator account allows an attacker to silently pivot across multiple systems, perform internal reconnaissance, and ultimately steal targeted data. Shockingly, companies informed of a breach from an external agency (the majority) have been compromised, on average, for 320 days.
To protect against these attacks, FireEye has two key recommendations:
- Monitor Use of Privileged Accounts
- Implement Multi-Factor Authentication & Jump Servers
Conclusions and Solutions
2016 promises to be another year of innovation -- on the dark side and the light side -- in the cybersecurity world. Remediant is here to help -- our Privileged Access Management solution, SecureONE, helps you to deliver many of Mandiant’s recommendations.
- Breach detection: SecureONE integrates with your SIEM solution to feed in information about privilege escalation -- successful and unsuccessful, authorized and unauthorized. Correlating these events with other security events across your ecosystem can massively improve your ability to detect breach situations and zero in on vulnerable endpoints.
- Monitor use of Privileged Accounts: It’s 2am -- do you know where the credentials for your highly privileged account are? As Mandiant states in the report, “If you are on an IT or security team, know this: The bad guys are coming for you and they want your credentials”. SecureONE gives you the ability to see exactly when a privileged account is used, by whom. SecureONE can even stop the utilization of a privileged account if the utilization falls outside of established user behavior norms.
- Multifactor Authentication: SecureONE is a minimally disruptive way to implement Multifactor Authentication for your highly-privileged administrator accounts. Average users without privileged accounts see no change at all -- and we designed SecureONE with usability as the first principle. We integrate with nearly any existing second-factor solution, or you can use the built-in second-factor management solution that comes with SecureONE.
- Credential Protection: Instead of relying on Password Vaulting or other shared account approaches, SecureONE reduces your attack surface by reducing the quantity of highly privileged accounts in your ecosystem. This not only makes auditing systems easier, but also protects the credentials of your privileged and non-privileged accounts because they are never shared or stored.
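The two recommendations above (monitor privileged account use, and feed privilege-escalation events into your SIEM and correlate them) come down to a few concrete checks over logon telemetry. The script below is an added example, not Remediant's or Mandiant's code and not part of SecureONE. It reads constructed, simplified log lines modelled on Windows Security Event ID 4672 ("Special privileges assigned to new logon"), compares each privileged logon against a hypothetical per-account baseline of normal hosts and working hours, and raises a separate alert when one account reaches several distinct hosts in a short window, which is the lateral-movement pattern the report describes. The log format, the baseline, and the account and host names are all assumptions made for the example.

```python
"""Flag anomalous privileged-account use from simplified Windows Security log lines.

Added example; not the vendor's or the report's code. The log lines are
constructed and simplified (timestamp, event ID, account, host, logon type),
not real EVTX records, and the per-account baseline is hypothetical.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event ID 4672 marks a logon that received admin-equivalent privileges;
# that is the signal this detector keys on.
PRIVILEGED_LOGON_EVENT = 4672

# Hypothetical baseline of established norms per account: the hosts it normally
# logs on to and its usual hour window (start inclusive, end exclusive).
BASELINE = {
    "CORP\\jdoe_admin": {"hosts": {"JUMP01"}, "hours": (8, 18)},
    "CORP\\svc_backup": {"hosts": {"FS01", "FS02"}, "hours": (1, 5)},
}

# Constructed sample log: "<ISO timestamp> <event id> <account> <host> <logon type>"
SAMPLE_LOG = """\
2016-02-24T09:02:11 4672 CORP\\jdoe_admin JUMP01 10
2016-02-24T09:05:00 4624 CORP\\jdoe_admin JUMP01 10
2016-02-24T02:15:40 4672 CORP\\svc_backup FS01 3
2016-02-24T23:47:05 4672 CORP\\jdoe_admin WS-FIN-07 3
2016-02-24T23:52:19 4672 CORP\\jdoe_admin WS-FIN-12 3
2016-02-24T23:58:33 4672 CORP\\jdoe_admin DC01 3
"""


def parse_line(line):
    """Parse one constructed log line into a dict; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, event_id, account, host, logon_type = parts
    try:
        return {
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "account": account,
            "host": host,
            "logon_type": int(logon_type),
        }
    except ValueError:
        return None


def detect_privileged_anomalies(log_text, baseline,
                                window=timedelta(minutes=30), spread_threshold=3):
    """Return alert dicts for privileged logons that break the baseline.

    Reasons raised:
      unknown_account - privileged logon by an account with no baseline at all
      unknown_host    - privileged logon on a host the account never uses
      off_hours       - privileged logon outside the account's usual hour window
      host_spread     - the account reached >= spread_threshold distinct hosts
                        within `window` (lateral movement with admin credentials)
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events = [e for e in events if e["event_id"] == PRIVILEGED_LOGON_EVENT]
    events.sort(key=lambda e: e["time"])

    recent = defaultdict(deque)  # account -> deque of (time, host) inside the window
    alerts = []

    def alert(e, reason):
        alerts.append({"time": e["time"].isoformat(), "account": e["account"],
                       "host": e["host"], "reason": reason})

    for e in events:
        norms = baseline.get(e["account"])
        if norms is None:
            alert(e, "unknown_account")
        else:
            if e["host"] not in norms["hosts"]:
                alert(e, "unknown_host")
            start, end = norms["hours"]
            if not (start <= e["time"].hour < end):
                alert(e, "off_hours")

        # Sliding window of hosts this account has touched recently.
        q = recent[e["account"]]
        q.append((e["time"], e["host"]))
        while q and e["time"] - q[0][0] > window:
            q.popleft()
        if len({h for _, h in q}) >= spread_threshold:
            alert(e, "host_spread")

    return alerts


if __name__ == "__main__":
    for a in detect_privileged_anomalies(SAMPLE_LOG, BASELINE):
        print(a)
```

On the sample data the daytime jump-server logon and the backup account's scheduled 02:15 run produce nothing, while the three late-night privileged logons by the same admin account on workstations and a domain controller each raise `unknown_host` and `off_hours`, and the third one also raises `host_spread`. In practice the alert dicts would be forwarded to the SIEM so they can be correlated with the other events the post mentions; the thresholds and baseline here are illustrative and would be tuned per environment.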