When cyberthieves attack, it takes months for anyone in the victimized organization to spot the breach — and increasingly, that doesn’t happen until law enforcement, banks or other outsiders flag an apparent problem, according to a new report by security company Mandiant.
Mandiant’s “M-Trends 2015” report, which was released Tuesday (Feb. 24), found that the median time to detect a breach in 2014 was 205 days (just over six months), down from 229 days (almost eight months) in 2013. But part of the reason for the slightly quicker discovery may be that 69 percent of the breached organizations learned of the breach from outsiders, up from 67 percent in 2014 and 63 percent in 2012.
Breaches the company investigated in 2014 showed a big jump in retailers — 14 percent of Mandiant’s investigations, up from 4 percent the year before — along with major increases in incidents affecting business and professional services companies (17 percent), government and international organizations (7 percent), and health care (6 percent). Media and entertainment companies showed the biggest drop, falling to 8 percent from 13 percent in 2013 (although Mandiant was called in on the biggest attack of the year in that category, the Sony Pictures breach).
While attackers used a variety of technical attacks, fake emails remained a highly successful way to steal passwords. Increasingly, those phishing messages pretend to come from IT departments or security vendors; 78 percent of the phishing messages Mandiant saw were in that category.
And once cyberthieves were into a retailer’s network, they had very little difficulty roaming around in it at will, even when the thieves were apparently not very technically sophisticated.
“We saw everything from novice attackers who used publicly available tools to more advanced groups wielding sophisticated card-harvesting malware tailored to specific POS applications,” the report said. “Regardless of skill — or lack thereof — novice attack groups proved as effective at stealing cardholder data as their more advanced counterparts. Each attack group moved undetected throughout victims’ environments, gained access to the POS systems, and installed card-harvesting malware.”
Mandiant’s specific advice to retailers and other payment-accepting organizations is to secure remote access to their systems with two-factor authentication, tighten security on any access to systems that process payment-card data, deploy application whitelisting on critical IT assets, and add security management to accounts with special privileges, such as system administrator accounts.