Threat Research Blog

M-Trends on the Importance of Rapid Detection and Response

Every year I look forward to reading the new M-Trends Report. It's a powerful summary of the lessons Mandiant learns from conducting incident response engagements for global clients. The report describes what our teams see in the field. It does not attempt to provide a statistically significant representation of the global population of incident response activity. Rather, it's our best effort to share what we think you should know, derived from first-hand experience at hundreds of clients in more than 30 industry sectors.

With this in mind, I'd like to highlight a few excerpts from the latest edition.

The first set of excerpts update several key metrics seen in previous M-Trends reports.

In 2013, the median number of days attackers were present on a victim network before they were discovered was 229 days, down from 243 days in 2012. The longest presence was 2,287 days.

In 2013, only 33% of the organizations to which Mandiant responded had discovered the intrusion themselves, versus 37% of the organizations we helped in 2012.

These sets of statistics are some of my favorites. Note the term "median," not "average" (or "mean"). The case where a victim suffered a 2,287 day "dwell time" is fairly shocking.

The second set of excerpts are taken from the latest report and talk about Syrian Electronic Army activity.

44% of observed phishing emails were IT related, often attempting to impersonate the targeted company's IT department.

Mandiant's observations of SEA activity over the course of 2013 revealed that the group used two tactics to gain access to victim organizations: sending phishing emails from internal accounts and, starting in August 2013, compromising service providers as a way to target victim organizations.

The SEA sent thousands of phishing emails to a large number of employees over the span of three hours... [With] a success rate of only 0.04%, the phishing emails still allowed the SEA to harvest the credentials necessary to access the targeted resources.

These statements remind us of how phishing remains a powerful tactic. When phishing fails, groups like the SEA have adopted a new tactic - exploiting vendors, business partners, and service providers, as we've seen with other groups.

The last set of excerpts show how time plays a key role in digital defense.



Less than 24 hours after the initial infection, the bot owner upgraded the backdoor to a stealthier version designed to avoid detection by anti-virus (AV) products.

These final excerpts reminds us that time is a critical component in incident response strategy. The first is a timeline of SEA intrusion activity, and the second shows how one intruder upgraded capability within a day of gaining an initial foothold on a victim system. Both M-Trends excerpts remind us that fast detection and response is a viable strategy, so long as we are vigilant and can execute countermeasures faster than the adversary can accomplish his ultimate objective.

What were your favorite parts of the report? What would you like to see in future editions?