
Attacks/Breaches

3/30/2016
07:00 PM

Business Disruption A Big Focus In 2015 Cyberattacks

In a shift from the low and slow attacks of recent years, many incidents last year were attention seeking and were motivated not just by money, according to Mandiant's annual report.

There’s a bit of an everything-old-is-new-again feel to at least one of the major trends for 2015 in security firm Mandiant Consulting’s recent annual threat report.

As with previous reports, FireEye/Mandiant’s analysis is based on a review of its customer engagements in the past year. The most interesting new trend it discovered over the period was an increase in the number of business disruption attacks its clients suffered. Examples of such attacks included those where corporate data was held for ransom or where the organization itself was held to ransom by attackers threatening to delete data, release it publicly, modify it, or add malware to the data.

In a shift away from the low and slow attacks of recent years, many of the incidents that Mandiant was called in to remediate in 2015 harkened back to older attacks in that they were very public, leaked data, and taunted victims.

Instead of the usual focus on stealth and maintaining access for as long as possible, the attacks that Mandiant investigated in 2015 were deliberately designed to draw public attention to the malicious activity or to data that was compromised. “Some attackers were motivated by money, some claimed to be retaliating for political purposes, and others simply wanted to cause embarrassment,” Mandiant said in its report. 

Publicity-seeking attacks were common a few years ago but have become far less frequent recently. Security researchers have noted how in recent years threat actors have chosen to focus on monetizing their criminal skills and in stealing data rather than displaying their hacking prowess to make a political or social point or to impress peers.

Charles Carmakal, vice president of Mandiant, says that the threat actors responsible for the disruptive attacks typically had very different motivations from those looking to steal data over the long-term.

“Disruptive threat actors are motivated by money and fame,” he says. “State-sponsored threat actors tend to steal information that provides economic, military, or political advantage to their countries.”

Usually, such hackers have been careful to avoid disrupting businesses because they want to continue to steal data from their victims, he says.

Digital blackmail schemes were a common occurrence in 2015 among Mandiant’s clients. Such campaigns typically involved situations where an attacker tried to extort money from an organization by threatening to publicly release sensitive data that had been previously stolen from it.

“We’ve observed attackers stealing materially sensitive data, then threatening to release the information publicly, encrypting victims’ data, and conducting denial of service attacks until ransoms were paid,” Carmakal says. In most cases, the ransoms demanded tended to be commensurate with the value of the stolen data, suggesting that attackers had a fine-honed sense of the inherent value of the information.

Mandiant also investigated multiple attacks where the adversaries wiped data from critical business systems, and often the system backup infrastructure as well, to keep victims offline, sometimes for weeks. While threat actors have had the ability to take such actions for years, most have refrained from doing so because their focus has been on theft of IP and other data.

“Many of the disruptive attacks that we observed in 2015 appeared to be opportunistic in nature,” Carmakal says. “However, we’ve observed attacks that were clearly targeted and deliberate.”

Somewhat ironically, the disruptive nature of many of the attacks in 2015 may have actually made them easier to spot.

According to Mandiant, last year it took about 146 days on average for organizations to learn they had been breached, or to be notified of one. While that is still a long time, it is better than the 205 days on average it used to take in 2014, and the astonishing 416 days in 2012.

The quicker detection times may be due to a few reasons, including the fact that threat actors are becoming more disruptive, so their malicious actions are more visible and therefore detected more quickly, Carmakal says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
