Security firm FireEye has been publishing its global M-Trends threat report every year for 12 years. With over 9,900 customers across 103 countries, including more than 50 percent of the Forbes Global 2000 and as one of the go-to industry firms for incident response, it has something of a unique insight into security trends. The Stack pulled 5 key takeaways about the threat landscape from FireEye Mandiant’s 2021 M-Trends report.
1: Exploits outstrip phishing as initial vector
Exploits, i.e. the abuse of a software or other vulnerability, overtook phishing campaigns as the most common way to breach target networks.
Where the initial vector of compromise was identified, evidence of exploits was found in 29% of intrusions, whereas phishing accounted for 23%. Mandiant experts meanwhile saw adversaries use stolen credentials or brute forcing as the initial attack vector in 19% of their investigations.
n.b. A 2020 report by the FBI and CISA revealed that the 10 most exploited vulnerabilities of the previous four years included a software bug first reported in April 2012, yet another reminder that poor patching regimes and legacy software continue to facilitate data breaches and other malicious intrusions. Get patching, where possible.
2: Dwell times are falling (but not in EMEA)
Dwell times (how long an attacker stays in a compromised network before being detected or triggering a payload like ransomware) have meanwhile fallen notably. That is, in part, good news: SOCs and others in the IT function responsible for security detected 59% of incidents internally in 2020, a notable 12-point increase on 2019.
Hard numbers? The median dwell time in 2011 was 416 days. By 2020, the year covered by the 2021 report, it had fallen to just 24 days, suggesting a combination of factors including improved endpoint detection and response (EDR) tools as well as strategic decisions by attackers to pull the trigger faster. The caveat is that a ransomware operator who encrypts within days of getting in shortens the median without defenders having detected anything. (EMEA was an anomaly in the global trend of faster detection and/or malware activation, with median dwell time increasing from 54 days in 2019 to 66 days in 2020.)
“This return to organizations detecting the majority of intrusions within their environments is in line with the overall trend towards increased internal detection observed over the last decade. It shows a continued dedication to the expansion and enhancement of organic detection and response capabilities,” FireEye said.
But it’s not all good news. As cybercriminals pivot to more complex extortion rackets, they also need to range more widely across the network before detonating: seeking sensitive information which can “provide enhanced leverage during negotiations” (after a ransomware attack) means the opportunities to detect them increase. Attackers might go after termination agreements, contracts, medical records and encryption certificates, FireEye notes: “Depending on the organization’s degree of network segmentation, access to the enclaves which would house these data types would require the use of multiple credentials across disparate systems. Each system introduces further opportunities for the attacker to be detected and evicted from the network prior to any theft of sensitive data or activation of encryption tools.”
3: Malware families: Windows-centric, backdoors rule
Of the 514 malware families FireEye began newly tracking in 2020, the top five categories were backdoors (36%), downloaders (16%), droppers (8%), launchers (7%) and ransomware (5%). The vast majority were not publicly available: 81% of newly tracked malware families were non-public; just 19% were publicly available.
The tool most commonly observed was “BEACON”, a backdoor that is commercially available as part of the Cobalt Strike software platform and widely used for penetration-testing network environments. (The other four were Empire: a PowerShell post-exploitation framework; Maze, a ransomware family; Netwalker, another ransomware family; and Metasploit, another widely used penetration testing platform.)
The majority of newly tracked malware families meanwhile ran only on Windows. Just 8% and 3% of newly tracked malware families were effective on Linux and macOS, respectively.
4: Threat techniques: Hackers love PowerShell
FireEye maps attacks against the MITRE ATT&CK framework, down to its sub-techniques. The resulting findings make an intriguing read and an important one for Blue Teams, not least for how they reveal that T1190 (Exploit Public-Facing Application) is the first and most successful port of call for attackers. (Think SQL injection, abuse of unpatched RCEs like those in Oracle WebLogic, Pulse Secure VPN and Citrix, and breaking through applications with weak security.)
Microsoft’s task automation and configuration management framework PowerShell (ATT&CK T1059.001) is meanwhile beloved by attackers as a convenient interface for enumerating and manipulating a host after the adversary has gained initial code execution. As FireEye Mandiant’s 2021 M-Trends report notes, it was used in over 44% of all tracked attacks. The company notes that adversaries take advantage of whatever is already available in a victim’s environment (“living off the land”), including Windows services (used in 31% of intrusions) and Remote Desktop (25% of intrusions).
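Because PowerShell is already on every Windows host, the defender’s counter is visibility rather than removal. The following is an added example, not code from the M-Trends report or from FireEye: it switches on Script Block Logging and Module Logging through the registry values the corresponding Group Policy settings write, then hunts the resulting Event ID 4104 records for strings common in offensive tooling and decodes any `-EncodedCommand` payload it finds. The `$suspicious` list is a hypothetical starting point, not a complete ruleset; run it elevated on Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the M-Trends report): make T1059.001 activity visible, then hunt it.
# Assumes Windows PowerShell 5.1+ and an elevated session.

# 1. Enable Script Block Logging and Module Logging via the registry values that the
#    Group Policy settings write. In production, set these through GPO so they stay enforced.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$mod = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord
New-Item -Path "$mod\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path $mod -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$mod\ModuleNames" -Name '*' -Value '*' -Type String

# 2. Helper: -EncodedCommand arguments are base64 over UTF-16LE, not UTF-8.
function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Base64)
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}

# 3. Hypothetical hunt list: strings rare in admin scripts but constant in offensive
#    tooling (Empire and Cobalt Strike stagers, download cradles, AMSI bypasses).
$suspicious = @(
    'FromBase64String', 'DownloadString', 'Invoke-Expression', 'IEX',
    'Net.WebClient', 'Invoke-Mimikatz', 'AmsiUtils', 'amsiInitFailed',
    '-ExecutionPolicy Bypass', '-WindowStyle Hidden', '-NoProfile -NonInteractive'
)

# 4. Pull the last 24 hours of script block events from the Operational log.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # 4104 EventData order: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path
    $script = [string]$e.Properties[2].Value
    $hit    = $suspicious | Where-Object { $script -match [regex]::Escape($_) } | Select-Object -First 1

    # Decode an embedded -e / -enc / -EncodedCommand argument so the analyst sees the real command.
    $decoded = $null
    if ($script -match '-e[a-z]*\s+([A-Za-z0-9+/=]{20,})') {
        try { $decoded = ConvertFrom-EncodedCommand $Matches[1] } catch { $decoded = '<not valid base64>' }
    }

    if ($hit -or $decoded) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Pattern = $hit
            Path    = $e.Properties[4].Value
            Snippet = $script.Substring(0, [Math]::Min(120, $script.Length))
            Decoded = $decoded
        }
    }
}
```

Two caveats: script block logging only covers the PowerShell 5.x engine, so attackers that downgrade to the 2.0 engine leave no 4104 events (remove it with `Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root`), and the 4104 log grows quickly, so forward it to a SIEM rather than relying on the local event log.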
5: Defenders: Harden up
Skipping down to page 41 of FireEye Mandiant’s 2021 M-Trends report might be useful for security teams.
Some crisp guidance on hardening environments includes the note that too often Mandiant teams see large numbers of highly privileged accounts in Active Directory; “highly privileged non-computer accounts configured with service principal names (SPNs)” (any domain user can request a service ticket for such an SPN and crack the privileged account’s password offline, i.e. Kerberoasting); “security controls not configured to minimize the exposure and usage of privileged accounts across endpoints”; and attackers able to modify Group Policy Objects for ransomware deployment.
Tips for reducing credential exposure on endpoints include:
Disabling methods that store clear-text credentials in memory on endpoints (such as WDigest and Windows Credential Manager). (“This also includes using a Group Policy configuration to automatically reapply these settings if they were to be modified on the local endpoint by an attacker”)
Enforcing Credential Guard and Remote Credential Guard on Windows 10 and Windows Server 2016+ endpoints; using Microsoft LAPS or other third-party tools to randomise the password for the built-in local administrator account on endpoints; and implementing a tiered model to guide enforcement of guardrails that define where and how privileged accounts can be used.
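To turn that list into something an endpoint can be measured against, the following is an added example (not code from the report or from FireEye): it audits a host for the three items above, WDigest plaintext caching, Credential Guard and a LAPS deployment, and enforces the one that is a plain registry setting. The function names are this example’s own; it assumes Windows 10 / Server 2016+ and an elevated session.

```powershell
# Added example (not from the M-Trends report): audit an endpoint against the hardening items
# above and set the one registry value that can be enforced locally. Run elevated.

$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Test-WDigest {
    # With UseLogonCredential = 1, LSASS keeps plaintext passwords that Mimikatz can read.
    # Windows 8.1 / 2012 R2+ default to 0, but attackers flip it back, so check explicitly
    # and treat "absent" as pass only because the OS default is 0 on supported versions.
    $v = (Get-ItemProperty -Path $WDigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    [pscustomobject]@{ Check = 'WDigest UseLogonCredential'; Value = $v; Pass = ($null -eq $v -or $v -eq 0) }
}

function Set-WDigestOff {
    # Explicitly writing 0 beats relying on the default; GPO should re-apply it, as the report
    # advises, so a local change by an attacker is reverted at the next policy refresh.
    New-Item -Path $WDigestKey -Force | Out-Null
    Set-ItemProperty -Path $WDigestKey -Name UseLogonCredential -Value 0 -Type DWord
}

function Test-CredentialGuard {
    # Win32_DeviceGuard.SecurityServicesRunning contains 1 when Credential Guard is running
    # (2 is HVCI). Configured-but-not-running shows up in SecurityServicesConfigured instead.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $running = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)
    [pscustomobject]@{ Check = 'Credential Guard running'; Value = ($dg.SecurityServicesRunning -join ','); Pass = [bool]$running }
}

function Test-LapsInstalled {
    # Legacy Microsoft LAPS ships as the AdmPwd client-side extension; Windows LAPS is built in
    # on current Windows and exposes a 'LAPS' PowerShell module. Either satisfies the check.
    $legacy = Test-Path "$env:ProgramFiles\LAPS\CSE\AdmPwd.dll"
    $native = [bool](Get-Module -ListAvailable -Name LAPS)
    [pscustomobject]@{ Check = 'LAPS present'; Value = "legacy=$legacy native=$native"; Pass = ($legacy -or $native) }
}

$results = @(Test-WDigest; Test-CredentialGuard; Test-LapsInstalled)
$results | Format-Table -AutoSize

# Enforce what can be enforced here; the other two need a policy or an installer.
if (-not (Test-WDigest).Pass) { Set-WDigestOff }
```

Credential Guard itself is enabled through the “Turn On Virtualization Based Security” policy under Computer Configuration > Administrative Templates > System > Device Guard, and Remote Credential Guard only protects a session when the client connects with `mstsc.exe /remoteGuard`; the audit above tells you whether the protection is actually running, which is the question an incident responder asks first.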
Many attackers use freely available tools like BloodHound to map attack paths through Active Directory. Blue Teams and IT can run the same tools to find and cut those paths first.