Last week Mandiant produced their report entitled ‘Mandiant APT1 report’ that was widely covered by global media and essentially exposed a ring in China allegedly responsible for APT attacks. To many, this in itself is startling news and there have been many stories pointing the finger at hackers in China.
However, on reading the report, one statistic stands out: how long APT1 remained inside the organizations it compromised. We know from the 2012 Verizon Data Breach Report that compromise happens much faster than companies can discover it. Security tools are slow, lack visibility, and are too often perimeter- and signature-based, so they fail to detect the presence of attacker activity. Here’s a quote from the report:
“APT1 maintained access to victim networks for an average of 356 days. The longest time period APT1 maintained access to a victim’s network was 1,764 days, or four years and ten months.”
The challenge for all organizations is that they rely on obsolete technology or signature-based detection systems that are simply not adequate for these types of attacks.
Disparate security tools are unable to identify and investigate advanced attacks in a timely manner, and SIEM tools have either speed or smarts, but never both. Furthermore, numerous blind spots combined with a large window of risk from an attack allow attackers too much free time on the network. Organizations must set a target for reducing the ‘free time’ or ‘dwell time’ in an APT attack; early detection and remediation will minimize the damage. Proving compliance also costs too much and takes resources away from improving security against targeted attacks, and we all know that being compliant doesn’t translate to being secure.
Until companies change the status quo and implement Intelligence-Driven security models we will continue to see compromises over long periods of time without companies even realizing they are hosting cybercriminals in their infrastructures. Final thought – Did the company that had APT1 in their network for 4 years and 10 months actually find the attack and stop it? Or did the attackers just get bored? My money is on the latter.