One of Mandiant's jobs is to conduct security forensic investigations for companies. In 48 of the last 50 investigations it conducted, the businesses involved didn't know they had suffered a breach until a law enforcement agency informed them.
Advanced attacks, once reserved for government agencies, now see use with greater frequency against businesses, Mandiant Chief Executive Kevin Mandia testified before a House Intelligence Committee. Attackers have also become expert at using malware to compromise legitimate networks, then using them to launch botnet-driven attacks against other targets.
In addition, attackers are getting better at routing around known security defenses.
“We routinely witness attackers circumvent conventional safeguards deployed to prevent and detect security breaches,” Mandia said. “Virtually all of these intrusions belong to the growing subset of advanced threats that usually evade off-the-shelf technologies that American corporations rely upon — oftentimes exclusively — for their defense.”
That combination of factors can help explain why businesses have been getting worse at detecting breaches.
“I’ve been tracking how organizations detect that they’ve had a breach since 1998,” Mandia said. Initially, businesses spotted on their own that they'd been attacked. But by 2004, he said, attack-detection rates had declined, with only 20% of businesses spotting that they'd been hacked. Based on recent breaches, the detection rate has fallen to just 4%.
Why are law enforcement agencies spotting so many breaches, while businesses remain in the dark?
“During normal law enforcement tradecraft, the FBI in particular is learning so much about the adversary that they’re seeing downstream victims. And each military branch is doing it as well. The Air Force, Army, and Navy are also learning a lot more about the threats than the private sector is,” Mandia said. Primarily, he sees the FBI, as well as the Defense Criminal Investigative Service (DCIS) and the Naval Criminal Investigative Service (NCIS), reaching out to inform businesses they’ve been hacked.
Law enforcement agencies are alerting businesses they have suffered a breach more frequently these days. “It’s often the case now that the FBI is informing people that they’ve been victimized, rather than victims coming to the FBI,” said Steven Chabinsky, deputy assistant director of the FBI’s cyber division.
For businesses to better resist these attacks, they’d ideally have access to the threat intelligence produced by government agencies. But such information-sharing today is virtually nonexistent. “Let me be clear: This stuff is overprotected. It is far easier to learn about physical threats to the U.S. from U.S. government agencies than it is to learn about cyber threats,” Michael Hayden, a former director of both the CIA and NSA, told the committee.
“Basically the private sector is hemorrhaging intellectual property now based on a series of online intrusions, and they can’t do anything about it,” Mandia said.