Mandiant M-Trends Report from FireEye reveals positive and negative trends

The Mandiant M-Trends Report shares statistics and insights gleaned from Mandiant investigations around the globe in 2018

A new report reveals both good and bad news about emerging cybersecurity trends. Mohammed Abukhater, Vice President – MEA at FireEye, gives us the lowdown on decreasing detection times, evolving threats from nation-states and increased attacks during M&A activity.

FireEye, the intelligence-led security company, has released the Mandiant M-Trends 2019 Report. The report shares statistics and insights gleaned from Mandiant investigations around the globe in 2018.

Key findings include:

  • Dwell time decreasing as organisations improve detection capabilities – In 2017, the median duration between the start of an intrusion and the identification by an internal team was 57.5 days. In 2018 this duration decreased to 50.5 days. While organisations are getting better and faster at discovering breaches internally, rather than being notified by an outside source such as law enforcement, there has also been a rise in disruptive, ransom or otherwise immediately visible attacks. The global median dwell time before any detection, external or internal, has also decreased by more than a month – going from 101 days in 2017 to 78 days in 2018. The same measurement was as high as 416 days back in 2011.
  • Nation-state threat actors are continuing to evolve and change – Through ongoing tracking of threat actors from North Korea, Russia, China, Iran, and other countries, FireEye has observed these actors continually enhancing their capabilities and changing their targets in alignment with their political and economic agendas. Significant investments have provided these actors with more sophisticated tactics, tools, and procedures, with some becoming more aggressive, and others better at hiding and staying persistent for longer periods of time.
  • Attackers are becoming increasingly persistent – FireEye data provides evidence that organisations which have been victims of a targeted compromise are likely to be targeted again. Global data from 2018 found that 64% of all FireEye managed detection and response customers who were previously Mandiant incident response clients were targeted again in the past 19 months by the same or similarly motivated attack group, up from 56% in 2017.
  • Many attack vectors used to get to targets, including M&A activity – Attacker activity touches countries across the globe. Among them, FireEye observed an increase in compromises through phishing attacks during mergers and acquisitions (M&A) activity. Attackers are also targeting data in the cloud, including cloud providers, telecoms, and other service providers, in addition to re-targeting past victim organisations.
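
The dwell-time figures above rest on one definition: days between the estimated start of an intrusion and the date it was identified, split by whether the identification came from an internal team or an external party. The following Python is an added illustration, not code from FireEye or the report, of how a security team could compute the same metrics from its own incident records. All case IDs and dates are constructed sample data, not figures from the report.

```python
"""Compute M-Trends-style dwell-time metrics from incident records.

Dwell time = days between estimated intrusion start and identification.
Each record also carries the detection source ("internal" or "external"),
so the internal-only median and the overall median can be compared the way
the report does. The sample rows below are constructed, not real cases.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Iterable, List, Optional, Sequence, Tuple

VALID_SOURCES = ("internal", "external")


@dataclass(frozen=True)
class Incident:
    case_id: str
    intrusion_start: date
    identified: date
    detection_source: str

    def __post_init__(self) -> None:
        # Reject records that would silently skew the median.
        if self.detection_source not in VALID_SOURCES:
            raise ValueError(f"{self.case_id}: unknown detection source {self.detection_source!r}")
        if self.identified < self.intrusion_start:
            raise ValueError(f"{self.case_id}: identification precedes intrusion start")

    def dwell_days(self) -> int:
        return (self.identified - self.intrusion_start).days


def load_incidents(rows: Iterable[Tuple[str, str, str, str]]) -> List[Incident]:
    """Parse (case_id, start ISO date, identified ISO date, source) rows,
    e.g. as exported from a case-management system (hypothetical format)."""
    return [
        Incident(case_id, date.fromisoformat(start), date.fromisoformat(found), source)
        for case_id, start, found, source in rows
    ]


def median_dwell(incidents: Sequence[Incident], source: Optional[str] = None) -> Optional[float]:
    """Median dwell time in days, optionally restricted to one detection source."""
    days = [i.dwell_days() for i in incidents if source is None or i.detection_source == source]
    return float(median(days)) if days else None


def internal_detection_share(incidents: Sequence[Incident]) -> Optional[float]:
    """Fraction of incidents discovered by the organisation's own team."""
    if not incidents:
        return None
    internal = sum(1 for i in incidents if i.detection_source == "internal")
    return internal / len(incidents)


def dwell_report(incidents: Sequence[Incident]) -> dict:
    """The three numbers the report headlines, for a set of incidents."""
    return {
        "overall_median_days": median_dwell(incidents),
        "internal_median_days": median_dwell(incidents, "internal"),
        "external_median_days": median_dwell(incidents, "external"),
        "internal_share": internal_detection_share(incidents),
    }


# Constructed sample rows (case_id, intrusion start, identified, detection source).
SAMPLE_ROWS = [
    ("C-001", "2018-01-01", "2018-02-10", "internal"),  # 40 days
    ("C-002", "2018-02-01", "2018-03-25", "internal"),  # 52 days
    ("C-003", "2018-04-10", "2018-06-14", "internal"),  # 65 days
    ("C-004", "2018-03-05", "2018-07-23", "external"),  # 140 days
    ("C-005", "2018-05-20", "2018-08-22", "external"),  # 94 days
]
SAMPLE_INCIDENTS = load_incidents(SAMPLE_ROWS)

if __name__ == "__main__":
    for key, value in dwell_report(SAMPLE_INCIDENTS).items():
        print(f"{key}: {value}")
```

Splitting the median by detection source matters because the two populations differ: a breach reported by an outside party has, by definition, already been visible outside the organisation, so the external median tends to run longer and the overall figure blends the two.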

We asked Mohammed Abukhater, Vice President – MEA at FireEye, further questions about the report.

The report says in 2018 the median duration between the start of an intrusion and its identification by an internal team was 57.5 days. This has been decreasing in recent times. Why is this?

The dwell time usually is a sign where we ask ‘is this organisation mature enough to detect and contain a breach?’ I see the decrease (in time taken to detect a breach) as the biggest positive in our M-Trends Report for the past year.

The other fact we need to highlight is 60% of the breaches were discovered by internal teams rather than external ones. There has been a shift from 2011 year on year. You can see there has been a big increase in terms of detection by the internal team.

This could be related to many reasons; one is the increase in the maturity of organisations in different aspects, one being process – they have enhanced their processes in terms of handling breaches.

Another factor is the investment in talent. More organisations tend to hire talented resources who specialise in cybersecurity. Some of the countries in the Gulf area tend to hire local or national resources to keep the confidentiality of the data and they have invested heavily since the beginning of 2018 in training their local nationals.

Should organisations take comfort from the fact that there are third-party organisations detecting data breaches?

Countries across the globe have started to establish entities owned by the government to look after national cybersecurity.

These are what we call the external or third-party agencies or entities. In the past year we have noticed countries in the Middle East, or more specifically in the GCC, have built an entity to manage the national cybersecurity strategy, and they managed to create many restrictions, especially for government organisations or organisations that will have an impact on national productivity or national security.

This is good. I feel that this has given comfort to organisations to see that each government can give guidelines on how to tackle the shift in the sophistication of cyberattacks. But if you look to me as a cyber-specialist, I don’t think this is really something we should take comfort from.

In reality we still need third-party agencies to help identify these attacks and notify organisations. But we hope that this should decrease as much as possible so we reach a point where we don’t need a third-party agency any more to notify other organisations about data breaches.

This is because if they are notified by a third-party agency this means they are already exposed, which means it’s too late. So I don’t think organisations should take comfort if they are notified by a third-party agency that their data is exposed.

The report mentions nation-state threat actors. In recent years how have they become more aggressive and persistent?

In 2018 we saw more attacks that were made public and attributed to nation states like the Iranian group that is believed to be linked to the Iranian Government or the Chinese group that we believe is linked to the Chinese government.

Such groups have managed to secure huge funds in terms of money and logistics from governments that help them to upscale their skills. This has helped the groups to specialise and go after certain targets so they can have a focus on different industries.

We heard about the attacks on the aviation sector, the attacks on the banks, and other attacks that went after specific needs, either to affect a certain deal that might happen or affect the operations of a country so it could help a military strike or things like that.

So that’s really a good reason why we see more sophistication from those bodies as they are getting more sponsored from governments.

Are the main threat actors Iran, China, North Korea and Russia?

Yes. These are the most active countries. As FireEye and the consultants from the Mandiant team have found, most of the time many of the threat actors are linked to these countries.

Are any countries in the Middle East particularly under threat?

Actually no. Every Middle East country has been targeted in the past year. But there are many attacks that are not announced to the public due to sensitivity or due to the culture so no one has been immune from the attacks in 2018.

The report says organisations which have been victims of a targeted compromise are likely to be targeted again. Why is this?

If you were breached once, this means that someone was inside your organisation. From our experience, when most of the hackers get into a network they don’t rely on one way of getting inside the victim network, so they always leave a way back inside those organisations.

If an organisation is targeted it means it is important whether that’s financially, industrially or politically. This means another group could come with a new technique to get inside this network too to get additional information or get money.

If you look at the history you will find that most of the banks in the region were targeted many times in many different ways so sometimes they will try and compromise their money transfer system or try another technique that will lead to denial of service. These things are a motive for all of these hackers to come back and get inside the network.

Another fact that I want to highlight here is that as we progress into emerging technologies like blockchain and AI, these are lacking security measures and they will take time to mature from a security point of view, and this will help hackers.

Why is there an increase in phishing attacks during mergers and acquisitions (M&A) activity?

When you look at the mergers or the acquisitions that have happened, they are usually very large organisations that acquire smaller organisations. They are not all at the same security level.

We need to look at the reasons for acquisitions and mergers. Some of them are for financial reasons, some of them are for technology reasons. Some government organisations, for example, acquire a technology organisation so they can have an in-house service.

This gives hackers, one way or another, an opportunity to get into the mother company. In the smaller company you could have employees who are not at the same level of maturity. The easiest way to reach those people is by email.

From one to three years following the merger, there is an opportunity for hackers to utilise a lack of sync between the two organisations to get inside the network. One click on a phishing email and the hacker can get inside an organisation.

Why is data in the cloud being targeted?

If you go back to why people go to the cloud, it is to have many things in one place which is accessible by many people. That is the origin of having a third-party host for an organisation’s data, so its mobile users and multi-branch offices can reach the same place at minimal cost and at the same time.

The problem with cloud security is the hosts are usually not at the same level of security. The cloud is still breachable by hackers because not all cloud infrastructure is 100% secure. A lot of the cloud providers do not have a security background, they have a storage background, so this helps the hackers.

The other thing is cloud means a lot of things. Cloud means a lot of data which means it is a juicy target for the hackers to go inside those networks where they can get the data easily.

Many cloud providers have third, fourth or even fifth party bodies that are engaged in building their infrastructure. Some of the breaches that happen are through one of their third-party bodies.
