When I joined Mandiant earlier this year, I was given the opportunity to help write our annual M-Trends report. This is the third year Mandiant has published the report, which is a summary of the trends we’ve observed in our investigations over the last twelve months.

I read Mandiant’s first M-Trends report when it came out in 2010 and recall being surprised that Mandiant didn’t pull any punches. They talked about the advanced persistent threat, or APT (they had been using that term for several years, long before it was considered a cool marketing buzzword), and they were open about the origin of the attacks. The report summarized what I’d been seeing in industry and offered useful insights for detection and response. Needless to say, I enjoyed the opportunity to work on the latest version.
This year’s report details six trends we identified in 2011. We developed the six trends for the report very organically. That is, I spent quite a few days and nights reading all of the reports from our outstanding incident response team and wrote about what we saw; we didn’t start with trends and then look for evidence to support them. If you haven’t picked up a copy of the report yet, you can do so here.

I will be blogging on each of the six trends over the next two weeks; you can even view the videos we’ve developed for each trend as each blog post is published:
Malware Only Tells Half the Story.

Of the many systems compromised in each investigation, about half of them were never touched by attacker malware. In so many cases, the intruders logged into systems and took data from them (or used them as a staging point for exfiltration), but didn’t install tools. It is ironic that the very systems that hold the data targeted by an attacker are probably the least likely to have malware installed on them. While finding the malware used in an intrusion is important, it is impossible to understand the full scope of an intrusion if this is the focal point of the investigation. We illustrate actual examples of this in the graphical spread on pages 6-7 of the report.
What does this mean for victim organizations? You could start by looking for malware, but don’t end there! A smart incident response process will seek to fully understand the scope of compromise and find all impacted systems in the environment. This could mean finding the registry entries that identify lateral movement, traces of deleted .rar files in unallocated space, or use of a known compromised account. It turns out that Mandiant has a product that does all of this, but the footnote on page 5 is the only mention you’ll see in the entire report (and even that was an

Thoughts and questions about this trend or the
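Two of the scoping checks listed above (carving the headers of deleted .rar archives out of unallocated space, and mapping every host a known-compromised account reached) can be sketched in a few dozen lines. The following is an added example written for this post; it is not code from the M-Trends report or from any Mandiant product. The byte blob standing in for unallocated space and the logon records are constructed, and the logon line format is hypothetical (loosely modelled on Windows logon events, where type 3 is a network logon and type 10 a remote interactive one).

```python
# Added example, not Mandiant code: two scoping checks over constructed data.
import re
from collections import defaultdict

# RAR archive signatures: RAR 1.5-4.x marker block and RAR 5.x marker block.
RAR_SIGNATURES = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")


def carve_rar_offsets(blob: bytes) -> list:
    """Return sorted byte offsets of every RAR header found in raw bytes.

    The blob stands in for an unallocated-space extract: a deleted archive
    loses its directory entry, but its header bytes usually remain on disk.
    """
    offsets = set()
    for sig in RAR_SIGNATURES:
        start = 0
        while (idx := blob.find(sig, start)) != -1:
            offsets.add(idx)
            start = idx + 1
    return sorted(offsets)


# Constructed "unallocated space": filler bytes with two RAR headers inside.
# The bytes after each signature are arbitrary filler, not real archive data.
UNALLOCATED = (
    b"\x00" * 64
    + b"Rar!\x1a\x07\x00" + b"\x90\x73\x00\x00"       # RAR4 marker at offset 64
    + b"\xff" * 100
    + b"Rar!\x1a\x07\x01\x00" + b"\x33\x92\xb5\xe5"  # RAR5 marker at offset 175
    + b"\x00" * 32
)

# Hypothetical logon record format (constructed for this example).
LOGON_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"type=(?P<type>\d+) src=(?P<src>\S+)$"
)

# Constructed sample records: "jdoe" is the account known to be compromised.
SAMPLE_LOGONS = """\
2011-06-01T02:11:05Z host=WKS-017 user=jdoe type=2 src=-
2011-06-01T02:14:40Z host=FS-01 user=jdoe type=3 src=10.1.4.17
2011-06-01T02:15:02Z host=FS-01 user=svc_backup type=3 src=10.1.2.9
2011-06-01T02:20:19Z host=DB-02 user=jdoe type=10 src=10.1.4.17
2011-06-01T02:41:55Z host=WEB-03 user=jdoe type=10 src=10.1.4.17
2011-06-01T03:05:00Z host=FS-01 user=jdoe type=3 src=10.1.4.17
""".splitlines()

# Logon types that mean the account was used to reach another system.
REMOTE_LOGON_TYPES = {"3", "10"}


def hosts_reached_by(account: str, log_lines) -> dict:
    """Map host -> sorted (timestamp, logon type, source) tuples for remote logons by account."""
    reached = defaultdict(list)
    for line in log_lines:
        m = LOGON_RE.match(line)
        if not m or m["user"] != account or m["type"] not in REMOTE_LOGON_TYPES:
            continue
        reached[m["host"]].append((m["ts"], m["type"], m["src"]))
    return {host: sorted(events) for host, events in reached.items()}


def scope_compromise(compromised_accounts, log_lines, rar_blob: bytes) -> dict:
    """Combine both checks into one summary of what the investigation must cover."""
    hosts = set()
    for account in compromised_accounts:
        hosts.update(hosts_reached_by(account, log_lines))
    return {
        "hosts_via_account_use": sorted(hosts),
        "rar_header_offsets": carve_rar_offsets(rar_blob),
    }


if __name__ == "__main__":
    print(scope_compromise(["jdoe"], SAMPLE_LOGONS, UNALLOCATED))
```

Neither check depends on any malware having been found: the three hosts the compromised account reached, and the two archive headers left behind in unallocated space, are exactly the kind of evidence that puts systems in scope even when no tool was ever installed on them.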