MANDIANT CONSULTING
M-TRENDS 2016 EMEA EDITION
SPECIAL REPORT / JUNE 2016

AUTHORS
Bill Hau
Matt Penrose
Tom Hall
Matias Bevilacqua

SPECIAL REPORT / M-TRENDS EMEA EDITION 2016

INTRODUCTION

Since 2010, Mandiant, a FireEye company, has revealed trends, statistics and case studies of cyber attacks involving advanced threat actors. Mandiant Consulting responded to some of the most high-profile breaches in Europe, the Middle East and Africa (EMEA) in 2015. During this time we collected and analysed statistics and attacker trends from our investigations.

This is the first M-Trends report focused on the EMEA region. It aims to empower organisations and the security community with knowledge of the unique challenges that advanced attackers pose in the region, so that you can improve your security posture.

The attack lifecycle model, depicted below, shows the typical phases of an attack. During a breach, an attacker will usually infect a machine, move laterally within the environment and establish persistence; this eventually leads to completing the mission, usually by stealing sensitive data.

This report drills down into the statistics collected during our investigations to give a perspective on the risks faced by organisations in this region. We will review how our clients discover breaches in the first place, how attackers typically stay hidden in victim environments, how attackers move within a compromised network and how they steal data. The report will then analyse some of the key data points from the previous year and provide guidance on improving any organisation's security posture.
Figure 1: Attack lifecycle model complemented with classic attacker techniques

Initial Compromise
• Social engineering
• Internet-based attack
• Via service provider

Establish Foothold
• Custom malware
• Command and control
• Web-based backdoor

Escalate Privileges
• Credential theft
• Password cracking
• "Pass-the-hash"

Internal Recon
• Critical system recon
• System, Active Directory and user enumeration

Lateral Movement
• Password re-use
• Net use commands
• Reverse shell access

Maintain Presence
• Backdoor variants
• VPN subversion
• Sleeper malware
• Account abuse
• Service provider

Complete Mission
• Staging servers
• Data consolidation
• Data theft

CONTENTS

Introduction 2
Executive Summary 4
By the numbers 5
  What are the challenges? 5
  What did Mandiant Consulting observe during investigations? 5
Breach notification 8
  What is a breach notification? 8
  What is the challenge? 8
  What did Mandiant Consulting observe during investigations? 9
Attack vectors 10
Persistence mechanisms 11
  What is persistence? 11
  What is the challenge? 11
  What did Mandiant Consulting observe during investigations? 12
  Backdoors 12
  Web shells 12
  VPN 12
Lateral movement 13
  What is lateral movement? 13
  What is the challenge? 13
  What did Mandiant Consulting observe during investigations? 13
Information stolen 14
  What is information stealing? 14
  What is the challenge? 14
  What did Mandiant Consulting observe during investigations? 14
Steps to improve your security posture 16
  Checking for evidence of compromise 16
  Responding to a security breach 16
Glossary of terms 17

EXECUTIVE SUMMARY

In February 2016, we released our annual M-Trends report, which took a macro look at trends and statistics from the breaches we responded to in 2015 from around the world. This document takes a micro look at the Europe, Middle East and Africa (EMEA) breaches.
The key observations we made for EMEA were:

• The median time to discovery of an attack was 469 days after the initial compromise, versus a global median of 146 days.
• Organisations discovered breaches internally 88% of the time, versus a global average of only 47%.
• Breach notifications by law enforcement agencies or government entities occurred far less often in EMEA than we see elsewhere in the world.
• Mandiant Consulting was engaged by many organisations that had already conducted forensic investigations (internally or using third parties) but had failed to eradicate the attackers from their environments.

These observations make it clear that organisations in EMEA should focus on enhancing their overall s