Recently you may have heard comments to the effect that “Every major company in the United States has already been penetrated by China,” or “there are two kinds of Fortune 500 companies: those that know they’ve been hacked, and those that don’t yet know”. I thought it might be helpful to share Mandiant’s perspective based on the incident response work we do for our product and professional services customers.
To provide our perspective we need to define a few terms. I’m going to speak using the mind of an enterprise defender. First we need to understand what “hacked” means. One could take a very specific and Advanced Persistent Threat (APT)-centric approach and define “hacked” as “suffering a persistent compromise by actors who actively maintain one or more footholds in an enterprise.” In other words, intruders have continuous access to one or more enterprise systems; defined threat groups can come and go as they please at this very moment. Let us call that “Hacked A.”
One could also take a different approach to defining “hacked” as “a condition during which at least one intruder executed unauthorized malicious code on an enterprise system, or otherwise gained unauthorized access to data, at least once during the course of the past 12 months.” (The 12 month figure is arbitrary, but in my days as a Director of Incident Response I usually spoke to executives in those terms.) Let us call this scenario “Hacked B.”
Based on these definitions and Mandiant’s experience, we can say that approximately 30-40% of the Fortune 500 could bear the label “Hacked A.” If we instead use the “Hacked B” label, that rises to 100%.
Let us briefly address the China comment specifically. Chinese intruders come in different forms. If we chose to think in terms of APT actors, and define “major company” as a Fortune 500 member, then we can use the same 30-40% figure. In other words, our case work and interactions with peers in the field does not support the idea that all Fortune 500 companies are victims of Chinese/APT groups.
Is it possible we are undercounting the 30-40% figure? It is possible, yes. However, at least one of our Fortune 500 Threat Assessment Program engagements in the last 12 months did not identify APT actors in the enterprise being assessed. To be fair, that organization was doing a proactive assessment, i.e., no outside party had notified it that the APT was a problem. Also, that organization did not fit the profile for Chinese APT activity – its industry did not match the named strategic objectives of the Chinese government.
In conclusion, it is important to remember that the Internet can be a dangerous place, but I also recommend keeping a balanced outlook.