M-Trends 2020

Behind the Scenes: Crimeware Trend Analysis and Reporting

Several FireEye teams work constantly throughout the year analyzing frontline data and researching threat actor activity. The work they undertake is vital to the quality of intelligence we provide. Recently, The Vision caught up with Kimberly Goody (Senior Manager, Threat Intelligence) to learn more about how the Crimeware As A Service chapter in M-Trends 2020 was brought to life.

What is your role in compiling the M-Trends report?

On the Financial Crime Team we look at what the actors are doing on victim networks through the incident response data and how they're monetizing these intrusions on forums or marketplaces. My role is to bring these two things together for a full view of the ecosystem for M-Trends.

Who is M-Trends intended for?

M-Trends is for everyone. That might sound cliché, but there is a lot of diversity in the report from higher-level breach trends to new developments illustrated by case studies. I refer to this report frequently throughout the year before briefings and use the graphics in meetings.

How do you collect the data used in the report?

One of the things that I love about working at FireEye is that we have such a variety and scale of data at our disposal. Every day, we analyze information from places such as underground forums and marketplaces, automated collection systems for malware and incident response engagements.

The main question we ask ourselves is, “Where can we add value by marrying our different sources of data together to provide a more complete picture of the story?”

Once we find a topic that's interesting, we go to each of these sources and look for relevant data that we’ve collected throughout the year. Sometimes we have already analyzed the data, so we can build directly on that previous work. For example, one of our interns did a project over the summer looking at the sale of illicit accesses in underground forums that we were able to build on for M-Trends.


How many people are involved in the process and who are they?

Many teams put in a lot of hard work to make this report a reality. To offer some perspective, the articles we wrote would probably not have been possible if it weren’t for the work of our Intelligence Research and Collection, Consulting, Adversary Pursuit, and Managed Defense teams throughout the year. It really is a true team effort.

What is the most challenging aspect about compiling the report?

One of the articles we worked on this year looked at the role of cyber criminal communities in breaches. In this case, we didn’t want to just say, “Here is what happened to a victim.” We wanted to tell the story outside of the victim environment. Who sold the malware to the attacker? What did the attacker do with the stolen data?

While these are questions that we have hopefully answered already throughout the year, it can be a real challenge because actors aren’t using the names you gave them or even the names you gave to their tools. It can be a bit like finding a needle in a haystack.

What do you enjoy most about compiling the report?

M-Trends is a lot of work, but it forces us to look back at what we did over the year. It is easy to lose sight of the bigger picture when you are in the trenches every day. So, I appreciate the opportunity to take a step back and widen my perspective.

M-Trends 2020 contains a host of new information, helping to arm security professionals with details on the latest attacks and threats.