This document discusses Mandiant's incident response methodology and technology. It covers their evolution of incident response approaches over time from disk forensics to memory forensics to live response. Mandiant's current approach involves hunting across endpoints and networks using indicators of compromise to identify compromised systems. They deploy network and host sensors to gain visibility and conduct deep analysis using tools like Mandiant Incident Response and Network Traffic Analysis Platform. The document also outlines Mandiant's incident response services and how they help organizations understand risk, identify compromises, and prepare for future incidents.
Key Points:
There are 7 major phases to a targeted attack.
1. The initial compromise typically begins with a victim clicking on a link or attachment in a spear phishing e-mail.
2. After the initial compromise the attacker creates back doors and establishes a foothold in the environment.
3. Very quickly the attacker steals valid credentials. At this point they blend in and it’s difficult to tell them apart from legitimate users.
4. Now the attacker begins to survey the network to identify the data they are trying to steal.
5. As they perform reconnaissance, they move laterally to other parts of the network in search of their target data.
6. As they move laterally they deploy additional backdoors and persistence mechanisms so that losing any one foothold does not cost them access.
7. Once they have identified their target data they package it up (typically staged and compressed) and exfiltrate it.
I mentioned before that the attackers’ objectives are long-term occupation.
The typical organization Mandiant responded to in the last year had been compromised for a median of 229 days before the intrusion was detected.
In 1984 the FBI launched a Computer Analysis and Response
In 1987 AccessData, the maker of FTK, was founded.
In 1997 Guidance Software was founded.
In 1998 Guidance Software launched EnCase.
In 2004, Michael Ford introduced memory forensics into security investigations with an article in SysAdmin Magazine.
In 2005, DFRWS issued a Memory Analysis Forensics Challenge.
Talk about scoping, DO NOT TALK ABOUT SYSTEMS WITH TOOLS, BACKDOORS, ACCESSED ETC NOT BEING THE SAME.
An indicator-driven sweep may not find every compromised system, but it will find more than the systems initially known to be affected.
This slide represents the incident response and preparedness cycle. It captures our core mission and summarizes everything Mandiant consulting does by mapping it against the different phases and stages our clients go through. It highlights the completeness of our portfolio while showing how everything we do ties back to our core capabilities around IR. It highlights how organizations continuously need to ask themselves questions such as "Am I prepared?" and "Am I compromised?" as the threat landscape continues to evolve. Given this rapidly evolving threat landscape, organizations require a trusted party to assist with the different stages of the IR and preparedness cycle.
We provide organizations peace of mind in helping them protect their most critical assets, reducing cost in case of an incident and reducing risk of a future incident. We provide them with a deep understanding of attacker behavior, exceptional visibility in the rapidly evolving threat landscape and the technology to respond and defend with speed, scale, and efficiency.
Answers the question "am I compromised?" Grants companies access to Mandiant's premier investigative consultants and FireEye's technology and intelligence. Organizations should ideally have a compromise assessment performed on their environment yearly. Some companies choose to have compromise assessments performed on all companies they acquire or merge with prior to connecting the environments. Other companies choose to have a compromise assessment performed because a breach in their business sector (e.g. government, retail, financial, healthcare, mining) made headlines. Companies naturally want to be proactive in detecting and remediating issues in their environment; compromise assessments help them be proactive.
A compromise assessment can be thought of as a light incident investigation: the tools, intelligence, and many of the tactics are the same. We deploy the same tools and technology as we normally would, but we deploy them in an environment where we have no prior knowledge of whether it is actually compromised. We then start searching the environment for host and network indicators of compromise: the re-use of custom malware, C2 protocols, stolen certificates, persistence mechanisms, evidence of lateral movement or credential misuse, etc.
In the event malicious activity is discovered we smoothly transition into a full Incident Response.
Key Deliverables
Executive and technical outbrief presentations, activity reports for both network and endpoint, and a summary of the findings. Peace of mind for the board, executive team, and internal security or audit team.
Iterative analysis
Analysis is iterative: each finding (a matched host, a new C2 destination, a misused account) feeds back into all of the others and widens the next sweep.
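The iterative sweep described above, and the indicator classes listed under the compromise assessment (malware hashes, persistence mechanisms, C2 destinations, credential misuse), as an added example. This is not Mandiant code and does not use the tools named in the text; every host record, hash, hostname, domain and account below is constructed for illustration, and the pivot rules (treat a confirmed host's non-allowlisted destinations as C2, treat accounts it logged on from as stolen) are deliberate simplifications of what an analyst would do by hand.

```python
"""Iterative indicator-of-compromise (IOC) sweep over constructed endpoint and
network data. Added example; not Mandiant code. All data is constructed."""
from collections import defaultdict

# Constructed hashes: the one from the initial intel report, a variant of the
# same backdoor found only by pivoting, and a benign autorun binary.
H_REPORTED = "7c1a2b9e4f00"
H_VARIANT = "b8e3d9a01c22"
H_BENIGN = "0f0f0f0f0f0f"

# Constructed endpoint inventory: per host, file hashes observed, persistence
# entries (autorun name -> hash of launched binary) and outbound destinations.
HOSTS = {
    "ws-017": {"hashes": {H_REPORTED}, "persistence": {"svchelper": H_REPORTED},
               "dests": {"cdn-sync.example.net"}},
    "fs-01": {"hashes": {H_VARIANT}, "persistence": {"svchelper": H_VARIANT},
              "dests": {"static.mirror-host.example"}},
    "db-02": {"hashes": {H_VARIANT}, "persistence": {"wmi-sync": H_VARIANT},
              "dests": {"static.mirror-host.example"}},
    "ws-042": {"hashes": set(), "persistence": {"onedrive": H_BENIGN},
               "dests": {"updates.example.com"}},
    "jump-01": {"hashes": set(), "persistence": {}, "dests": {"updates.example.com"}},
}
# Constructed authentication records: (account, source host, target host).
LOGONS = [
    ("svc_backup", "ws-017", "fs-01"),
    ("svc_backup", "fs-01", "jump-01"),
    ("alice", "ws-042", "fs-01"),
]
# Destinations an analyst has vetted as legitimate; keeps the C2 pivot honest.
KNOWN_GOOD = {"updates.example.com"}


def match_host(name, rec, iocs):
    """Evidence strings for one host against a fixed indicator set (one 'sweep')."""
    ev = [f"hash:{h}" for h in sorted(rec["hashes"] & iocs["hashes"])]
    ev += [f"persistence:{p}" for p in sorted(set(rec["persistence"]) & iocs["persistence"])]
    ev += [f"c2:{d}" for d in sorted(rec["dests"] & iocs["c2"])]
    # Credential misuse: a known-stolen account logged on to this host.
    ev += [f"credential:{a}" for a, _src, dst in LOGONS if dst == name and a in iocs["accounts"]]
    return ev


def pivot(name, rec, iocs):
    """Derive new indicators from a confirmed host. Returns True if any were added."""
    before = sum(len(v) for v in iocs.values())
    iocs["persistence"] |= set(rec["persistence"])          # re-used autorun names
    iocs["hashes"] |= set(rec["persistence"].values())      # the binaries they launch
    iocs["c2"] |= rec["dests"] - KNOWN_GOOD                 # simplification: non-vetted dests are C2
    iocs["accounts"] |= {a for a, src, _dst in LOGONS if src == name}  # accounts used from here
    return sum(len(v) for v in iocs.values()) > before


def sweep(initial_hashes):
    """Sweep all hosts with the current IOC package, pivot from every hit, repeat
    until a round yields neither new evidence nor new indicators (a fixed point).
    Returns (evidence per confirmed host, final indicator set, rounds run)."""
    iocs = {"hashes": set(initial_hashes), "persistence": set(), "c2": set(), "accounts": set()}
    findings = defaultdict(set)
    rounds = 0
    while True:
        rounds += 1
        snapshot = {k: set(v) for k, v in iocs.items()}   # one IOC package per round
        new_evidence = False
        for name, rec in HOSTS.items():
            ev = set(match_host(name, rec, snapshot))
            if ev - findings[name]:
                findings[name] |= ev
                new_evidence = True
        new_iocs = False
        for name in [h for h, e in findings.items() if e]:
            if pivot(name, HOSTS[name], iocs):
                new_iocs = True
        if not new_evidence and not new_iocs:
            break
    return {h: sorted(e) for h, e in findings.items() if e}, iocs, rounds


if __name__ == "__main__":
    found, final_iocs, n = sweep({H_REPORTED})
    print(f"{n} rounds; confirmed hosts:")
    for host, evidence in found.items():
        print(f"  {host}: {', '.join(evidence)}")
    print("final indicators:", {k: sorted(v) for k, v in final_iocs.items()})
```

Starting from a single reported hash, the sweep reaches ws-017, then fs-01 and jump-01 (through the re-used autorun name and the svc_backup account), then db-02 (through the variant hash and second C2 host), and leaves ws-042 alone even though a legitimate user logged on from it to a compromised server. The evidence strings also preserve the scoping distinction the notes raise: jump-01 shows only a credential hit, so it was accessed with stolen credentials but there is no evidence it was backdoored, whereas the others carry persistence or malware evidence.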