Key Points:
Mandiant is on the front lines of the largest computer security breaches you read in the headlines every day.
Note: The only companies that have publicly stated that they have hired Mandiant for incident response are Evernote, New York Times, Schnucks, WTOP and the State of South Carolina.
Key Points:
Companies routinely perform vulnerability tests to determine if attackers could get through their preventive defenses.
All it takes is reading the headlines to think that might not be the right question.
A better question, maybe the most important question, to ask yourself is “Are You Compromised?” Are the attackers already in your systems?
If you were to boil it down to one question that Mandiant answers, this is it: “Are you compromised, and what is the material impact of that compromise?”
APT is a “who,” not a “what”:
Human(s) at a keyboard
Targets selected after research/recon
Highly tailored and customized attacks
Effective at bypassing preventive controls
They are Professional, Organized & Well Funded…
Often well-funded and organized
Division of labor for different stages of attack
Utilize change management processes
Escalate sophistication of tactics as needed
If You Kick Them Out They Will Return
Specific targets mean a desire to return
Long-term occupation one of the goals
Persistence tools ensure ongoing access
Relentlessly focused on objectives over time
Key Points:
All threat actors are not equivalent.
Two types of threat actors pose the greatest risk to organizations: those focused on economic espionage, such as the APT, and those focused on financial gain, such as organized crime.
These two threat actors pose unique risks because they are not just targeted but persistent.
They entrench themselves for months or years and when you kick them out they try to come back.
Oftentimes the volume of alerts generated by the nuisance threats makes it hard for organizations to identify the riskiest threats.
229 days: how long the attacker was present before being discovered
2,287 days: the longest presence identified in 2013
The Ponemon 2013 Cost of a Data Breach study put the cost at $188 per record, with an average breach of 28,765 records; breaches of more than 100,000 records were excluded from that study.
Mention joint ventures and/or acquisitions of Chinese companies.
Key Points:
One thing that’s important to understand is that malware is only used at the beginning of the attack and as the attacker moves laterally.
In fact, when you look at all of the compromised machines Mandiant investigated last year only 54% of them had malware on them.
To effectively detect and scope the impact of a threat you need to be able to find all of the evidence of compromise – not just malware.
Defense in Depth will slow the determined attacker, but Logging in Depth provides your Incident Responders the capability to quickly identify and respond to attacks.
Bullseye = the logging approach = the ESM strategy, layer by layer:
Perimeter – ACCEPT and DENY events
Host – authentication is needed, but so is ACTIVITY: process creation, command-line arguments (the Sysmon tool)
Application – authentication, activity, error codes, transaction logs
Data – file integrity monitoring; AV and whitelisting can provide MD5s
Value to IR:
Perimeter: match threat intel to IPs and domains of known evil
Host: account / process creation – privilege escalation – hash dumping
Application: exploitation (web logs reveal SQLi), web shells, or post-exploitation threat intel – URIs, email senders/subjects
Data: access logs from HVAs (high-value assets) – what are they after? Was it successful? Threat intel = MD5s
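As an added illustration of the Value to IR mapping above (example code, not from the original presentation or from Mandiant), a small Python triage that runs constructed log lines from each bullseye layer against constructed threat intel; the log format, field names and indicator values are assumptions:

```python
import re
from urllib.parse import unquote

# Constructed threat intel for the demo: placeholder values, not real indicators.
INTEL = {"ips": {"203.0.113.7"}, "domains": {"c2.invalid"},
         "md5s": {"0123456789abcdef0123456789abcdef"}}
# Deliberately simple SQLi signature for web access logs (illustrative only).
SQLI = re.compile(r"(?i)(union\s+select|'\s*or\s+1\s*=\s*1|--\s*$)")

def kv(text):
    """Parse key=value tokens (values may be double-quoted) into a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', text)}

def triage(lines, intel=INTEL):
    """Return (layer, reason, line) for each log line that answers an IR question."""
    findings = []
    for line in lines:
        layer, _, rest = line.partition(" ")
        f, reason = kv(rest), None
        if layer == "FW":      # perimeter: match threat intel to IPs and domains
            hits = {f.get("dst"), f.get("dsthost")} & (intel["ips"] | intel["domains"])
            if hits:
                reason = "perimeter: connection to known-bad %s" % sorted(hits)
        elif layer == "HOST":  # host: process / account creation, known-bad hashes
            if f.get("md5") in intel["md5s"]:
                reason = "host: process image matches threat-intel MD5"
            elif (cmd := f.get("cmdline", "")).startswith("net user") and "/add" in cmd:
                reason = "host: local account created via %r" % cmd
        elif layer == "WEB":   # application: exploitation visible in web logs
            uri = unquote(f.get("uri", ""))
            if SQLI.search(uri):
                reason = "application: SQLi pattern in URI %r" % uri
        elif layer == "FIM":   # data: HVA access matched against threat-intel MD5
            if f.get("md5") in intel["md5s"]:
                reason = "data: HVA file %s matches threat-intel MD5" % f.get("file")
        if reason:
            findings.append((layer, reason, line))
    return findings

# Constructed sample log lines, one or two per layer of the bullseye (assumed format).
SAMPLE = [
    "FW action=ACCEPT src=10.1.2.3 dst=203.0.113.7 dport=443",
    "FW action=DENY src=198.51.100.9 dst=10.1.2.3 dport=22",
    "FW action=ACCEPT src=10.1.2.5 dsthost=c2.invalid dport=80",
    'HOST event=ProcessCreate user=svc_web image=C:\\Windows\\System32\\net.exe '
    'cmdline="net user helpdesk Passw0rd /add" md5=ffffffffffffffffffffffffffffffff',
    "WEB src=198.51.100.9 uri=/search?q=1%27%20OR%201%3D1-- status=200",
    "WEB src=10.1.2.3 uri=/index.html status=200",
    "FIM action=read user=svc_web file=/srv/hva/customers.db md5=0123456789abcdef0123456789abcdef",
]
```

Each finding names the layer it came from, which is the point of the bullseye: the same intel (an IP, a domain, an MD5) is matched where that layer can see it.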
Prepare – Are the right devices available? Are they generating the right logs to find evil? Are the logs retained for IR?
Have a plan: the right people, authorized and trained, with IR workplans.