On March 15, Mandiant hosted an executive briefing over breakfast in New York City. The location in the W Hotel in Downtown NYC overlooked the 9/11 Memorial and the rising One World Trade Center-an arresting view and a unique setting for this event.
Former Secretary of Homeland Security Michael Chertoff kicked off the morning by discussing his perspective on the global threat landscape. He touched on Iran's cyber warfare capabilities in particular. He remarked on recent alleged Iranian attacks against the BBC and said that there is no point in debating the reality of cyber war. If one side believes they are engaged in such a battle, then that is reality-and "Iran clearly believes they are already participants in cyber war." He also noted that Iran's capabilities are already quite advanced. After being hit by Stuxnet, Iran views it as imperative to be prepared to respond in kind.
It is always nice to see someone like Mr. Chertoff connecting the dots so articulately on a technical level. At one point, he commented about how important it was to not just look for malware. Smart responders, he said, need to look for all trace evidence of compromise in order to fully understand the scope of an incident. Coincidentally, this is trend #1 in our recent M-Trends report, and Mr. Chertoff described the problem with a malware-centric approach perfectly.
Richard Bejtlich spoke next and used a role-playing exercise to help the audience understand the challenge of responding to targeted threats. His premise was simple: "Pretend I'm a law enforcement agent who comes to your office and tells you that you are compromised, and that I have your own internal documents as evidence. What do you do next?"
This provoked discussion and the audience started asking questions about the nature of the intrusion and what they should do to respond. As we explored the scenario through Q&A, it became clear that most organizations lack the visibility they need to adequately respond to attacks. What about your organization? If you found out today that you had been the victim of a substantial breach, where would you look first? How would you validate the intrusion? How could you discover the scopeor identify what had been stolen?
Those of you who have attended Mandiant events know that we are pretty light on the product pitches (we often don't mention our products at all). However, we do have a product that helps answer the questions that Richard was posing. Mandiant Intelligent Response has helped hundreds of companies answer the question "Now What??" when they are on the receiving end of the scenario Richard outlined in New York.