
Executive Briefing in New York with Former Secretary of Homeland Security Michael Chertoff

2 April 2012 at 22:17

On March 15, Mandiant hosted an executive briefing over breakfast in New York City. The location in the W Hotel in Downtown NYC overlooked the 9/11 Memorial and the rising One World Trade Center, an arresting view and a unique setting for this event.

Former Secretary of Homeland Security Michael Chertoff kicked off the morning by discussing his perspective on the global threat landscape. He touched on Iran's cyber warfare capabilities in particular. He remarked on recent alleged Iranian attacks against the BBC and said that there is no point in debating the reality of cyber war. If one side believes they are engaged in such a battle, then that is reality, and "Iran clearly believes they are already participants in cyber war." He also noted that Iran's capabilities are already quite advanced. After being hit by Stuxnet, Iran views it as imperative to be prepared to respond in kind.

It is always nice to see someone like Mr. Chertoff connecting the dots so articulately on a technical level. At one point, he commented about how important it was to not just look for malware. Smart responders, he said, need to look for all trace evidence of compromise in order to fully understand the scope of an incident. Coincidentally, this is trend #1 in our recent M-Trends report, and Mr. Chertoff described the problem with a malware-centric approach perfectly.

Richard Bejtlich spoke next and used a role-playing exercise to help the audience understand the challenge of responding to targeted threats. His premise was simple: "Pretend I'm a law enforcement agent who comes to your office and tells you that you are compromised, and that I have your own internal documents as evidence. What do you do next?"

This provoked discussion, and the audience started asking questions about the nature of the intrusion and what they should do to respond. As we explored the scenario through Q&A, it became clear that most organizations lack the visibility they need to adequately respond to attacks. What about your organization? If you found out today that you had been the victim of a substantial breach, where would you look first? How would you validate the intrusion? How could you discover the scope or identify what had been stolen?

Those of you who have attended Mandiant events know that we are pretty light on the product pitches (we often don't mention our products at all). However, we do have a product that helps answer the questions that Richard was posing. Mandiant Intelligent Response has helped hundreds of companies answer the question "Now What??" when they are on the receiving end of the scenario Richard outlined in New York.

M-Trends #1: Malware Only Tells Half the Story

14 May 2012 at 20:45

When I joined Mandiant earlier this year, I was given the opportunity to help write our annual M-Trends report. This is the third year Mandiant has published the report, which is a summary of the trends we've observed in our investigations over the last twelve months.

I remember reading Mandiant's first M-Trends report when it came out in 2010 and recall being surprised that Mandiant didn't pull any punches. They talked about the advanced persistent threat or APT (they had been using that term for several years...long before it was considered a cool marketing buzzword), and they were open about the origin of the attacks. The report summarized what I'd been seeing in industry, and offered useful insights for detection and response. Needless to say, I enjoyed the opportunity to work on the latest version.

This year's report details six trends we identified in 2011. We developed the six trends for the report very organically. That is, I spent quite a few days and nights reading all of the reports from our outstanding incident response team and wrote about what we saw; we didn't start with trends and then look for evidence to support them.

If you haven't picked up a copy of the report yet, you can do so here. I will be blogging on each of the six trends over the next two weeks; you can even view the videos we've developed for each trend as each blog post is published:

Malware Only Tells Half the Story.

Of the many systems compromised in each investigation, about half of them were never touched by attacker malware.

In so many cases, the intruders logged into systems and took data from them (or used them as a staging point for exfiltration), but didn't install tools. It is ironic that the very systems that hold the data targeted by an attacker are probably the least likely to have malware installed on them. While finding the malware used in an intrusion is important, it is impossible to understand the full scope of an intrusion if this is the focal point of the investigation. We illustrate actual examples of this in the graphical spread on pages 6-7 of the report.

What does this mean for victim organizations?

You could start by looking for malware, but don't end there! A smart incident response process will seek to fully understand the scope of compromise and find all impacted systems in the environment. This could mean finding the registry entries that identify lateral movement, traces of deleted .rar files in unallocated space, or use of a known compromised account. It turns out that Mandiant has a product that does all of this, but the footnote on page 5 is the only mention you'll see in the entire report (and even that was an afterthought).
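The two non-malware artifacts named above, deleted archive fragments in unallocated space and one account logging on across many hosts, can be checked with a few lines of code. The block below is an added illustration, not code from the post or from any Mandiant product; the RAR magic bytes are the public RAR 4 and RAR 5 signatures, while the byte blob and logon records are constructed sample data, and the "three or more hosts" threshold is an assumed tuning value.

```python
from collections import defaultdict

# Public RAR archive magic bytes (RAR 4.x and RAR 5.x): the signature a
# carving pass over unallocated space looks for when files were deleted.
RAR_SIGNATURES = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")


def carve_rar_offsets(blob: bytes) -> list:
    """Return sorted byte offsets of every RAR header found in a raw blob."""
    hits = set()
    for sig in RAR_SIGNATURES:
        start = 0
        while (idx := blob.find(sig, start)) != -1:
            hits.add(idx)
            start = idx + 1
    return sorted(hits)


# Constructed stand-in for unallocated disk space: filler bytes with one
# RAR 4 header and one RAR 5 header left behind by deleted archives.
SAMPLE_UNALLOCATED = (b"\x00" * 32 + b"Rar!\x1a\x07\x00" + b"\xff" * 40
                      + b"Rar!\x1a\x07\x01\x00" + b"\x00" * 10)


def lateral_movement_candidates(records, min_hosts=3):
    """Flag accounts whose network (type 3) or RDP (type 10) logons reach
    at least min_hosts distinct hosts. One credential walking the
    environment is the footprint a compromised account leaves without
    any malware being dropped. min_hosts=3 is an assumed threshold."""
    hosts = defaultdict(set)
    for rec in records:
        if rec["logon_type"] in (3, 10):
            hosts[rec["account"]].add(rec["host"])
    return {acct: sorted(h) for acct, h in hosts.items() if len(h) >= min_hosts}


# Constructed logon records: account, target host, Windows logon type.
SAMPLE_LOGONS = [
    {"account": "svc_backup", "host": "FS01", "logon_type": 3},
    {"account": "svc_backup", "host": "FS02", "logon_type": 3},
    {"account": "svc_backup", "host": "HR-DB", "logon_type": 10},
    {"account": "svc_backup", "host": "DC01", "logon_type": 3},
    {"account": "jsmith", "host": "WS-117", "logon_type": 2},
    {"account": "jsmith", "host": "FS01", "logon_type": 3},
]

if __name__ == "__main__":
    print(carve_rar_offsets(SAMPLE_UNALLOCATED))
    print(lateral_movement_candidates(SAMPLE_LOGONS))
```

Both checks work on the systems the attacker only logged into, which is exactly where a malware-only sweep comes back clean.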

Thoughts and questions about this trend or the M-Trends report?
