COMPROMISE ASSESSMENT
DATA SHEET

MANDIANT'S COMPROMISE ASSESSMENT SERVICE HELPS ORGANIZATIONS
EVALUATE IF THEY HAVE BEEN COMPROMISED BY ADVANCED ATTACK GROUPS
AND IF ATTACKERS ARE CURRENTLY ACTIVE IN THEIR ENVIRONMENT.

OVERVIEW
Mandiant's Compromise Assessment is a unique service that allows organizations
to evaluate their networks for the presence of advanced attack group activity. The
Compromise Assessment has helped organizations identify and address issues
that, in some cases, had existed for years and resulted in the theft of valuable
intellectual property.

Designed to identify targeted attacks
Over the past several years, advanced attack groups — often backed by organized
crime syndicates and nation states — have targeted government and private sector
organizations. These advanced attackers seek to remain undetected so that they
can steal data over an extended period of time. They develop custom malware and
use tactics that can often be difficult to detect using conventional approaches.

Example: lifecycle of a targeted attack (figure; stages as labelled in the diagram)
  Initial Compromise - Gain initial access into target
  Establish Foothold - Strengthen position within target
  Escalate Privileges - Steal valid user credentials
  Internal Recon - Identify target data
  Move Laterally - Access other servers and files
  Maintain Presence - Deploy persistence mechanisms
  Complete Mission - Package and steal target data

Evidence of attack groups
Mandiant uses experience gained over hundreds of investigations when assessing
networks for the presence of various indicators of compromise, including:

Re-used custom malware: Custom malware is often developed at great expense
to the attack group. Consequently, they prefer to reuse it — or variants that have
similar characteristics. Attack groups can oftentimes be discovered by identifying
malware analyzed during prior investigations.

Persistence mechanisms: A number of techniques can be used to establish
persistence on a system. Windows registry entries can store malware execution
parameters, malware can be placed in the Start Up folder and legitimate system
binaries can be trojanized. Knowing what attack groups commonly do allows
Mandiant to look for instances of those persistence mechanisms.

Lateral movement techniques: Most advanced attack groups obtain valid privileged
credentials and use them to assess the environment. Knowing how they obtain those
credentials and what tools they use to access other systems enables Mandiant to
search for log and forensic evidence that is indicative of that attacker activity.

Our approach
The Compromise Assessment couples Mandiant's specialized knowledge of advanced
attackers' tools, techniques and practices with Mandiant's proprietary technology to
determine if attackers are currently in the environment or have been active in the past.
The major activities Mandiant performs during a Compromise Assessment are:

Deploying network- & host-based inspection technology
Proprietary technology is deployed at Internet egress points and on host systems such as
servers, workstations and laptops.

Assessing environment using intelligence from prior investigations
Mandiant has developed a detailed library of Indicators of Compromise (IOCs) that utilize
host-based artifacts and network traffic signatures to identify the presence of attackers.
Mandiant consultants apply these IOCs to evaluate network traffic, servers, workstations
and laptops within the network for evidence of current and past attacker activity.

Assessing the environment for anomalies
Mandiant uses its knowledge of attack groups and their tendencies to assess hosts and
network traffic for evidence of attacker activity. In this phase the focus is on "edge analysis" —
systems or traffic that have different attributes than are typically seen in the environment.

Analyzing evidence
When Mandiant identifies Indicators of Compromise or anomalies, consultants draw on
skills that range from forensic imaging to malware and log analysis. Mandiant performs
these activities to confirm that the finding reflects malicious activity or to determine that
the finding is a false positive.

Summarizing findings
At the conclusion of the Compromise Assessment, Mandiant provides a detailed report that
summarizes the steps taken during the assessment, the major findings and recommendations
for next steps — if appropriate.

THE MANDIANT DIFFERENCE
• Investigative skills - Technical & investigative skills developed over the
  course of hundreds of investigations.
• Threat intelligence - Profiles of key attack groups including their tools,
  practices and objectives along with corresponding Indicators of Compromise.
• Technology - Proprietary tools that automate investigative tasks and enable
  network traffic and host-based artifacts to be rapidly evaluated — even across
  networks that contain hundreds of thousands of systems.
• Management experience - Experience providing guidance and advice on the
  business impact of computer security decisions.
• Dedicated malware team - A team focused solely on reverse engineering
  malicious software and researching the latest exploits.

AFFILIATIONS AND CERTIFICATION

UNIQUE EXPERIENCE
Mandiant's Compromise Assessment has identified targeted intrusions within highly
challenging environments and in situations where attackers had gone undetected
for months.

Case study
• Law enforcement informed a law firm that they were the target of an advanced
  attack group. Because this information was obtained during a classified
  investigation, no information could be shared with the law firm.
• Mandiant used its proprietary technology to evaluate all Windows systems in
  the environment. It found one system contained malware developed by an
  advanced attack group that Mandiant had seen in a prior investigation.
• Malware analysis led to the identification of IP addresses being used by the
  malware. Subsequent firewall log analysis led to the identification of a dozen
  systems communicating with those IP addresses.
• The Compromise Assessment became an incident response investigation. By the
  end of the investigation it was determined that the attacker had been in the
  environment for at least two years, had compromised more than thirty systems
  and had been stealing all email from several senior partners throughout the
  entire time period.
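The IOC-driven assessment step and the case study's pivot from malware-derived IP addresses to firewall logs can be illustrated with a small matcher. The Python below is an added example written for this page; it is not Mandiant's proprietary technology, and every IOC value, host name, hash, IP address and log line in it is a constructed placeholder (the IPs come from documentation ranges).

```python
"""
Added illustration (not Mandiant's tooling): apply a small library of
Indicators of Compromise to host artifacts and firewall logs, then pivot
from a malware-derived IP address to every system that contacted it.
All IOC values, hosts, hashes and log lines are constructed samples.
"""
import re

# Constructed IOC set. Values are placeholders, not real indicators.
IOCS = {
    "network_ips": {"203.0.113.45", "198.51.100.7"},       # C2 addresses (documentation ranges)
    "file_hashes": {"0123456789abcdef0123456789abcdef"},    # MD5 of a known sample (placeholder)
    "run_key_values": {"svchost_update.exe"},               # binary name seen in a Run key (placeholder)
}

# Constructed host artifact records, as a host-based collector might report them.
HOST_ARTIFACTS = [
    {"host": "WS-0412", "path": r"C:\Users\jdoe\AppData\Roaming\svchost_update.exe",
     "md5": "0123456789abcdef0123456789abcdef",
     "run_key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "run_value": r"C:\Users\jdoe\AppData\Roaming\svchost_update.exe"},
    {"host": "WS-0913", "path": r"C:\Program Files\Vendor\agent.exe",
     "md5": "fedcba9876543210fedcba9876543210",
     "run_key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "run_value": r"C:\Program Files\Vendor\agent.exe"},
]

# Constructed firewall log lines: timestamp, action, internal source, external destination, host.
FIREWALL_LOG = """\
2017-01-09T02:14:11Z ALLOW src=10.20.4.12 dst=203.0.113.45 dport=443 host=WS-0412
2017-01-09T02:15:40Z ALLOW src=10.20.4.77 dst=93.184.216.34 dport=443 host=WS-0488
2017-01-09T03:01:05Z ALLOW src=10.20.7.3 dst=203.0.113.45 dport=443 host=SRV-MAIL01
2017-01-10T02:14:09Z ALLOW src=10.20.4.12 dst=203.0.113.45 dport=443 host=WS-0412
2017-01-10T11:42:30Z ALLOW src=10.20.9.21 dst=198.51.100.7 dport=8443 host=WS-0913
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) host=(?P<host>\S+)$"
)


def match_host_artifacts(records, iocs):
    """Return {host: [reasons]} for hosts whose artifacts match a hash or Run-key IOC."""
    hits = {}
    for r in records:
        reasons = []
        if r["md5"] in iocs["file_hashes"]:
            reasons.append(f"known malware hash {r['md5']} at {r['path']}")
        if any(r["run_value"].lower().endswith(v.lower()) for v in iocs["run_key_values"]):
            reasons.append(f"persistence via {r['run_key']} -> {r['run_value']}")
        if reasons:
            hits[r["host"]] = reasons
    return hits


def pivot_on_network_iocs(log_text, ioc_ips):
    """Parse firewall lines and return {host: sorted IOC IPs it contacted}."""
    contacts = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip explicitly rather than miscount
        if m["dst"] in ioc_ips:
            contacts.setdefault(m["host"], set()).add(m["dst"])
    return {h: sorted(ips) for h, ips in contacts.items()}


def assess(records=HOST_ARTIFACTS, log_text=FIREWALL_LOG, iocs=IOCS):
    """Combine host and network findings: the initial host hit plus the wider scope from the log pivot."""
    host_hits = match_host_artifacts(records, iocs)
    net_hits = pivot_on_network_iocs(log_text, iocs["network_ips"])
    scope = sorted(set(host_hits) | set(net_hits))
    return {"host_hits": host_hits, "network_hits": net_hits, "systems_in_scope": scope}


if __name__ == "__main__":
    result = assess()
    for host, reasons in result["host_hits"].items():
        print(f"[host] {host}: " + "; ".join(reasons))
    for host, ips in result["network_hits"].items():
        print(f"[net]  {host} contacted {', '.join(ips)}")
    print("systems in scope:", ", ".join(result["systems_in_scope"]))
```

With the constructed data, the host artifacts alone implicate a single workstation, while the network pivot widens the scope to a mail server and a second workstation that had no host-side hit at all, which is the same enlargement of scope the case study describes. In practice a hit of either kind is a finding to be confirmed by forensic and malware analysis, not a verdict on its own.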
For more information on FireEye, visit:
www.FireEye.com

FireEye, Inc.
1440 McCarthy Blvd. Milpitas, CA 95035
408.321.6300 / 877.FIREEYE (347.3393) / [email protected]
www.FireEye.com

© 2017 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc.
All other brands, products, or service names are or may be trademarks or service marks
of their respective owners. DS.CA.EN-US.012017