DATA SHEET

COMPROMISE ASSESSMENT

Mandiant’s Compromise Assessment service helps organizations evaluate if they have been compromised by advanced attack groups and if attackers are currently active in their environment.

OVERVIEW

Mandiant’s Compromise Assessment is a unique service that allows organizations to evaluate their networks for the presence of advanced attack group activity. The Compromise Assessment has helped organizations identify and address issues that, in some cases, had existed for years and resulted in the theft of valuable intellectual property.

Designed to identify targeted attacks

Over the past several years, advanced attack groups — often backed by organized crime syndicates and nation states — have targeted government and private sector organizations. These advanced attackers seek to remain undetected so that they can steal data over an extended period of time. They develop custom malware and use tactics that can often be difficult to detect using conventional approaches.

Example: lifecycle of a targeted attack

• Initial Compromise - Gain initial access into target
• Establish Foothold - Strengthen position within target
• Escalate Privileges - Steal valid user credentials
• Internal Recon - Identify target data
• Move Laterally - Access other servers and files
• Maintain Presence - Deploy persistence mechanisms
• Complete Mission - Package and steal target data

Evidence of attack groups

Mandiant uses experience gained over hundreds of investigations when assessing networks for the presence of various indicators of compromise including:

Re-used custom malware: Custom malware is often developed at great expense to the attack group. Consequently, they prefer to reuse it — or variants that have similar characteristics. Attack groups can oftentimes be discovered by identifying malware analyzed during prior investigations.

Persistence mechanisms: A number of techniques can be used to establish persistence in a system. Windows registry entries can store malware execution parameters, malware can be placed in the Start Up folder and legitimate system binaries can be trojanized. Knowing what attack groups commonly do allows Mandiant to look for instances of those persistence mechanisms.

Lateral movement techniques: Most advanced attack groups obtain valid privileged credentials and use them to assess the environment. Knowing how they obtain those credentials and what tools they use to access other systems enables Mandiant to search for log and forensic evidence that is indicative of that attacker activity.

Our approach

The Compromise Assessment couples Mandiant’s specialized knowledge of advanced attackers’ tools, techniques and practices with Mandiant’s proprietary technology to determine if attackers are currently in the environment or have been active in the past. The major activities Mandiant performs during a Compromise Assessment are:

Deploying network- & host-based inspection technology: Proprietary technology is deployed at Internet egress points and on host systems such as servers, workstations and laptops.

Assessing the environment using intelligence from prior investigations: Mandiant has developed a detailed library of Indicators of Compromise (IOCs) that utilize host-based artifacts and network traffic signatures to identify the presence of attackers. Mandiant consultants apply these IOCs to evaluate network traffic, servers, workstations and laptops within the network for evidence of current and past attacker activity.

Assessing the environment for anomalies: Mandiant uses its knowledge of attack groups and their tendencies to assess hosts and network traffic for evidence of attacker activity. In this phase the focus is on “edge analysis” — systems or traffic that have different attributes than are typically seen in the environment.

Analyzing evidence: When Mandiant identifies Indicators of Compromise or anomalies, consultants draw on skills that range from forensic imaging to malware and log analysis. Mandiant performs these activities to confirm that the finding reflects malicious activity or to determine that the finding is a false positive.

Summarizing findings: At the conclusion of the Compromise Assessment, Mandiant provides a detailed report that summarizes the steps taken during the assessment, the major findings and recommendations for next steps — if appropriate.

THE MANDIANT DIFFERENCE

• Investigative skills - Technical & investigative skills developed over the course of hundreds of investigations.
• Threat intelligence - Profiles of key attack groups including their tools, practices and objectives along with corresponding Indicators of Compromise.
• Technology - Proprietary tools that automate investigative tasks and enable network traffic and host-based artifacts to be rapidly evaluated — even across networks that contain hundreds of thousands of systems.
• Management experience - Experience providing guidance and advice on the business impact of computer security decisions.
• Dedicated malware team - A team focused solely on reverse engineering malicious software and researching the latest exploits.

AFFILIATIONS AND CERTIFICATION

UNIQUE EXPERIENCE

Mandiant’s Compromise Assessments have identified targeted intrusions within highly challenging environments and in situations where attackers had gone undetected for months.

Case study

• Law enforcement informed a law firm that they were the target of an advanced attack group. Because this information was obtained during a classified investigation, no information could be shared with the law firm.
• Mandiant used its proprietary technology to evaluate all Windows systems in the environment. It found one system contained malware developed by an advanced attack group that Mandiant had seen in a prior investigation.
• Malware analysis led to the identification of IP addresses being used by the malware. Subsequent firewall log analysis led to the identification of a dozen systems communicating with those IP addresses.
• The Compromise Assessment became an incident response investigation. By the end of the investigation it was determined that the attacker had been in the environment for at least two years, had compromised more than thirty systems and had been stealing all email from several senior partners throughout the entire time period.

For more information on FireEye, visit: www.FireEye.com

FireEye, Inc. 1440 McCarthy Blvd. Milpitas, CA 95035 408.321.6300 / 877.FIREEYE (347.3393) / [email protected] www.FireEye.com

© 2017 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners. DS.CA.EN-US.012017
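An added example, not Mandiant's tooling or code from the datasheet, of the two checks the approach section and the case study describe: sweeping firewall logs for internal hosts that contacted IP addresses recovered from malware analysis, and reviewing collected Run-key persistence entries first against a known indicator and then by edge analysis, flagging entries that are rare across the environment. All IOC values, log lines, host names and the log format are constructed placeholders.

```python
import re
from collections import Counter

# Constructed IOCs standing in for indicators carried over from a prior investigation.
# Addresses are from RFC 5737 documentation ranges; the Run-value name is made up.
IOC_C2_IPS = {"198.51.100.23", "203.0.113.77"}
IOC_RUN_VALUES = {"updatesvc"}

# Constructed firewall log lines (the format is an assumption, not a real product's).
FIREWALL_LOG = """\
2017-01-10T08:01:12Z allow src=10.0.5.14 dst=198.51.100.23 dport=443
2017-01-10T08:02:40Z allow src=10.0.5.14 dst=93.184.216.34 dport=443
2017-01-10T08:03:05Z allow src=10.0.7.201 dst=203.0.113.77 dport=8080
2017-01-10T08:04:59Z deny src=10.0.9.33 dst=198.51.100.23 dport=443
2017-01-10T08:05:22Z allow src=10.0.5.14 dst=198.51.100.23 dport=443
"""
LOG_RE = re.compile(r"\bsrc=(\S+)\s+dst=(\S+)")

# Constructed per-host Run-key inventories (value name -> command) as a collection tool would report them.
RUN_KEYS = {
    "WS-0514": {"SyncClient": r"C:\Program Files\Sync\sync.exe",
                "updatesvc": r"C:\ProgramData\upd\svc.exe"},
    "WS-0720": {"SyncClient": r"C:\Program Files\Sync\sync.exe",
                "svchlp": r"C:\Users\Public\svchlp.exe"},
    "WS-0933": {"SyncClient": r"C:\Program Files\Sync\sync.exe"},
}


def hosts_talking_to(log_text, c2_ips):
    """Map each internal source to the known-bad destinations it contacted.
    Denied connections count too: a blocked beacon still marks an infected host."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group(2) in c2_ips:
            hits.setdefault(m.group(1), set()).add(m.group(2))
    return hits


def persistence_findings(run_keys, ioc_values, rarity_max=1):
    """Flag Run values matching a known IOC, then apply edge analysis: a value
    name present on no more than rarity_max hosts is unusual for the environment."""
    prevalence = Counter(n for values in run_keys.values() for n in values)
    findings = []
    for host, values in sorted(run_keys.items()):
        for name in values:
            if name.lower() in ioc_values:
                findings.append((host, name, "known IOC"))
            elif prevalence[name] <= rarity_max:
                findings.append((host, name, "rare in environment"))
    return findings
```

Each finding is a lead for the evidence-analysis step, not a verdict: the rare entry on WS-0720 could be legitimate software, which is why the datasheet pairs anomaly detection with forensic confirmation.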