
Post on 22-Apr-2022

Page 1: MANDIANT IN ACTION

©2019 FireEye | Private & Confidential

TALES FROM THE TRENCHES

Breaches are inevitable, which is why it’s important to have a plan in place to act quickly and minimize the damage. Customers often rely on FireEye Mandiant’s industry-leading incident response expertise to quickly identify malicious activity and respond effectively.

In this example, Mandiant was engaged by a government sector client to investigate a suspected breach, where previous attempts to remove the threat were unsuccessful.

Even the most experienced security teams need help to effectively remove a determined attacker. Mandiant experts spend 100,000+ hours a year on the most impactful breaches, using a number of techniques to analyze relevant network, host and forensic data. For this engagement example, the team performed:

• Host Analysis

• Forensic Analysis

• Network Analysis

Working directly with the client’s security operations center, the Mandiant team effectively contained and eradicated the threat and was able to increase the security posture of the client’s environment in the process.

WannaMine My Business

PROBLEM: A need to quickly eradicate a suspected breach, detected as a result of beaconing and suspicious host-based activity.

HOW WE DID IT: The Mandiant team performed a detailed investigation to determine the full scope of the intrusion, secure the environment and remove the attacker.

HOW WE DID IT BETTER: Mandiant Consultants leveraged FireEye Threat Intelligence, technology, processes and expertise to successfully identify the critical path used by attackers to gain access and close gaps in security.

RESULT: The Mandiant team was able to gain a thorough understanding of the threat actors and malicious activity that occurred. This facilitated removal of the threat and effectively increased the security posture of the client’s environment. The possibility of a future, similar security event was also effectively mitigated.


Page 2: MANDIANT IN ACTION

The FireEye Mandiant team spends 100,000+ hours per year working on the most impactful breaches. Here’s a high-level walk-through of what this eight-week engagement looked like:

WannaMine My Business: Eradicating the Threat

Initial Engagement

• Set up a secure collaboration space.

• Performed signature and methodology sweeps focused on APT and targeted malware.

• Collaborated with the FireEye Threat Intelligence team to link attacker activity.

• Documented activity for IOC development.

• Engaged the FireEye Labs reverse engineering team to examine the malware.

• Performed analysis and live response, auditing memory, processes, metadata (shim cache, amcache, WMI, prefetch), registry and logs, in addition to network connections, services, scheduled tasks and web history.

• Attacker identified and contained.

• Determined the critical path and provided the client with the attacker methodology and a timeline.

• Provided the client with a report and brief, including an executive summary, charts, graphs, recommendations and metrics related to the scope and impact of the event.

Week 8

Page 3: MANDIANT IN ACTION

WannaMine My Business: Full Story

FireEye Mandiant was recently engaged by a government sector client to investigate a suspected breach, where at least one instance of WannaMine, a cryptocurrency-mining malware, was discovered running with administrative privileges on the client network.

The affected system was discovered when the client observed it beaconing, together with suspicious host-based activity. Although the client attempted to remove the threat, those attempts were unsuccessful.

Upon engagement, FireEye Endpoint and Network technology was deployed to help facilitate the investigation. Staff with complementary skill sets were selected to provide broad incident response support.

The Mandiant Incident Response team worked with the client’s Security Operations Center (SOC) to analyze, investigate and assist with remediation efforts.

During the engagement, status meetings were held along with weekly reports that included accomplishments, investigation details and remediation steps taken to date. Any outstanding requests, action items or issues were identified and addressed.

To remove the threat, the Mandiant team:

• Performed signature and methodology sweeps focused on Advanced Persistent Threats (APT) and targeted malware.

• Examined system artifacts known to be associated with nation-state threats.

• Codified Indicators of Compromise (IOCs) with data collected from other assessments and advanced FireEye Threat Intelligence.

• Developed new IOCs from observed attacker activity and analysis of host sweeps.

• Repeated the sweep-and-develop cycle until sweeps no longer revealed new findings.
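The sweep-and-develop cycle above is a fixed-point loop: seed indicators are swept across host telemetry, new indicators are pivoted from whatever matched, and the sweep runs again until a pass finds nothing new. The Python below is an added example of that loop (not Mandiant tooling) run over constructed host telemetry. Hosts, image paths, the placeholder digests (H1, H2, H_PS and so on stand in for SHA-256 values), the IP addresses and the allowlists are all invented for illustration, and the pivot rules (a matched process's digest and its external destinations become IOCs, its internal destinations become lateral-movement leads) are the example's own choice, not a description of the engagement.

```python
"""
Iterative IOC sweep carried to a fixed point. Added example; the telemetry,
digests, addresses and allowlists are constructed, not engagement data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class ProcessRecord:
    host: str
    image: str
    sha256: str                   # placeholder labels stand in for real digests
    destinations: FrozenSet[str]  # remote IPs the process connected to


@dataclass
class SweepResult:
    rounds: int                          # sweeps run, including the final empty one
    hosts: Dict[str, List[str]]          # flagged host -> why it matched
    hashes: Set[str]                     # final hash IOC set
    ips: Set[str]                        # final network IOC set
    lateral_leads: Set[Tuple[str, str]]  # (flagged host, internal destination) for host analysis


INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Never pivot on these: shared infrastructure and signed OS binaries (LOLBins)
# would otherwise flag every host in the fleet on the next pass.
ALLOWLIST_IPS = {"198.51.100.5"}           # constructed: corporate update/CDN endpoint
ALLOWLIST_HASHES = {"H_PS", "H_SVCHOST"}   # constructed: powershell.exe, svchost.exe digests


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def match_reasons(rec: ProcessRecord, hashes: Set[str], ips: Set[str]) -> List[str]:
    """Why this process record matches the current IOC set (empty if it doesn't)."""
    reasons = []
    if rec.sha256 in hashes:
        reasons.append(f"{rec.image} sha256={rec.sha256}")
    for ip in sorted(rec.destinations & ips):
        reasons.append(f"{rec.image} -> {ip}")
    return reasons


def sweep_until_stable(telemetry: Iterable[ProcessRecord], seed_hashes: Iterable[str],
                       seed_ips: Iterable[str] = ()) -> SweepResult:
    telemetry = list(telemetry)
    hashes, ips = set(seed_hashes), set(seed_ips)
    matched: Set[ProcessRecord] = set()
    hosts: Dict[str, List[str]] = {}
    leads: Set[Tuple[str, str]] = set()
    rounds = 0
    while True:
        rounds += 1
        # Sweep: every not-yet-matched record against the current indicator set.
        new = []
        for rec in telemetry:
            if rec in matched:
                continue
            reasons = match_reasons(rec, hashes, ips)
            if reasons:
                new.append((rec, reasons))
        if not new:
            break  # a full pass produced nothing new: fixed point reached
        # Develop: pivot fresh indicators from the records that just matched.
        for rec, reasons in new:
            matched.add(rec)
            hosts.setdefault(rec.host, []).extend(reasons)
            if rec.sha256 not in ALLOWLIST_HASHES:
                hashes.add(rec.sha256)
            for ip in rec.destinations - ALLOWLIST_IPS:
                if is_internal(ip):
                    leads.add((rec.host, ip))   # lateral movement: investigate, don't auto-pivot
                else:
                    ips.add(ip)                 # external C2 becomes a network IOC
    return SweepResult(rounds, hosts, hashes, ips, leads)


# Constructed telemetry: one process record per line, invented for illustration.
TELEMETRY = [
    ProcessRecord("web01", r"C:\Windows\Temp\m.exe", "H1", frozenset({"203.0.113.10"})),
    ProcessRecord("web01", r"C:\Windows\System32\svchost.exe", "H_SVCHOST", frozenset({"198.51.100.5"})),
    ProcessRecord("ws07", r"C:\Users\Public\wm.exe", "H2", frozenset({"203.0.113.10", "203.0.113.44", "10.0.0.20"})),
    ProcessRecord("ws12", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "H_PS", frozenset({"203.0.113.10"})),
    ProcessRecord("fs01", r"C:\Windows\Temp\upd.exe", "H4", frozenset({"203.0.113.44"})),
    ProcessRecord("ws03", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "H_CHROME", frozenset({"198.51.100.5"})),
    ProcessRecord("ws03", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "H_PS", frozenset({"10.0.0.20"})),
]

if __name__ == "__main__":
    result = sweep_until_stable(TELEMETRY, seed_hashes={"H1"})   # seed: one digest from threat intel
    print(f"stable after {result.rounds} sweeps; hashes={sorted(result.hashes)} ips={sorted(result.ips)}")
    for host, why in result.hosts.items():
        print(host, why)
    print("lateral leads:", sorted(result.lateral_leads))
```

The allowlists are the part that needs the most care: pivoting on the digest of powershell.exe or on the address of a shared update server would flag the entire fleet on the next pass, so signed OS binaries and shared infrastructure are recorded as matches but never promoted to indicators, and internal destinations are left for host analysis rather than auto-pivoted. In the constructed data this is why ws12 is flagged (its PowerShell talked to the C2 address) while ws03, whose PowerShell only reached an internal server, is not.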

Results: The Mandiant team worked with the client to achieve containment and eradication of the threat, as well as gain a thorough understanding of threat actors and malicious activity that occurred.

By implementing the recommendations and corrective actions provided by Mandiant, the client effectively increased the security posture of their environment, mitigating the possibility of a similar, future incident.

During this eight-week engagement, Mandiant effectively accomplished the following:

• Leveraged FireEye Threat Intelligence, technology, processes, and expertise to successfully identify the critical attack path used by attackers to gain access.

• Attributed the threat actors to a single group based on relevant characteristics of APT groups, data returned from IOC sweeps, intelligence of activity observed and knowledge of associated campaigns.

• Identified patient zero as a web server with a known input validation vulnerability in the WebLogic Security Service (WLS Security).

• Developed countermeasures and closed security gaps to effectively eradicate and defend against what was determined to be a cryptocurrency miner.

• Briefed the customer on lessons learned.