who is mandiant?
Who is MANDIANT?
Engineers, consultants, authors, instructors & security experts
Chased criminals attacking the Fortune 500, govt. contractors, and multi-national banks
Responded to over 1 million compromised systems in over 60 organizations
Find evil & solve crime through our products & services
Services
Incident Response
• Incident Response Management
• Malware Analysis
• Program Development
• Incident Response Exercises
Computer Forensics
• Forensic Examination
• Litigation Support
• Expert Testimony
Application & Network Security
• Application & Network Assessments
• Secure SDLC
• Product Testing
• Wireless Assessments
• Penetration Testing
• Social Engineering
• Architecture Design
Research & Development
• High-Sensitivity
• Emerging Issues
• Cutting Edge
The threats
Worms and bots
• Indiscriminate Internet users
• Spam, worms, etc.
Data breaches
• Money transfer operations
• Retailers / POS
• Card issuers
• Equipment manufacturers
Advanced Persistent Threat
• Government
• Defense Industrial Base
• Global organizations
• Supporting industries
MIR (Host Interrogations)
Made expressly for incident responders
− Based on years of IR knowledge
− Built by experienced system developers
The right forensic features
− Plus real scalability
− Equals enterprise IR at speed
Faster, less disruptive, less expensive
− Repeatable, more accurate investigations
− Comprehensively evaluate the environment
Accelerating enterprise IR
Investigate the entire infrastructure or just a subset, based on your needs. Use the MANDIANT-provided Indicator of Compromise DB or develop your own.
MIR Controller and Agents deployed pervasively… or only to systems of interest.
Remediation based on a more complete scope of the attack.
Organization postured to re-scan with new IOCs or conduct deep-dive investigations on specific assets.
NTAP Service (Network Analysis)
Identify Intruder Activities in Near Real-Time
− Detect and collect known malicious network traffic
− Automatically perform post-processing and decryption (when possible)
Describe Attackers' Activities and Movement
− Determine intent and process of compromise
− Determine and understand intruders' targeting and methodologies
− Discover exfiltrated data from encrypted network streams (when possible)
Provide an Actual Damage Assessment of Attackers' Activities
What's an indicator?
AND
  File Path: \system32\mtxes.dll
  File Name: Ripsvc32.dll
  Service DLL: Ripsvc32.dll
  PE Time Stamp: 2008/04/04 18:14:25
  MD5: 88195C3B0B349C4EDBE2AA725D3CF6FF
  Registry Path: \Services\Iprip\Parameters\ServiceDll
  Registry Text: Ripsvc32.dll
AND
  File Size: 50,000 to 90,000
OR
  File Name: SPBBCSvc.exe
  File Name: hinv32.exe
  File Name: vprosvc.exe
  File Name: wuser32.exe
OR
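Added example (not Mandiant's code and not MIR's indicator format): the slide's terms expressed as a boolean indicator tree and evaluated against constructed host snapshots, which is how an indicator of this shape is applied during a host interrogation. The grouping of the AND/OR nodes is an assumption, since the slide's layout does not survive the transcript; only the terms come from the slide.

```python
# Added example: evaluate an indicator of compromise, built from the slide's
# terms, against host snapshots. Node grouping is assumed, not from the slide.

def file_where(**conds):
    """One file on the host must satisfy every given attribute;
    a (lo, hi) tuple means an inclusive range (used for file size)."""
    def ok(f):
        for key, want in conds.items():
            have = f.get(key)
            if isinstance(want, tuple):
                if have is None or not (want[0] <= have <= want[1]):
                    return False
            elif have != want:
                return False
        return True
    return lambda host: any(ok(f) for f in host["files"])

def service_dll(dll):          # any service whose ServiceDll is this file
    return lambda host: dll in host["services"]

def registry(path, text):      # registry value at path equals text
    return lambda host: host["registry"].get(path) == text

def AND(*terms):
    return lambda host: all(t(host) for t in terms)

def OR(*terms):
    return lambda host: any(t(host) for t in terms)

INDICATOR = OR(
    AND(  # the Ripsvc32.dll service-DLL cluster: same file, same service
        file_where(name="Ripsvc32.dll", md5="88195C3B0B349C4EDBE2AA725D3CF6FF",
                   pe_timestamp="2008/04/04 18:14:25"),
        service_dll("Ripsvc32.dll"),
        registry(r"\Services\Iprip\Parameters\ServiceDll", "Ripsvc32.dll"),
    ),
    file_where(path=r"\system32\mtxes.dll", size=(50_000, 90_000)),
    OR(*(file_where(name=n) for n in
         ["SPBBCSvc.exe", "hinv32.exe", "vprosvc.exe", "wuser32.exe"])),
)

def matches(host):
    """True if the host snapshot satisfies the indicator tree."""
    return INDICATOR(host)

# Constructed snapshots (not real systems); size is in bytes.
CLEAN_HOST = {"files": [{"path": r"\system32\kernel32.dll", "name": "kernel32.dll",
                         "size": 1_000_000}],
              "services": ["iprip.dll"],
              "registry": {r"\Services\Iprip\Parameters\ServiceDll": "iprip.dll"}}
HIJACK_HOST = {"files": [{"path": r"\system32\Ripsvc32.dll", "name": "Ripsvc32.dll",
                          "size": 61_440, "md5": "88195C3B0B349C4EDBE2AA725D3CF6FF",
                          "pe_timestamp": "2008/04/04 18:14:25"}],
               "services": ["Ripsvc32.dll"],
               "registry": {r"\Services\Iprip\Parameters\ServiceDll": "Ripsvc32.dll"}}
```

Only a complete cluster (file hash and timestamp, plus the service registration pointing at it) fires the first branch; the file-name branch fires on a name alone, which is why such terms sit under their own OR.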
Washington, DC: 675 N. Washington Street, Suite 210, Alexandria, VA 22324, (703) 683-3141
New York: 24 West 40th, 9th Floor, New York, NY 10018, (212) 764-0435
Los Angeles: 400 Continental Blvd, El Segundo, CA 90245, (310) 426-2151