The First to Know… Learn the Internal Signs of a Compromise

Two-thirds of organisations get notified about a breach from an external source – they don’t discover it themselves. So how do you ensure you know before others?
Through a mixture of techniques and highly skilled people who can analyse data and correlate an attack, especially if an APT is targeting your organisation. Mandiant has a healthy repository of Indicators of Compromise (IOC) built from our experience investigating some of the biggest breaches, which gives us a proven methodology to advise on the internal signs of compromise. Ideally, all organisations should see these signs before others do -- i.e., before we see them in public or on WikiLeaks.
In the last 15 years, we’ve made great advancements in forensics and in the tools and techniques for finding evidence of system compromise. However, to really keep pace with today’s organisational needs, we have to perform rapid response forensics at scale while sweeping for indicators of compromise. This can be done with some high-level Mandiant threat hunting methodologies and unique consultant techniques.
A compromise assessment is one way to identify an internal attack. We deploy network and host inspection technology: proprietary software and hardware designed by consultants for work in the field. We then assess the environment using intelligence from prior investigations. Mandiant’s library of Indicators of Compromise (IOC) looks for the tools used by threat actors and the techniques they use to gain access and maintain persistence. We apply these IOCs to evaluate network traffic, servers, workstations and laptops within a network for evidence of current and past attacker activity. We use our knowledge of attack groups and their tendencies to assess hosts and network traffic for evidence of attacker activity, and we analyse the IOCs. Forensics, malware and log analysis skills enable us to identify any evidence of compromise, which means organisations can be the first to find out if they’ve been attacked.
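To make the idea of "sweeping hosts for indicators of compromise" concrete, here is a small added example (not Mandiant's tooling, and not code from this post) that evaluates an IOC written as nested AND/OR terms, in the style of OpenIOC definitions, against constructed endpoint snapshots. The hostnames, file paths, hashes, mutex name and the IOC itself are invented for the example; a real sweep would take the snapshots from a collection agent and the IOC from a curated library.

```python
"""IOC sweep over constructed endpoint snapshots (added example, not Mandiant's code)."""
from typing import Any, Dict, List

# Constructed host snapshots, the shape of data a collection agent might return.
# Every hostname, path, hash and mutex below is made up for the example.
HOSTS: Dict[str, Dict[str, Any]] = {
    "ws-0142": {
        "files": {  # path -> SHA-256 (fake values)
            "c:\\windows\\temp\\svch0st.exe": "deadbeef" * 8,
            "c:\\windows\\system32\\svchost.exe": "00112233" * 8,
        },
        "run_keys": {  # persistence: Run key value name -> command
            "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater":
                "c:\\windows\\temp\\svch0st.exe",
        },
        "mutexes": ["Global\\example_rat_mutex"],
    },
    "srv-db-01": {  # has the mutex but no other corroborating artefact
        "files": {"c:\\windows\\system32\\svchost.exe": "00112233" * 8},
        "run_keys": {},
        "mutexes": ["Global\\example_rat_mutex"],
    },
    "ws-0200": {  # clean host
        "files": {"c:\\users\\bob\\downloads\\invoice.pdf": "cafebabe" * 8},
        "run_keys": {},
        "mutexes": [],
    },
}

# Constructed IOC: match on the known bad hash, OR on the combination of the
# implant's mutex AND a Run-key persistence entry pointing into a temp path.
# The AND group keeps a lone mutex name from producing a finding on its own.
EXAMPLE_IOC: Dict[str, Any] = {
    "name": "EXAMPLE-RAT (constructed)",
    "op": "OR",
    "items": [
        {"type": "file_sha256", "value": "deadbeef" * 8},
        {"op": "AND", "items": [
            {"type": "mutex", "value": "Global\\example_rat_mutex"},
            {"type": "run_key_path_contains", "value": "\\temp\\"},
        ]},
    ],
}


def _term_hits(term: Dict[str, Any], host: Dict[str, Any]) -> List[str]:
    """Return the artefacts on this host that satisfy one leaf indicator."""
    kind, value = term["type"], term["value"]
    if kind == "file_sha256":
        return [p for p, h in host["files"].items() if h.lower() == value.lower()]
    if kind == "file_name":
        return [p for p in host["files"] if p.lower().endswith("\\" + value.lower())]
    if kind == "mutex":
        return [m for m in host["mutexes"] if m == value]
    if kind == "run_key_path_contains":
        return [k for k, cmd in host["run_keys"].items() if value.lower() in cmd.lower()]
    raise ValueError(f"unknown indicator type {kind!r}")


def evaluate(node: Dict[str, Any], host: Dict[str, Any]) -> List[str]:
    """Evaluate an IOC node; return the supporting evidence, or [] on no match."""
    if "op" not in node:
        return _term_hits(node, host)
    results = [evaluate(child, host) for child in node["items"]]
    if node["op"] == "OR":
        return [e for r in results for e in r]      # any child suffices
    if node["op"] == "AND":
        return [e for r in results for e in r] if all(results) else []
    raise ValueError(f"unknown operator {node['op']!r}")


def sweep(iocs: List[Dict[str, Any]], hosts: Dict[str, Dict[str, Any]]) -> Dict[str, Dict[str, List[str]]]:
    """Apply every IOC to every host; return host -> IOC name -> evidence."""
    findings: Dict[str, Dict[str, List[str]]] = {}
    for hostname, host in hosts.items():
        for ioc in iocs:
            evidence = evaluate(ioc, host)
            if evidence:
                findings.setdefault(hostname, {})[ioc["name"]] = evidence
    return findings


if __name__ == "__main__":
    for hostname, hits in sweep([EXAMPLE_IOC], HOSTS).items():
        for name, evidence in hits.items():
            print(f"{hostname}: {name}")
            for item in evidence:
                print(f"    {item}")
```

The point of returning the evidence rather than a bare yes/no is that an analyst triaging a sweep across thousands of hosts needs to see which artefact fired; the AND/OR structure is what lets a single IOC encode "this hash, or this persistence pattern together with this runtime tell-tale" without flooding the queue with hits on one weak indicator.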
Many companies are confident their antivirus technology will alert them to this type of compromise. We know from experience that the more sophisticated an attack group is, the less likely it is that commodity tools will prevent its access or progression through an enterprise’s network. Whether a company is improving its security controls, adding a new data center, or merging with another network, there is always room for doubt about active breaches or signs of compromise. A compromise assessment ranges in length and complexity, but provides peace of mind. The top APT adversaries require a top-notch investigation.

We recently presented a webinar on this topic, which is available here.