The Power of Incident Response Technology

Many cyber incident response (IR) firms are technology agnostic, but Mandiant is different – we can utilize the security technology provided by our clients, as well as leverage FireEye’s technology stack to address limitations. Years of utilizing FireEye technology to increase visibility, speed, and improve the thoroughness of IR services have proven the value of having technology tailored to support response efforts. FireEye technology allows remote cyber incident response investigations to commence within hours, reducing response time, and the time and expense of having ‘boots on the ground’.

To enable rapid and comprehensive investigations, Mandiant incident response teams can deploy a mix of technologies to meet a customer’s investigative needs, and many of these same technologies have defensive capabilities that help protect the environment against additional attacks during the investigation. Mandiant currently uses the following FireEye technologies:

  • Endpoint Security (HX) on-premise appliances or cloud solution provides endpoint visibility. HX provides a combination of investigation, detection, and remediation technologies in a single endpoint agent. Mandiant leverages these capabilities to investigate initial client-provided leads, search the environment for indicators of historical compromise, and monitor real-time events.
  • Network Forensic (PX) on-premise appliances provide full packet capture that allows Mandiant to detect a broad array of security incidents, detect command and control callbacks, and assess information exposure and data theft.
  • FireEye Network Security (NX) on-premise appliances or cloud solutions provide a signature-less Multi-Vector Virtual Execution™ (MVX) engine that provides dynamic analysis and classification of malicious code transferred into an enterprise.
  • Email Security (EX Series) on-premise or cloud solution (provided by FireEye’s ETP solution) detects targeted e-mail attacks. Mandiant utilizes EX to identify ongoing attacks by analyzing email attachments and URLs against a comprehensive cross-matrix of operating systems, applications and web browsers. Mandiant can also prevent phishing emails from reaching the environment by blocking them when the technology is deployed in-line.

In addition to the advantages provided by combining FireEye technology with the client’s existing technology, there are often shortcomings with client-provided technology that FireEye’s technology is intended to address:

  • Endpoint detection and response (EDR) solutions are often not available or have not been fully deployed. Mandiant has found that deployed EDR on an as-needed basis is never the right solution. Tracking an attacker requires visibility into every endpoint to identify evidence of attacker activity wherever it might be found.
  • Traditional IDPS solutions, which are nearly ubiquitous, are effective at identifying early stages of intrusion activity such as scans, exploit attempts, and commodity malware, but are often limited in their ability detect post-exploitation activity such as lateral movement.  
  • SIEM solutions often are not scaled to aggregate all log sources from systems in the environment because it is impracticable. To address this, FireEye’s HX solution can facilitate quick access to server or application logs that reside only on an endpoint. Mandiant’s investigations have also shown that gaps exist in the logs forwarded to the SIEM. In addition, log ingestion and indexing issues can impact the completeness or ability to effectively search the information in a client SIEM.

If you’re still on the fence regarding the power of technology in cyber incident response, consider this recent remote Mandiant cyber incident response investigation. Mandiant was contacted by a multinational organization with tens of thousands of endpoints regarding a suspected breach. Within four hours of a third-party notification being sent to the client, we had deployed FireEye endpoint technology to 18,000 systems and we identified evidence of compromise. Six days later, we completed most of the investigation, including in-depth analysis of 80 endpoints. Eleven days after contacting Mandiant, the client was back to business as usual.

The benefits of technology in incident response are compelling. Visit our website to learn more about cyber incident response best practices and offerings.