Compromise Assessment Datasheet

Mandiant’s Compromise Assessment service helps organizations evaluate if they have been compromised by advanced attack groups and if attackers are currently active in their environment

Mandiant’s Compromise Assessment is a unique service that allows organizations to evaluate their networks for the presence of advanced attack group activity. The Compromise Assessment has helped organizations identify and address issues that, in some cases, had existed for years and resulted in the theft of valuable intellectual property.


The Mandiant Difference

  • Investigative skills
    Technical & investigative skills developed over the course of hundreds of investigations.
  • Threat intelligence
    Profiles of key attack groups including their tools, practices and objectives along with corresponding Indicators of Compromise.
  • Technology
    Proprietary tools that automate investigative tasks and enable network traffic and host-based artifacts to be rapidly evaluated—even across networks that contain hundreds of thousands of systems.
  • Management experience
    Experience providing guidance and advice on the business impact of computer security decisions.
  • Dedicated malware team
    A team focused solely on reverse engineering malicious software and researching the latest exploits.

Designed to Identify Targeted Attacks

Over the past several years, advanced attack groups—often backed by organized crime syndicates and nation states—have targeted government and private sector organizations. These advanced attackers seek to remain undetected so that they can steal data over an extended period of time. They develop custom malware and use tactics that can often be difficult to detect using conventional approaches.

Evidence of Attack Groups

Mandiant uses experience gained over hundreds of investigations when assessing networks for the presence of various indicators of compromise including:

Re-used custom malware: Custom malware is often developed at great expense to the attack group. Consequently, they prefer to reuse it—or variants that have similar characteristics. Attack groups can oftentimes be discovered by identifying malware analyzed during prior investigations.

Persistence mechanisms: A number of techniques can be used to establish persistence on a system. Windows registry entries can store malware execution parameters, malware can be placed in the Startup folder, and legitimate system binaries can be trojanized. Knowing what attack groups commonly do allows Mandiant to look for instances of those persistence mechanisms.

Lateral movement techniques: Most advanced attack groups obtain valid privileged credentials and use them to assess the environment. Knowing how they obtain those credentials and what tools they use to access other systems enables Mandiant to search for log and forensic evidence that is indicative of that attacker activity.


Our Approach

The Compromise Assessment couples Mandiant’s specialized knowledge of advanced attackers’ tools, techniques and practices with Mandiant’s proprietary technology to determine if attackers are currently in the environment or have been active in the past. The major activities Mandiant performs during a Compromise Assessment are:

Deploying network- & host-based inspection technology

Proprietary technology is deployed at Internet egress points and on host systems such as servers, workstations and laptops.

Assessing environment using intelligence from prior investigations

Mandiant has developed a detailed library of Indicators of Compromise (IOCs) that utilize host-based artifacts and network traffic signatures to identify the presence of attackers. Mandiant consultants apply these IOCs to evaluate network traffic, servers, workstations and laptops within the network for evidence of current and past attacker activity.
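The IOC step above, together with the reused-malware, persistence and lateral-movement evidence described under "Evidence of Attack Groups", comes down to applying a library of indicators to two kinds of data: host-based artifacts (file hashes, registry Run-key values, Startup-folder entries) and network records (connections to known command-and-control addresses). The following Python is an added example written for this page, not Mandiant's technology or its IOC library; every hash, path, hostname, IP address and firewall log line in it is constructed for illustration (the IP addresses come from the RFC 5737 documentation ranges).

```python
"""Apply a small IOC library to constructed host artifacts and firewall log lines.

Added example; the indicators, hosts and log lines below are constructed, not real.
"""
import hashlib
import re
from collections import defaultdict

# Constructed "known malware" sample; its SHA-256 plays the role of a file-hash IOC.
MALWARE_SAMPLE = b"CONSTRUCTED-MALWARE-SAMPLE-BYTES"

# Constructed IOC library grouped by artifact type.
IOC_LIBRARY = {
    "file_hashes": {hashlib.sha256(MALWARE_SAMPLE).hexdigest()},
    "run_key_values": {r"C:\Windows\Temp\svchost32.exe"},   # registry Run-key command
    "startup_files": {"updater.lnk"},                        # Startup-folder filename
    "c2_addresses": {"192.0.2.10", "198.51.100.77"},         # command-and-control IPs
}

# Constructed host artifact collections, as a host-based agent might return them.
HOSTS = [
    {
        "hostname": "WS-0142",
        "files": {
            r"C:\Windows\Temp\svchost32.exe": MALWARE_SAMPLE,
            r"C:\Windows\System32\notepad.exe": b"benign-binary-content",
        },
        "run_keys": {"Updater": r"C:\Windows\Temp\svchost32.exe"},
        "startup_folder": ["updater.lnk"],
    },
    {
        "hostname": "WS-0207",
        "files": {r"C:\Windows\System32\notepad.exe": b"benign-binary-content"},
        "run_keys": {"OneDrive": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
        "startup_folder": [],
    },
]

# Constructed firewall log in a simple key=value format.
FIREWALL_LOG = """\
2023-04-02T01:12:07Z src=10.1.4.142 dst=192.0.2.10 dport=443 action=ALLOW
2023-04-02T01:12:09Z src=10.1.4.207 dst=203.0.113.5 dport=443 action=ALLOW
2023-04-02T03:40:11Z src=10.1.7.55 dst=198.51.100.77 dport=8080 action=ALLOW
2023-04-02T03:41:00Z src=10.1.4.142 dst=192.0.2.10 dport=443 action=ALLOW
"""

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def match_host(host, iocs):
    """Return a list of (indicator_type, detail) hits for one host's artifacts."""
    hits = []
    for path, content in host["files"].items():
        digest = hashlib.sha256(content).hexdigest()
        if digest in iocs["file_hashes"]:
            hits.append(("file_hash", f"{path} sha256={digest[:12]}..."))
    for name, command in host["run_keys"].items():
        if command in iocs["run_key_values"]:
            hits.append(("run_key", f"{name} -> {command}"))
    for filename in host["startup_folder"]:
        if filename.lower() in iocs["startup_files"]:
            hits.append(("startup_folder", filename))
    return hits


def match_firewall_log(log_text, iocs):
    """Map each known C2 address to the sorted internal sources that connected to it."""
    talkers = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("dst") in iocs["c2_addresses"]:
            talkers[m.group("dst")].add(m.group("src"))
    return {c2: sorted(sources) for c2, sources in talkers.items()}


def assess(hosts, log_text, iocs):
    """Run host and network IOC matching; only hosts with at least one hit are reported."""
    host_hits = {}
    for host in hosts:
        hits = match_host(host, iocs)
        if hits:
            host_hits[host["hostname"]] = hits
    return {"host_hits": host_hits, "network_hits": match_firewall_log(log_text, iocs)}


if __name__ == "__main__":
    result = assess(HOSTS, FIREWALL_LOG, IOC_LIBRARY)
    for hostname, hits in result["host_hits"].items():
        for kind, detail in hits:
            print(f"{hostname}: {kind}: {detail}")
    for c2, sources in result["network_hits"].items():
        print(f"C2 {c2} contacted by: {', '.join(sources)}")
```

The network side mirrors the pivot in the case study below: once malware analysis yields the addresses a sample talks to, the firewall log is the quickest way to enumerate every internal system that has contacted them, and each of those systems then needs host-level collection of its own.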

Assessing the environment for anomalies

Mandiant uses its knowledge of attack groups and their tendencies to assess hosts and network traffic for evidence of attacker activity. In this phase the focus is on “edge analysis”—systems or traffic that have different attributes than are typically seen in the environment.
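One concrete form of the "edge analysis" described above is stacking: collect the same artifact (here, autorun entries) from every host, count how many hosts share each value, and review the values that appear on only one or two systems, since software that is standard in the environment appears everywhere while an implant typically does not. The Python below is an added example for this page, not Mandiant's tooling; the hostnames and autorun entries are constructed. It normalizes per-user profile paths before counting, because otherwise the same legitimate program installed under different user profiles would itself look rare.

```python
"""Edge analysis by stacking autorun entries across a fleet.

Added example with a constructed inventory; the hosts and entries are not real data.
"""
import re
from collections import defaultdict

# Constructed inventory: hostname -> set of (autorun name, command) entries.
AUTORUNS = {
    "WS-0101": {("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
                ("AV", r"C:\Program Files\AV\av.exe")},
    "WS-0102": {("OneDrive", r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
                ("AV", r"C:\Program Files\AV\av.exe")},
    "WS-0103": {("OneDrive", r"C:\Users\carol\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
                ("AV", r"C:\Program Files\AV\av.exe"),
                ("Updater", r"C:\Windows\Temp\svchost32.exe")},
    "WS-0104": {("AV", r"C:\Program Files\AV\av.exe"),
                ("Printer", r"C:\Program Files\Vendor\printmon.exe")},
    "WS-0105": {("AV", r"C:\Program Files\AV\av.exe"),
                ("Printer", r"C:\Program Files\Vendor\printmon.exe")},
}

# Matches the per-user part of a profile path, e.g. "c:\users\alice\".
USER_PATH = re.compile(r"c:\\users\\[^\\]+\\", re.IGNORECASE)


def normalize(command):
    """Lower-case the command and collapse the user name so per-user installs stack together."""
    return USER_PATH.sub(lambda _m: "c:\\users\\<user>\\", command.lower())


def stack(inventory):
    """Return {normalized command: sorted list of hosts on which it is an autorun}."""
    hosts_by_command = defaultdict(set)
    for host, entries in inventory.items():
        for _name, command in entries:
            hosts_by_command[normalize(command)].add(host)
    return {command: sorted(hosts) for command, hosts in hosts_by_command.items()}


def rare_entries(inventory, max_hosts=1):
    """Entries present on at most max_hosts hosts, rarest first; these are the review queue."""
    stacked = stack(inventory)
    rare = [(command, hosts) for command, hosts in stacked.items() if len(hosts) <= max_hosts]
    return sorted(rare, key=lambda item: (len(item[1]), item[0]))


if __name__ == "__main__":
    for command, hosts in rare_entries(AUTORUNS, max_hosts=2):
        print(f"{len(hosts)} host(s): {command} on {', '.join(hosts)}")
```

Stacking finds what is unusual, not what is malicious: the rare entries still go through the evidence-analysis step (file hash, signer, on-disk image, timeline) before anything is called a finding, which is why the printer-monitor entry on two hosts and the unknown executable in a temp directory on one host both land in the queue and are then treated differently.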

Analyzing evidence

When Mandiant identifies Indicators of Compromise or anomalies, consultants draw on skills that range from forensic imaging to malware and log analysis. Mandiant performs these activities to confirm the finding reflects malicious activity or to determine the finding is a false positive.

Summarizing findings

At the conclusion of the Compromise Assessment, Mandiant provides a detailed report that summarizes the steps taken during the assessment, the major findings and recommendations for next steps—if appropriate.

Unique Experience

Mandiant’s Compromise Assessments have identified targeted intrusions within highly challenging environments and in situations where attackers had gone undetected for months.

Case Study

  • Law enforcement informed a law firm that it was the target of an advanced attack group. Because this information was obtained during a classified investigation, no further information could be shared with the law firm.
  • Mandiant used its proprietary technology to evaluate all Windows systems in the environment. It found that one system contained malware developed by an advanced attack group that Mandiant had seen in a prior investigation.
  • Malware analysis led to the identification of IP addresses being used by the malware. Subsequent firewall log analysis led to the identification of a dozen systems communicating with those IP addresses.
  • The Compromise Assessment became an incident response investigation. By the end of the investigation it was determined that the attacker had been in the environment for at least two years, had compromised more than thirty systems, and had been stealing all email from several senior partners throughout the entire time period.