Mandiant - The Security Network

Who is MANDIANT?
- Engineers, consultants, authors, instructors & security experts
- Chased criminals attacking the Fortune 500, govt. contractors, and multinational banks
- Responded to over 1 million compromised systems in over 60 organizations
- Find evil & solve crime through our products & services
Services
- Incident Response
  - Incident Response Management
  - Malware Analysis
  - Program Development
  - Incident Response Exercises
- Computer Forensics
  - Forensic Examination
  - Litigation Support
  - Expert Testimony
- Application & Network Security
  - Application & Network Assessments
  - Secure SDLC
  - Product Testing
  - Wireless Assessments
  - Penetration Testing
  - Social Engineering
  - Architecture Design
- Research & Development
  - High-Sensitivity
  - Emerging Issues
  - Cutting Edge

The threats
MIR (Host Interrogations)
- Made expressly for incident responders
- The right forensic features
- Based on years of IR knowledge
- Built by experienced system developers
- Plus real scalability
- Equals enterprise IR at speed
  - Faster, less disruptive, less expensive
  - Repeatable, more accurate investigations
  - Comprehensively evaluate the environment
Accelerating enterprise IR
MIR Controller and Agents are deployed pervasively, or only to systems of interest. Investigate the entire infrastructure or just a subset, based on your needs. Use the MANDIANT-provided Indicator of Compromise DB or develop your own. Remediation is based on a more complete scope of the attack. The organization is postured to re-scan with new IOCs or to conduct deep-dive investigations on specific assets.
NTAP Service (Network Analysis)
- Identify Intruder Activities in Near Real-Time
  - Detect and collect known malicious network traffic
  - Automatically perform post-processing and decryption (when possible)
- Describe Attackers' Activities and Movement
  - Determine intent and process of compromise
  - Determine and understand intruders' targeting and methodologies
  - Discover exfiltrated data from encrypted network streams (when possible)
- Provide an Actual Damage Assessment of Attackers' Activities
What's an indicator?
An indicator of compromise is a set of host artifact terms (file paths and names, hashes, PE timestamps, service DLLs, registry values, size ranges) combined with AND/OR logic, so that one indicator can describe several variants of the same intrusion. The terms and operators on this slide:
File Path: \system32\mtxes.dll
File Name: Ripsvc32.dll
Service DLL: Ripsvc32.dll
OR
PE Time Stamp: 2008/04/04 18:14:25
MD5: 88195C3B0B349C4EDBE2AA725D3CF6FF
Registry Path: \Services\Iprip\Parameters\ServiceDll
AND
Registry Text: Ripsvc32.dll
File Name: SPBBCSvc.exe
OR
AND
File Name: hinv32.exe
File Name: vprosvc.exe
File Name: wuser32.exe
File Size: 50,000 to 90,000
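The slide shows the pieces of an indicator but not how an agent decides whether a host matches it. The Python below is an added example, not Mandiant or MIR code: it evaluates an AND/OR tree of artifact terms against artifacts collected from a host. Nesting the slide's terms into the groups shown is an assumption (the extraction lost the slide's indentation), and the two host collections are constructed for the example. It also shows the check a practitioner wants in such an evaluator: an AND whose terms describe the same artifact type should only fire when one and the same item satisfies all of them, otherwise a clean host with a legitimate, larger hinv32.exe and an unrelated 64 KB file lights up the last clause.

```python
"""Evaluate a boolean host indicator (an AND/OR tree of artifact terms like
the one on the slide) against artifacts collected from a host.

Added example, not Mandiant or MIR code. Nesting the slide's terms into the
tree below is an assumption (the extraction lost the slide's indentation);
the host artifact collections are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Set, Union

Matches = Dict[str, Set[int]]   # artifact type -> ids of the items that matched


@dataclass
class Term:
    artifact: str        # list on the host to search: "files", "services", "registry"
    key: str             # field of one item in that list
    value: Any           # string to compare, or (low, high) for mode "between"
    mode: str = "is"     # "is" (case-insensitive equality), "endswith", "between"

    def matches(self, item: dict) -> bool:
        actual = item.get(self.key)
        if actual is None:
            return False
        if self.mode == "between":
            low, high = self.value
            return low <= actual <= high
        got, want = str(actual).lower(), str(self.value).lower()
        return got.endswith(want) if self.mode == "endswith" else got == want


@dataclass
class Node:
    op: str                                    # "AND" or "OR"
    children: List[Union[Term, "Node"]] = field(default_factory=list)


def evaluate(node: Union[Term, Node], host: dict, same_item: bool = True) -> Matches:
    """Return {artifact: {ids}} of the items satisfying `node`; {} means no hit.

    With same_item=True, an AND whose clauses name the same artifact type only
    fires when one and the same item satisfies all of them (a file that is
    named wuser32.exe AND is 50-90 KB). With same_item=False each clause is
    checked on its own, which is how a naive evaluator behaves and is where
    false positives on clean hosts come from.
    """
    if isinstance(node, Term):
        ids = {i for i, it in enumerate(host.get(node.artifact, [])) if node.matches(it)}
        return {node.artifact: ids} if ids else {}
    merged: Matches = {}
    for child in node.children:
        result = evaluate(child, host, same_item)
        if node.op == "AND" and not result:
            return {}                          # one failed clause fails the AND
        for artifact, ids in result.items():
            if node.op == "AND" and same_item and artifact in merged:
                merged[artifact] &= ids        # must be the same item(s)
                if not merged[artifact]:
                    return {}
            else:
                merged.setdefault(artifact, set()).update(ids)
    return merged


def indicator_hits(ioc: Union[Term, Node], host: dict, same_item: bool = True) -> bool:
    return bool(evaluate(ioc, host, same_item))


def sweep(hosts: Dict[str, dict], ioc: Union[Term, Node]) -> List[str]:
    """Names of the hosts on which the indicator fires (an agent-style sweep)."""
    return [name for name, host in hosts.items() if indicator_hits(ioc, host)]


# The slide's terms, nested as assumed (see module docstring).
IPRIP_IOC = Node("OR", [
    Term("files", "path", r"\system32\mtxes.dll", "endswith"),
    Term("files", "name", "Ripsvc32.dll"),
    Term("services", "dll", "Ripsvc32.dll"),
    Node("AND", [Term("files", "pe_timestamp", "2008/04/04 18:14:25"),
                 Term("files", "md5", "88195C3B0B349C4EDBE2AA725D3CF6FF")]),
    Node("AND", [Term("registry", "path", r"\Services\Iprip\Parameters\ServiceDll", "endswith"),
                 Term("registry", "text", "Ripsvc32.dll")]),
    Term("files", "name", "SPBBCSvc.exe"),
    Node("AND", [Node("OR", [Term("files", "name", "hinv32.exe"),
                             Term("files", "name", "vprosvc.exe"),
                             Term("files", "name", "wuser32.exe")]),
                 Term("files", "size", (50_000, 90_000), "between")]),
])

# Constructed host collections (not real data). The clean host deliberately has
# a legitimate 412 KB hinv32.exe and an unrelated 64 KB file, so the last AND
# clause is satisfied only if its two terms are allowed to hit different files.
CLEAN_HOST = {
    "files": [
        {"path": r"C:\Windows\system32\kernel32.dll", "name": "kernel32.dll", "size": 989_696},
        {"path": r"C:\Program Files\Tools\hinv32.exe", "name": "hinv32.exe", "size": 412_000},
        {"path": r"C:\Temp\notes.txt", "name": "notes.txt", "size": 64_000},
    ],
    "services": [{"name": "Iprip", "dll": "iprip.dll"}],
    "registry": [{"path": r"HKLM\SYSTEM\CurrentControlSet\Services\Iprip\Parameters\ServiceDll",
                  "text": "iprip.dll"}],
}
INFECTED_HOST = {
    "files": [{"path": r"C:\Windows\system32\wuser32.exe", "name": "wuser32.exe", "size": 61_440}],
    "services": [{"name": "Iprip", "dll": "Ripsvc32.dll"}],
    "registry": [{"path": r"HKLM\SYSTEM\CurrentControlSet\Services\Iprip\Parameters\ServiceDll",
                  "text": "Ripsvc32.dll"}],
}

if __name__ == "__main__":
    fleet = {"ws01": CLEAN_HOST, "ws02": INFECTED_HOST}
    print("same-item AND:", sweep(fleet, IPRIP_IOC))
    print("naive AND    :", [n for n, h in fleet.items() if indicator_hits(IPRIP_IOC, h, False)])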
- Washington, DC: 675 N. Washington Street, Suite 210, Alexandria, VA 22324, (703) 683-3141
- New York: 24 West 40th, 9th Floor, New York, NY 10018, (212) 764-0435
- Los Angeles: 400 Continental Blvd, El Segundo, CA 90245, (310) 426-2151