who is mandiant?

Who is MANDIANT? Engineers, consultants, authors, instructors & security experts Chased criminals attacking the Fortune 500, govt. contractors, and multi-national banks Responded to over 1 million compromised systems in over 60 organizations Find evil & solve crime through our products & services

Upload: austin-mcintyre

Post on 31-Dec-2015



TRANSCRIPT

Page 1: Who is MANDIANT?

Who is MANDIANT?

Engineers, consultants, authors, instructors & security experts

Chased criminals attacking the Fortune 500, govt. contractors, and multi-national banks

Responded to over 1 million compromised systems in over 60 organizations

Find evil & solve crime through our products & services

Page 2: Who is MANDIANT?

Services

Incident Response
• Incident Response Management
• Malware Analysis
• Program Development
• Incident Response Exercises

Computer Forensics
• Forensic Examination
• Litigation Support
• Expert Testimony

Application & Network Security
• Application & Network Assessments
• Secure SDLC
• Product Testing
• Wireless Assessments
• Penetration Testing
• Social Engineering
• Architecture Design

Research & Development
• High-Sensitivity
• Emerging Issues
• Cutting Edge

Page 3: Who is MANDIANT?

The threats

Worms and bots
• Indiscriminate Internet users
• Spam, worms, etc.

Data breaches
• Money transfer operations
• Retailers / POS
• Card issuers
• Equipment manufacturers

Advanced Persistent Threat
• Government
• Defense Industrial Base
• Global organizations
• Supporting industries

Page 4: Who is MANDIANT?

MIR (Host Interrogations)

Made expressly for incident responders
− Based on years of IR knowledge
− Built by experienced system developers

The right forensic features
− Plus real scalability
− Equals enterprise IR at speed

Faster, less disruptive, less expensive
− Repeatable, more accurate investigations
− Comprehensively evaluate the environment

Page 5: Who is MANDIANT?

Accelerating enterprise IR

Investigate entire infrastructure or just a subset based on your needs. Use MANDIANT provided Indicator of Compromise DB or develop your own.

MIR Controller and Agents deployed pervasively… or only to systems of interest.

Remediation based on a more complete scope of the attack.

Organization postured to re-scan with new IOCs or conduct deep-dive investigations on specific assets.


Page 6: Who is MANDIANT?

NTAP Service (Network Analysis)

Identify Intruder Activities in Near Real-Time
− Detect and collect known malicious network traffic
− Automatically perform post-processing and decryption (when possible)

Describe Attackers' Activities and Movement
− Determine intent and process of compromise
− Determine and understand intruders' targeting and methodologies
− Discover exfiltrated data from encrypted network streams (when possible)

Provide an Actual Damage Assessment of Attackers' Activities

Page 7: Who is MANDIANT?

What's an indicator?

AND

File Path: \system32\mtxes.dll
File Name: Ripsvc32.dll
Service DLL: Ripsvc32.dll
PE Time Stamp: 2008/04/04 18:14:25
MD5: 88195C3B0B349C4EDBE2AA725D3CF6FF

Registry Path: \Services\Iprip\Parameters\ServiceDll
Registry Text: Ripsvc32.dll

AND

File Size: 50,000 to 90,000

OR

File Name: SPBBCSvc.exe
File Name: hinv32.exe
File Name: vprosvc.exe
File Name: wuser32.exe

OR
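The slide shows an indicator as a boolean tree of host artifacts (file name, hash, PE timestamp, service DLL, registry value, size range) joined by AND and OR. The following is an added example, not MANDIANT or MIR code: a small evaluator that runs such a tree over a constructed host snapshot. The nesting of the slide's terms into an OR of two AND groups is an assumed reading of the slide layout, and the host records are constructed sample data.

```python
# Constructed host snapshot (not real data): the file and registry artifacts
# a host agent would collect from one system.
HOST = {
    "files": [
        {"name": "Ripsvc32.dll", "path": r"C:\WINDOWS\system32\Ripsvc32.dll", "size": 61440,
         "md5": "88195c3b0b349c4edbe2aa725d3cf6ff", "pe_timestamp": "2008/04/04 18:14:25",
         "service_dll": "Ripsvc32.dll"},
        {"name": "notepad.exe", "path": r"C:\WINDOWS\system32\notepad.exe", "size": 69120,
         "md5": "d41d8cd98f00b204e9800998ecf8427e"},  # MD5 of empty input, stand-in value
    ],
    "registry": [{"path": r"HKLM\SYSTEM\CurrentControlSet\Services\Iprip\Parameters\ServiceDll",
                  "text": "Ripsvc32.dll"}],
}
# A subset of the slide's terms. The nesting (OR of two AND groups) is an assumed
# reading of the slide; leaf = (item type, field, operator, value).
NAMES = ("SPBBCSvc.exe", "hinv32.exe", "vprosvc.exe", "wuser32.exe")
INDICATOR = ("OR", [
    ("AND", [
        ("file", "name", "eq", "Ripsvc32.dll"),
        ("file", "service_dll", "eq", "Ripsvc32.dll"),
        ("file", "pe_timestamp", "eq", "2008/04/04 18:14:25"),
        ("file", "md5", "eq", "88195C3B0B349C4EDBE2AA725D3CF6FF"),
        ("registry", "path", "endswith", r"\Services\Iprip\Parameters\ServiceDll"),
        ("registry", "text", "eq", "Ripsvc32.dll"),
    ]),
    ("AND", [
        ("file", "size", "between", (50000, 90000)),
        ("OR", [("file", "name", "eq", n) for n in NAMES]),
    ]),
])
OPS = {  # case-insensitive comparisons, as Windows paths and names are
    "eq": lambda a, v: str(a).lower() == str(v).lower(),
    "endswith": lambda a, v: str(a).lower().endswith(v.lower()),
    "between": lambda a, v: v[0] <= a <= v[1],
}

def _leaf_ok(term, item):
    _, field, op, value = term
    actual = item.get(field)
    return actual is not None and OPS[op](actual, value)

def evaluate(node, host, bound=None):
    """True if the host matches. Under an AND, all file terms must describe the SAME file."""
    if node[0] == "AND":  # bind each candidate file in turn so name, hash and size agree
        return any(all(evaluate(c, host, f) for c in node[1]) for f in host["files"] or [None])
    if node[0] == "OR":
        return any(evaluate(c, host, bound) for c in node[1])
    if node[0] == "registry":
        return any(_leaf_ok(node, r) for r in host["registry"])
    return any(_leaf_ok(node, f) for f in ([bound] if bound is not None else host["files"]))
```

The same-file binding under AND is what stops a benign 69 KB file and an unrelated suspicious name from jointly satisfying the size-plus-name group.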

Page 8: Who is MANDIANT?

Washington, DC
675 N. Washington Street
Suite 210
Alexandria, VA 22324
(703) 683-3141

New York
24 West 40th, 9th Floor
New York, NY 10018
(212) 764-0435

Los Angeles
400 Continental Blvd
El Segundo, CA 90245
(310) 426-2151