Experience Responding to Enterprise-Wide Incidents
Computer security incident response is Mandiant’s primary focus and expertise. Since 2004, Mandiant has performed hundreds of incident response investigations across all industries, organization sizes and technical environments.
Overview of Services
Mandiant specializes in investigating large-scale intrusions performed by the most advanced threat groups. Mandiant uses the intelligence gathered during each investigation to improve its consultants’ ability to identify the actions of the attacker, the scope of the compromise, the data loss, the steps required to remove the attacker and the approach required to re-secure the network. Mandiant’s consultants have performed investigations of:
Sensitive data theft from virtually every industry including biotech companies, software companies, defense contractors, national research labs, manufacturing companies, law firms, think tanks and multinational corporations.
Payment card fraud, illicit ACH/EFT cash transfers and ATM cash draw-downs at merchants, payment processors and financial institutions.
Systems used by employees, board members and other insiders suspected of inappropriate or unlawful activity.
Mandiant is focused on helping organizations recover from computer security events while minimizing the impact of the event on the organization. The major activities Mandiant performs during an investigation are:
Assessing The Situation
Each investigation begins by gaining an understanding of the current situation. How was the issue detected? What data has been collected? What steps have been taken? What does the environment look like?
Verifying Client Objectives
The next step is to define objectives that are practical and achievable. The goal may be to identify data loss, recover from the event, determine the attack vector, identify the attacker - or some combination of those objectives.
Mandiant consultants collect information with forensically sound procedures and document evidence handling with chain-of-custody procedures that are consistent with law enforcement standards.
Based on the evidence that is available and the client’s objectives Mandiant draws on skills that range from forensic imaging to malware and log analysis to determine the attack vector, establish a timeline of activity and identify the extent of the compromise.
Providing Management Direction
Mandiant believes that proper management of an investigation is just as important as the technical and investigative skills brought to bear during an incident. During each investigation Mandiant works closely with client management to provide detailed, structured and frequent status reports that communicate findings and equip its clients to make the right business decisions.
Developing Remediation Plans:
Effective countermeasures and remediation plans are best developed in parallel with an investigation. Remediation plans vary depending on the extent of the compromise, the size of the organization and the tactics/objectives of the attacker. As part of an investigation Mandiant delivers a comprehensive remediation plan and assists with the implementation.
Developing Investigative Reporting
Mandiant places great emphasis on tracking and documenting all findings throughout an investigation. Mandiant provides a detailed investigative report at the end of every engagement that addresses the needs of multiple audiences including senior management, technical staff, third party regulators, insurers and litigators.