Mandiant® - Detect. Respond. Contain.

Incident Response

Experience Responding to Enterprise-Wide Incidents

Computer security incident response is Mandiant’s primary focus and expertise. Since 2004, Mandiant has performed hundreds of incident response investigations across all industries, organization sizes and technical environments.

Overview of Services

Unique Experience

Mandiant specializes in investigating large-scale intrusions performed by the most advanced threat groups. Mandiant uses the intelligence gathered during each investigation to improve its consultants’ ability to identify the actions of the attacker, the scope of the compromise, the data loss, the steps required to remove the attacker and the approach required to re-secure the network. Mandiant’s consultants have performed investigations of:

State-Sponsored Attacks

Sensitive data theft from virtually every industry including biotech companies, software companies, defense contractors, national research labs, manufacturing companies, law firms, think tanks and multinational corporations.

Financial Crime

Payment card fraud, illicit ACH/EFT cash transfers and ATM cash draw-downs at merchants, payment processors and financial institutions.

Insider Threats

Systems used by employees, board members and other insiders suspected of inappropriate or unlawful activity.

Advanced Technology

Mandiant has developed and maintains profiles of key attack groups including their tools, practices and objectives. By utilizing proprietary network traffic analysis and host inspection tools Mandiant consultants automate typical investigative tasks and leverage the intelligence Mandiant has generated during past investigations. This allows Mandiant consultants to investigate large-scale network intrusions more quickly and completely than is possible when traditional investigative techniques are used.

Mandiant's Approach

Mandiant is focused on helping organizations recover from computer security events while minimizing the impact of the event on the organization. The major activities Mandiant performs during an investigation are:

Assessing the Situation

Each investigation begins by gaining an understanding of the current situation. How was the issue detected? What data has been collected? What steps have been taken? What does the environment look like?

Verifying Client Objectives

The next step is to define objectives that are practical and achievable. The goal may be to identify data loss, recover from the event, determine the attack vector, identify the attacker - or some combination of those objectives.

Collecting Evidence

Mandiant consultants collect information with forensically sound procedures and document evidence handling with chain-of-custody procedures that are consistent with law enforcement standards.

Performing Analysis

Based on the evidence that is available and the client’s objectives Mandiant draws on skills that range from forensic imaging to malware and log analysis to determine the attack vector, establish a timeline of activity and identify the extent of the compromise.

Providing Management Direction

Mandiant believes that proper management of an investigation is just as important as the technical and investigative skills brought to bear during an incident. During each investigation Mandiant works closely with client management to provide detailed, structured and frequent status reports that communicate findings and equip its clients to make the right business decisions.

Developing Remediation Plans

Developing Remediation Plans:

Effective countermeasures and remediation plans are best developed in parallel with an investigation. Remediation plans vary depending on the extent of the compromise, the size of the organization and the tactics/objectives of the attacker. As part of an investigation Mandiant delivers a comprehensive remediation plan and assists with the implementation.

Developing Investigative Reporting

Mandiant places great emphasis on tracking and documenting all findings throughout an investigation. Mandiant provides a detailed investigative report at the end of every engagement that addresses the needs of multiple audiences including senior management, technical staff, third party regulators, insurers and litigators.

For Immediate Assistance
Related Items
Professional Affiliations & Certification
Learn more
Incident Response Services Datasheet
Download this Resource
Download M-Trends®
Download this Resource
M-Unition™ Blog

APT1 Three Months Later – Significantly Impacted, Though Active & Rebuilding

On 18 February 2013, Mandiant released a report exposing one of China’s cyber espionage units. The group, which Mandiant calls APT1, is one of the most prolific we track in terms of the sheer quantity of information it has stolen. The scale and impact of APT1′s operations compelled us to write the report and release more than 3,000 Indicators to help organizations defend against APT1’s tactics. Read the rest