An Intriguing Update to Mandiant Advantage

Colby DeRodeff, Jonathan Cran
Aug 10, 2021
Last updated: Aug 10, 2023

Today Mandiant made a significant announcement in furthering the capabilities of the Mandiant Advantage SaaS platform with the acquisition of an emerging Attack Surface Management (ASM) leader, Intrigue. With this acquisition we also welcome Jonathan Cran and the Intrigue team to the Mandiant family. We are very excited to have Jonathan, a known industry visionary and entrepreneur, join Mandiant as we continue to build out our Advantage capabilities.

ASM is a quickly emerging category that delivers value through visibility of assets and exposures across an organization's internet-facing attack surface. It fills the gap between asset discovery, vulnerability management and threat intelligence. The best ASM products make intelligence operational by integrating many open, on-premises and cloud data sources, so that exposures are correlated with critical assets and fixed as quickly as possible.

Intrigue stood out as we looked at the ASM space. The team has been working closely with government and large enterprises for the last few years, gaining impressive traction and scale. The platform demonstrated the flexibility, deep domain model, and the ability to quickly operationalize intelligence—exactly what Mandiant Advantage customers need.

Given this emerging space, and in the wake of large-scale attacks exploiting widely deployed software such as Accellion FTA, SolarWinds Orion and Microsoft Exchange, as well as other large-scale supply chain breaches, we wanted to put Intrigue's capabilities into the hands of our customers. The integration of the Intrigue team and platform brings us closer to our goal of ensuring critical intelligence can be quickly disseminated, driving action for security teams across every facet of their operation.

Attack Surface Management Within Mandiant Advantage

As we integrate the Intrigue platform over the coming months, we are committed to delivering ever-increasing cross-module value to our Mandiant Advantage customers. The following are just a few highlights:

  • Visibility of both known and unknown assets. You can't fix what you don't know about, and Intrigue's approach to unknown asset discovery is the best we've seen. By integrating many disparate sources and treating asset discovery as a continuous investigation process, in which every newly found name or host is itself queried for further leads, unknown assets can be found, categorized and managed. This capability is the foundation for everything that follows, yet most security teams struggle to implement it fully today.
  • Deep insight into exposure. Visibility of assets alone is not enough to prioritize action. Without information about the importance of a given asset and its vulnerabilities, prioritization is impossible. Through active, direct interaction with the asset to test for critical vulnerabilities, we can confirm exposure rather than infer it from a version banner, and when a fire drill is needed, we can sound the alarm with confidence.
  • Threat and intelligence-driven vulnerability awareness. Finally, and perhaps most importantly, detecting exposure is only useful if the latest intelligence can be quickly operationalized, ideally tailored to a customer's actual attack surface. This is the killer app: ensuring that detections made with boots on the ground reach all customers as quickly as possible, ultimately driving fewer and less severe incidents.

Better Together — the Mandiant Advantage SaaS Platform

Launched in October of 2020, Mandiant Advantage brings technology scale to the expertise and intelligence gained on the front lines of Incident Response. Advantage is the SaaS interface and central location to access the Mandiant technology suite. With the addition of Intrigue to the portfolio, Advantage will now incorporate an ASM module that can be combined with Threat Intelligence, Automated Defense and Security Validation.


ASM is a significant addition to the Mandiant Advantage platform and to a defender's ability to discover impact and prioritize defenses based on risk. Let's take a quick look at how the modules operate and interact.

Threat Intelligence: Intelligence from the front lines. Allows a defender to know what tactics and techniques adversaries are leveraging RIGHT NOW. When attackers exploit a given vulnerability, we see which tactics accompany it, and we are able to identify the specific indicators of compromise (IoCs) and the technology stacks being targeted. By combining ASM and Threat Intelligence, organizations will be able to operationalize, contextualize and prioritize the new intelligence that is most relevant to them.

Security Validation: Measures the effectiveness of the security controls deployed within an organization, allowing security teams to optimize, rationalize and prioritize their security efforts from both a budget and a staffing perspective. By integrating intelligence into the Security Validation program, controls can be tested against the latest TTPs actively being leveraged by threat actors. By combining ASM and Security Validation, organizations can validate whether their security controls are effectively blocking or detecting attacks against their external attack surface.

Automated Defense: Combines expertise and intelligence with machine learning to power SOC event and alert correlation and triage; it is like having a machine-based Mandiant analyst integrated into your security program. The expert models analyze billions of events and alerts from multi-vendor controls to find true positives and incidents, saving large numbers of analyst hours. By combining ASM and Automated Defense, attack-surface context is fed into Automated Defense, making alerts more relevant and actionable.

Attack Surface Management: ASM provides a continuous, scalable approach to discovering thousands of different asset and exposure types across on-premises, cloud and SaaS application environments. Not only are assets discovered, but the technologies in use are identified and vulnerabilities are confirmed, not just inferred from a product name and version. By feeding the rest of the Mandiant Advantage suite into ASM, information about the attack surface is prioritized and validated, allowing cyber defenders to reduce their external exposures efficiently and effectively.
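To make the ASM loop described above concrete (continuous discovery from seeds, technology identification, and confirmed-versus-inferred vulnerability status feeding prioritization), here is an added toy implementation. It is illustration only, not Intrigue or Mandiant code; every data source (DNS records, certificate SANs, fingerprints, the active-check outcome and the intel item) is a constructed in-memory stand-in, and all names such as `acme.example`, `ACME-Tech` and `INTEL-EXAMPLE-1` are hypothetical.

```python
"""Toy attack-surface discovery and exposure prioritization (added example)."""
from collections import deque

# Constructed stand-in for passive DNS: name -> [(record_type, value)]
DNS = {
    "acme.example": [("A", "203.0.113.10"), ("MX", "mail.acme.example")],
    "mail.acme.example": [("A", "203.0.113.25")],
    "www.acme.example": [("CNAME", "acme-prod.cloudhost.example")],
    "acme-prod.cloudhost.example": [("A", "198.51.100.7")],
    "legacy.acme.example": [("A", "203.0.113.99")],
}
# Constructed stand-in for certificate-transparency data: name -> SANs seen on its certs
CT_SANS = {
    "acme.example": ["acme.example", "www.acme.example", "legacy.acme.example"],
    "mail.acme.example": ["mail.acme.example"],
}
# Constructed stand-in for banner/fingerprint data: host -> (product, version)
FINGERPRINTS = {
    "203.0.113.10": ("nginx", "1.24.0"),
    "203.0.113.25": ("ACME-Tech", "3.2.1"),
    "203.0.113.99": ("ACME-Tech", "2.9.0"),
    "198.51.100.7": ("nginx", "1.25.3"),
}
# Constructed stand-in for an active check result. The version alone would flag
# both ACME-Tech hosts; the probe shows only one is actually exploitable.
ACTIVE_CHECK = {"203.0.113.99": True, "203.0.113.25": False}
# Constructed (hypothetical) intel item and business-criticality list
INTEL = {"id": "INTEL-EXAMPLE-1", "product": "ACME-Tech", "fixed_in": (3, 3, 0)}
CRITICAL_HOSTS = {"203.0.113.25"}


def parse_version(text):
    """'3.2.1' -> (3, 2, 1); non-numeric parts are ignored."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())


def discover(seed_domains):
    """Worklist-driven discovery: every newly found name is itself queried
    against all sources until nothing new appears (the continuous-investigation loop)."""
    names, hosts = set(), set()
    queue = deque(seed_domains)
    while queue:
        name = queue.popleft()
        if name in names:
            continue
        names.add(name)
        for rtype, value in DNS.get(name, []):
            if rtype == "A":
                hosts.add(value)
            elif rtype in ("CNAME", "MX"):
                queue.append(value)  # one of our names points at it, so follow it
        for san in CT_SANS.get(name, []):
            # only follow SANs under a seed domain; shared certs can list unrelated names
            if any(san == s or san.endswith("." + s) for s in seed_domains):
                queue.append(san)
    return names, hosts


def find_exposures(hosts, intel):
    """Join discovered hosts with fingerprints and one intel item. 'inferred' comes
    from the version comparison; 'confirmed' only from the active check."""
    findings = []
    for host in sorted(hosts):
        fp = FINGERPRINTS.get(host)
        if not fp or fp[0] != intel["product"]:
            continue
        if parse_version(fp[1]) >= intel["fixed_in"]:
            continue
        findings.append({
            "host": host,
            "version": fp[1],
            "intel": intel["id"],
            "inferred": True,
            "confirmed": ACTIVE_CHECK.get(host, False),
            "critical": host in CRITICAL_HOSTS,
        })
    return findings


def prioritize(findings):
    """Confirmed-exploitable first, then business-critical assets, then by host."""
    return sorted(findings, key=lambda f: (not f["confirmed"], not f["critical"], f["host"]))


def run(seed_domains=("acme.example",)):
    names, hosts = discover(set(seed_domains))
    return prioritize(find_exposures(hosts, INTEL))


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Note the two distinct outcomes: `legacy.acme.example` (an asset found only through certificate data, not through the seed's own DNS) is confirmed exploitable and sorts first, while the mail host runs an affected version but the active check fails, so it is reported as inferred only; a real deployment would treat the second case as "patch or mitigate" rather than "incident".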

An Intriguing Case Study

Modern large-scale incidents often unfold in a predictable pattern. Let's have a look at an example. Suppose a threat actor group is out to steal intellectual property for financial gain, and it becomes aware of a vulnerability in a widely deployed technology solution, which we will call ACME-Tech, used by many companies in their ever-evolving cloud environments. The adversary profiles the technology and exploits the known vulnerability, gaining remote access to the host system running ACME-Tech. They begin targeting high-value organizations around the globe. Most of the attacks go undetected, and the adversary gains deeper and deeper levels of access in multiple organizations.

One of these organizations notices some suspicious activity in the form of large, encrypted payloads being transferred to a remote host. They fear the worst and call in Mandiant to investigate. Upon investigation, the Mandiant consultant discovers the compromise and begins to investigate the initial infection vector.

As the investigation unfolds, critical early-warning information is sanitized and shared with the Mandiant Advanced Practices team. They discover this has the potential to be much more than an isolated incident. A UNC (uncategorized threat group) profile is created, and the TTPs, the vulnerability and any publicly shareable IoCs are distributed to the Mandiant Intel Grid.

The Mandiant Intel Grid informs customers via the Threat Intelligence modules, while simultaneously updating Automated Defense, Security Validation and ASM.

  • Automated Defense models are updated to detect and create investigations based on the known attack pattern.
  • Validation tests are updated to include the behaviors being leveraged by the adversary so controls can be tested.
  • ASM is informed of the vulnerability and technology checks, allowing customers to be aware of the danger to any instances of ACME-Tech and the need to review for IoCs. Without delay, ASM communicates with already-known hosts to validate whether the vulnerability exists and is exploitable. 

At this point Security Validation tests are executed to determine if any attempts to exploit ACME-Tech would be successful. Security teams can answer the question, "Will the ACME-Tech attack be detected, prevented or missed by the controls that are in place?"

With this knowledge they can determine risk mitigation steps and decide whether a full incident response is needed. The customer is now monitoring for any future attempts in Automated Defense, has validated that their controls will detect such an attempt, and has discovered that they do have instances of the vulnerable technology in their environment.

Sounds like a long weekend just got easier. That's the Mandiant Advantage.