Introducing Mandiant Active Breach & Intel Monitoring

Mike Reynolds
Oct 04, 2021
4 mins read

“According to a recent white paper I read, the average dwell time of a cybersecurity compromise is 24 days. If it was our organization, I would have been fired 22 days ago.”

- Anonymous CISO at a mid-size healthcare organization

Regardless of the size of your organization or security team, threat intelligence is vital information that keeps your environment protected from a breach. However, there is a problem with most threat intelligence that organizations rely on these days—it’s old. Really old. Because most threat intelligence has already “aged out” from being useful, it has little to no connection to the attacker techniques used in active breaches that are relevant to your specific industry or company. If your security team is forced to use old and unreliable threat data, or worse yet, has to curate it manually, the result is time-consuming, costly and inconsistent.

To address this challenge, Mandiant is introducing Active Breach & Intel Monitoring. This solution leverages Mandiant’s incident response engagements, the foundation of our Threat Intelligence repository, to identify the presence of current, relevant Indicators of Compromise (IOCs) within your IT environment. Regardless of the size of your security team, you are enabled to rapidly identify, investigate, and take actions to reduce the impact of targeted attacks. In this way, Mandiant is operationalizing the full spectrum of Mandiant Threat Intelligence through expert automation and decision models that understand and adapt to your environment.

Active Breach & Intel Monitoring taps into the Mandiant knowledge graph to not only match known, public tactics and techniques from actors against specific profiles, but tactics that may be unpublished, yet identified in Mandiant’s active Incident Response (IR) engagements. This assures you will always have the most current information from real, active breach investigations performed worldwide. Additionally, Active Breach & Intel Monitoring searches your retained data for IOC matches over the past 30+ days.

Fast Time-to-Value

Active Breach & Intel Monitoring is an expert as-a-service offering that can be deployed quickly and easily. Once operational, Active Breach & Intel Monitoring essentially connects your Security Operations Center (SOC) to Mandiant Incident Response, continuously analyzing your logs, events, and alerts, both in real time and historically, for matches to IOCs from active breaches as they are discovered globally. The IOCs detected in your IT environment are prioritized and evaluated against Mandiant’s IC_Score, IOC relevancy and category, then immediately reported to a member of your security team or organization. The result is reduced attacker dwell time (24 days is too long!), ensuring your team is confident in its ability to efficiently detect and respond to breaches.

Continuous Breach-related IOC Monitoring & Assessment

Active Breach & Intel Monitoring continually analyzes and evaluates security data to identify IOCs within your environment. It matches active IOCs against information from endpoint agents, network sensors, appliances, and other security technologies to identify patterns indicative of a potential threat or security incident. Once a threat is identified, an alert is issued to your security team for mitigation or incident response.

Active Breach & Intel Monitoring gives security practitioners visibility into the most relevant and active threats that Mandiant identifies across the industry, so that you can understand the significant and damaging threats that may exist in your environment.


Figure 1: Active Breach & Intel Monitoring leverages Mandiant Threat Intelligence to analyze alerts and events that are associated with IOCs to find potential security breaches quickly

Sources and Indicators

Active Breach & Intel Monitoring supports the following sources and indicator data:

Indicator sources:

  • Mandiant Indicator List

Indicator Types:

  • Domains
  • IP addresses
  • Hashes (SHA1, SHA256, MD5)
  • URLs

In addition, IOC matches are prioritized against alert-based contextual information and Mandiant’s IC_Score, a data-science-based “indicator confidence” scoring algorithm, to weed out benign indicators and help your team focus on high-priority, relevant IOCs.
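As an added illustration (not code from the Mandiant product), the following Python scans constructed log lines for the four indicator types listed above, keeps only matches inside a 30-day retention window, drops low-confidence indicators and ranks the rest by a confidence score that stands in for IC_Score. Every indicator, log line and score here is invented for the example.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed indicator list; "confidence" is a made-up stand-in for a vendor score
# such as IC_Score, and none of these values are real indicators.
INDICATORS = [
    {"type": "domain", "value": "update-check.example", "confidence": 92, "category": "c2"},
    {"type": "ip", "value": "203.0.113.45", "confidence": 85, "category": "c2"},
    {"type": "sha256", "value": "ab" * 32, "confidence": 97, "category": "malware"},
    {"type": "url", "value": "http://update-check.example/dl/agent.bin", "confidence": 90, "category": "payload"},
    {"type": "domain", "value": "cdn.example", "confidence": 15, "category": "cdn"},  # noisy, low score
]

# Constructed retained log data: "<timestamp> <source> key=value ...".
NOW = datetime(2021, 10, 4)
LOGS = [
    "2021-10-03T08:12:01Z dns client=10.0.0.7 query=update-check.example type=A",
    "2021-10-03T08:12:03Z proxy client=10.0.0.7 url=http://update-check.example/dl/agent.bin status=200",
    "2021-09-20T14:05:44Z edr host=WS-17 file=C:\\Users\\a\\agent.bin sha256=" + "ab" * 32,
    "2021-10-01T10:00:00Z netflow src=10.0.0.9 dst=203.0.113.45 dport=443",
    "2021-10-02T09:30:12Z dns client=10.0.0.8 query=cdn.example type=A",
    "2021-08-01T00:00:00Z netflow src=10.0.0.3 dst=203.0.113.45 dport=443",  # older than the window
]

def log_time(line):
    return datetime.strptime(line.split(" ", 1)[0], "%Y-%m-%dT%H:%M:%SZ")

def field_values(line):
    """Collect lowercased key=value values; a URL value also contributes its host name."""
    vals = []
    for tok in line.split()[2:]:
        if "=" in tok:
            v = tok.split("=", 1)[1]
            vals.append(v.lower())
            if v.startswith(("http://", "https://")) and urlparse(v).hostname:
                vals.append(urlparse(v).hostname.lower())
    return vals

def scan(logs, indicators, now, window_days=30, min_confidence=50):
    """Match indicators against retained logs, filter by window and confidence, rank by score."""
    cutoff = now - timedelta(days=window_days)
    hits = []
    for line in logs:
        ts = log_time(line)
        if ts < cutoff:
            continue  # outside the retention window being searched
        vals = field_values(line)
        for ind in indicators:
            if ind["value"].lower() in vals and ind["confidence"] >= min_confidence:
                hits.append({"time": ts, "line": line, **ind})
    hits.sort(key=lambda h: (-h["confidence"], h["time"]))  # highest confidence first
    return hits
```

Running `scan(LOGS, INDICATORS, NOW)` yields five ranked hits; the low-confidence cdn.example lookup and the August netflow record are excluded.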


Figure 2: Active Breach & Intel Monitoring provides a timeline preview of IOCs that may impact the environment

From the CISO to the security analyst, security practitioners do not want to be the last to know when their environment is compromised. Active Breach & Intel Monitoring provides insight into matches of vetted Mandiant IOCs against your security data to find compromises fast and reduce attacker dwell time. Don’t be the last to know—let Mandiant Active Breach & Intel Monitoring find the security compromises in your environment before anyone else does.

For more information, please contact us.