Overview
Proactive Preparation
A global clothing retailer suffered a cyber breach involving the theft of its customers’ personal data. After breach remediation, the organization’s security leaders revamped their infrastructure and recognized the need to assess the effectiveness of their cybersecurity posture and existing operational controls in the event of another targeted attack.
- Assess
- Retailer learns from existing response shortfalls
- Create
- Roadmap for immediate and long-term security improvements across the attack lifecycle
- Validate
- Need for additional security investment and periodic capability maturity evaluations
Challenge
Previous Cyber Breach Initiates Red Team Assessment
Proactive preparation is key to getting ahead of targeted attacks, including the performance of independent evaluations of the organization’s prevention, detection, and response capabilities. Virtually all breached organizations think their security program is effective—until they find out the hard way that it isn’t.
Mandiant provides world-class incident response for the most complex breaches worldwide. Knowing this, the retailer engaged with Mandiant for a Red Team Assessment to evaluate their detection and response capabilities against targeted attacks. A simulated attack scenario was conducted in the client’s environment that emulated modern, real-world threats. Mandiant’s Red Team worked with the retailer’s business leaders to identify a set of objectives that focused on high-risk areas for the organization. Over the course of an eight-week engagement, Mandiant experts evaluated the organization’s prevention, detection, and incident response capabilities by simulating behaviors and tactics of a determined threat actor across an entire attack lifecycle.
Solution
Attack lifecycle simulation identifies detection and response weaknesses
The Red Team’s evaluation went far beyond compliance checklists—it examined the client’s ability to detect malicious activity and respond to events. This was done by testing the existing processes, tools, and staffing that was actually deployed in response to targeted threat activity. Mandiant experts simulated a full attack lifecycle—from initial reconnaissance to mission completion, to ensure no stones were left unturned.
Some examples of the Red Team’s approach included:
- Initial compromise to establish foothold: The Red Team used recon-based phishing, domain fronting, obfuscated payload, and registry persistence to gain entry.
- The attack: Mandiant dumped credentials, cracked passwords, and bypassed 2-factor controls to maintain presence.
- Mission completed: Red Teamers bypassed 2-factor controls that restricted administrator access and revealed personal customer data.
Results
Taking Action
The assessment uncovered significant gaps in the retailer’s effectiveness of existing processes, increasing the organization’s awareness of current vulnerabilities that attackers could target in a future attack.
The customer received tactical and strategic recommendations for immediate and long-term improvements. Since multiple misconfigured controls were discovered and business risks continued to accumulate, the CISO worked closely with Mandiant experts to strengthen the organization’s detection capabilities and ultimately reduce overall incident response time.
The Mandiant Red Team engagement succeeded in helping the organization learn from their incident response shortfalls and build a roadmap for immediate and long-term improvements. Ultimately, the results of this assessment helped justify additional security budget and the need for periodic capability maturity evaluations to maintain the retailer’s ability to outmaneuver advanced attackers.
More About Company
Global retail manufacturer gains best practice security knowledge, risk-free
Knowing the retail industry is a primary target for cyber criminals around the world, this retail manufacturing customer looked to Mandiant to test its current incident response capabilities. The customer’s security team gained first-hand experience responding to a real-world attack—without actual consequences to the business.