Who is MANDIANT?
• Engineers, consultants, authors, instructors & security experts
• Chased criminals attacking the Fortune 500, govt. contractors, and multi-national banks
• Responded to over 1 million compromised systems in over 60 organizations
• Find evil & solve crime through our products & services
Services
• Incident Response
  • Incident Response Management
  • Malware Analysis
  • Program Development
  • Incident Response Exercises
• Computer Forensics
  • Forensic Examination
  • Litigation Support
  • Expert Testimony
• Application & Network Security
  • Application & Network Assessments
  • Secure SDLC
  • Product Testing
  • Wireless Assessments
  • Penetration Testing
  • Social Engineering
  • Architecture Design
• Research & Development
  • High-Sensitivity
  • Emerging Issues
  • Cutting Edge
MIR (Host Interrogations)
• Made expressly for incident responders
• Based on years of IR knowledge
• Built by experienced system developers
• The right forensic features, plus real scalability, equals enterprise IR at speed
• Faster, less disruptive, less expensive
• Repeatable, more accurate investigations
• Comprehensively evaluate the environment
Accelerating enterprise IR
• MIR Controller and Agents deployed pervasively, or only to systems of interest
• Investigate the entire infrastructure or just a subset, based on your needs
• Use the MANDIANT-provided Indicator of Compromise (IOC) DB or develop your own
• Remediation based on a more complete scope of the attack
• Organization postured to re-scan with new IOCs or conduct deep-dive investigations on specific assets
NTAP Service (Network Analysis)
• Identify intruder activities in near real time
• Detect and collect known malicious network traffic
• Automatically perform post-processing and decryption (when possible)
• Describe the attacker's activities and movement
• Determine intent and the process of compromise
• Determine and understand the intruder's targeting and methodologies
• Discover exfiltrated data in encrypted network streams (when possible)
• Provide an actual damage assessment of the attacker's activities
What's an indicator?
An indicator is a set of host artifact terms (file, registry, service, PE metadata) combined with AND/OR. Example terms:
• File Path: \system32\mtxes.dll
• File Name: Ripsvc32.dll OR Service DLL: Ripsvc32.dll
• PE Time Stamp: 2008/04/04 18:14:25
• MD5: 88195C3B0B349C4EDBE2AA725D3CF6FF
• Registry Path: \Services\Iprip\Parameters\ServiceDll AND Registry Text: Ripsvc32.dll
• File Name: SPBBCSvc.exe
• File Name: hinv32.exe OR File Name: vprosvc.exe AND File Name: wuser32.exe
• File Size: 50,000 to 90,000
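The slides describe scanning hosts against an IOC database and show the terms an indicator is built from, but not how the AND/OR logic is evaluated across what an agent collects. The following is an added example (not Mandiant's code and not the MIR or OpenIOC format) of a small indicator matcher: indicator terms are taken from the slide, but how they are grouped under AND/OR, the artifact field names, the indicator names and the host records are assumptions made for illustration.

```python
"""Match boolean indicators of compromise (IOCs) against collected host artifacts.

Added example, not Mandiant's code or the MIR/OpenIOC format. Indicator terms
mirror the slide; their AND/OR grouping, the field names and the host records
are assumptions for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Term:
    """Constraints that must all hold on ONE artifact record of the given kind."""
    kind: str                                     # "file", "service" or "registry"
    equals: dict = field(default_factory=dict)    # field -> exact value, case-insensitive
    contains: dict = field(default_factory=dict)  # field -> substring, case-insensitive
    ranges: dict = field(default_factory=dict)    # field -> (low, high), inclusive


@dataclass
class And:
    items: list


@dataclass
class Or:
    items: list


def _term_hits(term, artifact):
    """True if a single artifact record satisfies every constraint of the term."""
    if artifact.get("kind") != term.kind:
        return False
    for key, expected in term.equals.items():
        actual = artifact.get(key)
        if actual is None or str(actual).lower() != str(expected).lower():
            return False
    for key, needle in term.contains.items():
        actual = artifact.get(key)
        if actual is None or needle.lower() not in str(actual).lower():
            return False
    for key, (low, high) in term.ranges.items():
        actual = artifact.get(key)
        if actual is None or not low <= actual <= high:
            return False
    return True


def evaluate(node, artifacts):
    """True if the host (its list of artifact records) satisfies the indicator tree.

    A Term is satisfied by ANY artifact on the host, so AND means "both exist on
    this host"; put constraints that must hold on the same record into one Term.
    """
    if isinstance(node, Term):
        return any(_term_hits(node, a) for a in artifacts)
    if isinstance(node, And):
        return all(evaluate(n, artifacts) for n in node.items)
    if isinstance(node, Or):
        return any(evaluate(n, artifacts) for n in node.items)
    raise TypeError(f"unknown indicator node: {type(node).__name__}")


def scan(hosts, indicators):
    """Map each host name to the names of the indicators it matches."""
    return {name: [ioc for ioc, tree in indicators.items() if evaluate(tree, arts)]
            for name, arts in hosts.items()}


# Indicators built from the slide's terms (the AND/OR grouping is an assumption).
INDICATORS = {
    "ripsvc32_iprip": And([
        Or([Term("file", equals={"name": "Ripsvc32.dll"}),
            Term("file", equals={"md5": "88195C3B0B349C4EDBE2AA725D3CF6FF"}),  # renamed copy
            Term("service", equals={"dll": "Ripsvc32.dll"})]),
        Term("registry", equals={"path": r"\Services\Iprip\Parameters\ServiceDll",
                                 "text": "Ripsvc32.dll"}),
    ]),
    "hinv32_wuser32": And([
        Or([Term("file", equals={"name": "hinv32.exe"}),
            Term("file", equals={"name": "vprosvc.exe"})]),
        Term("file", equals={"name": "wuser32.exe"}, ranges={"size": (50000, 90000)}),
    ]),
    "mtxes_dll": Term("file", contains={"path": r"\system32\mtxes.dll"}),
}

# Constructed host artifact records, i.e. what an agent would report back.
HOSTS = {
    "ws-017": [
        {"kind": "file", "name": "Ripsvc32.dll", "path": r"C:\Windows\system32\Ripsvc32.dll",
         "md5": "88195c3b0b349c4edbe2aa725d3cf6ff", "size": 61440},
        {"kind": "registry", "path": r"\Services\Iprip\Parameters\ServiceDll", "text": "Ripsvc32.dll"},
    ],
    "ws-042": [  # legitimate ServiceDll, and wuser32.exe outside the size range: no match
        {"kind": "registry", "path": r"\Services\Iprip\Parameters\ServiceDll", "text": "iprip.dll"},
        {"kind": "file", "name": "hinv32.exe", "path": r"C:\Windows\hinv32.exe", "size": 73216},
        {"kind": "file", "name": "wuser32.exe", "path": r"C:\Windows\wuser32.exe", "size": 122880},
    ],
    "srv-03": [
        {"kind": "file", "name": "vprosvc.exe", "path": r"C:\Temp\vprosvc.exe", "size": 80000},
        {"kind": "file", "name": "wuser32.exe", "path": r"C:\Temp\wuser32.exe", "size": 65536},
        {"kind": "file", "name": "mtxes.dll", "path": r"C:\WINDOWS\System32\mtxes.dll", "size": 24576},
    ],
}


if __name__ == "__main__":
    for host, hits in scan(HOSTS, INDICATORS).items():
        print(f"{host}: {', '.join(hits) if hits else 'no indicators matched'}")
```

Two points the example makes concrete: the file-size range and the wuser32.exe name are in one Term because they must describe the same file, so a host that has the right name at the wrong size (ws-042) does not match; and the MD5 alternative in the OR lets the ripsvc32 indicator still fire when the attacker renames the DLL, which is why hash, name and service terms are combined rather than relying on any one of them.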
Offices
• Washington, DC: 675 N. Washington Street, Suite 210, Alexandria, VA 22324, (703) 683-3141
• New York: 24 West 40th, 9th Floor, New York, NY 10018, (212) 764-0435
• Los Angeles: 400 Continental Blvd, El Segundo, CA 90245, (310) 426-2151