RSA Conference 2022 – San Francisco – In the early 2000s, when Mandiant was a small consulting firm in Northern Virginia, Kevin Mandia usually worked on only one incident response (IR) case at a time. Today, Mandia’s team at what is now the IR giant Mandiant – which is in the process of being acquired by Google – is working on more than a dozen cases simultaneously.
According to Mandia, the number of attacks is increasing, especially over the last year. In recent Mandiant IR investigations, zero-day attacks and stolen certificates have become the weapons of choice for infiltrating an organization, alongside phishing.
“Many customers are asking, ‘How long do we have to keep our shields up?’” amid increased cyber threat activity. “I think you have to keep [them] up is a lesson we are learning this year,” Mandia said in an interview with Dark Reading this week.
“The impact of a breach is much more serious now,” he said. Not only have ransomware and extortion become more shameful and chaotic, with public data leaks and digital blackmail, but cybercriminals are catching up with nation-states in exploiting costly zero-day vulnerabilities in software, he said.
“In the early days, zero days were the purview of governments. In 2017, you started to see criminal elements equipping themselves with zero days,” he said. Today, it is close to a 60-40 split, with nation-states still leading in zero-day attacks but criminals not lagging far behind. “It came sooner than I thought,” Mandia added. “It tells you how much money you can make hacking.”
Silver lining
If there is any good news, however, it is that organizations calling on Mandiant for help with an incident are identifying their intrusions sooner: “We are being hired earlier in the breach process, and there is less [attacker] dwell time,” he said.
In particular, Mandiant observed that the time attackers remained unnoticed in a victim network fell to 21 days in 2021, from 24 days in 2020. This trend has persisted over the last four years in Mandiant IR cases.
Mandia said there is now a sense of urgency among cybercriminals to make good on their ransom demands for seized or stolen data. “I was told today that the dwell time before they access [data] was about seven days, and it is now coming down to four to five days. This speed means it is becoming harder to monetize,” and cybercriminals need to act faster and more openly to make their money, he explained.
And the stakes for CISOs trying to prevent and deflect a major breach are greater than ever. “This is the hardest year to be a CISO,” he said. “Now you [also] have the security of your people threatened online: your employees, your customers. It’s a lot, and an unfair battle with it, [mostly] with no risk of retaliation for the bad people.”
Threats include the recent wave of fake or impossible-to-prove public data-leak claims, attempts by threat actors and other fraudsters to shake down or defame the victimized company.
“It’s impossible to prove a negative,” Mandia said of the origins of the fake claims. And companies are forced to investigate an intrusion that didn’t even happen.
“It’s getting more and more frequent,” he said of the latest form of pressure from cybercriminals. “There is nothing harder to respond to. Something that is universal [is that] hackers are vocal and demanding. And a company can’t dispute them [at first] because they have to find the answer first. That’s the decent thing to do, and it should end there.”
It hit close to home for Mandia because, while Dark Reading was interviewing him on Monday, Mandiant itself became the subject of a fake breach claim by the LockBit ransomware gang, which posted on Twitter that it had hacked the IR company. The claim appears to be in retaliation for Mandiant’s recent ransomware report.
“Based on the published information, there is no indication that Mandiant data has been released,” Mandiant said in a tweet today about the claim. “Rather, the actor seems to be trying to disprove our June 2, 2022 research on UNC2165 and LockBit. We stand behind the findings of this research.”
Googling Mandiant
Meanwhile, Mandiant is preparing to merge with Google. Google announced in March that it intended to acquire Mandiant for $5.4 billion, and Mandia at the time framed the integration with Google as a way to advance Mandiant’s planned strategy of automating certain components of the IR process. Google’s investment will accelerate that strategy.
“You need to automate as much as possible,” Mandia told Dark Reading this week. He noted that tasks such as identification, pattern collection, and log file analysis could be automated. But there are still parts of IR that remain human work, such as attribution and deep-dive forensic analysis.
“If ever there was a deepfake or false-flag operation, it would be a human [who would spot it],” Mandia said.