This case study demonstrates how MANDIANT Intelligent Response™ (MIR) is used to identify, scope and remediate the Advanced Persistent Threat (APT) in the government and defense industrial base. The APT consists of skilled and sophisticated hackers who deploy a complex arsenal of malware against specific targets in the Defense Industrial Base (DIB), financial, manufacturing and research industries.
Our client is a diversified Fortune 500 corporation that provides products and services to domestic and foreign governments and commercial customers. They conduct multiple lines of business, and they operate throughout the world. The client suspected an intruder was in their network; however, they did not know the extent of the compromise, nor what — if any — data had been breached. They called MANDIANT's team of APT experts to validate their concerns, scope the intrusion and provide a remediation strategy.
The persistent intruders used tools and techniques that left trace evidence on each computer system they compromised. These host-based indicators of compromise are present every time the intruders attack a network. MANDIANT deployed a team of consultants to the client site armed with MIR and their previous knowledge of the threat.
The team evaluated the extent of the intrusion and identified compromised systems by collecting and analyzing volatile and static host data. MANDIANT began the investigation by first looking for all of the signatures they were aware of, including those collected during previous investigations, those provided by the client and generic indicators of system configurations that could signify system compromise. As data was collected and analyzed, they identified several new indicators that were unique to that client's environment. The team added them to the search list and used MIR to scan the entire network again to look for the new indicators.
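The iterative sweep described above (seed indicators, enterprise scan, new indicators derived from the hits, rescan) can be shown in a small working model. The code below is an added example and is not MIR's code or MANDIANT's tooling; the host snapshots, file hashes, paths and the seed indicators are all constructed for illustration, and the pivot rule (sibling files of a hit that are rare across the fleet become candidate hash indicators) is one simple heuristic chosen for the example.

```python
"""
Added example: a minimal host-based IOC sweep with iterative indicator expansion.
Not MIR or MANDIANT code. All hosts, hashes and paths below are constructed.
"""
import ntpath
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Indicator:
    kind: str                        # "md5" or "path" in this example
    value: str
    source: str = field(compare=False, default="")  # provenance only, not identity


# Constructed hashes (placeholders, not real malware hashes).
H_BACKDOOR = "f" * 30 + "01"   # known from a prior investigation
H_STAGER = "a" * 30 + "02"     # unknown at the start; discovered during the sweep
H_LOG = "2" * 32               # benign file common across the fleet
H_SVCHOST = "1" * 32           # legitimate system binary, present everywhere
H_COMMON = "3" * 32            # benign shared data file, present everywhere

# Constructed per-host snapshots: file path -> MD5, as a collection agent might return.
HOSTS = {
    "ws-0001": {"files": {
        "C:\\Windows\\Temp\\svchost.exe": H_BACKDOOR,
        "C:\\Windows\\Temp\\update.dat": H_STAGER,
        "C:\\Windows\\Temp\\MpCmdRun.log": H_LOG,
        "C:\\Windows\\System32\\svchost.exe": H_SVCHOST,
        "C:\\ProgramData\\common.dat": H_COMMON}},
    "ws-0002": {"files": {
        "C:\\Users\\bob\\AppData\\Roaming\\update.dat": H_STAGER,
        "C:\\Windows\\System32\\svchost.exe": H_SVCHOST,
        "C:\\ProgramData\\common.dat": H_COMMON}},
    "ws-0003": {"files": {
        "C:\\Windows\\Temp\\MpCmdRun.log": H_LOG,
        "C:\\Windows\\System32\\svchost.exe": H_SVCHOST,
        "C:\\ProgramData\\common.dat": H_COMMON}},
    "ws-0004": {"files": {
        "C:\\ProgramData\\r.exe": H_BACKDOOR,
        "C:\\Windows\\Temp\\MpCmdRun.log": H_LOG,
        "C:\\Windows\\System32\\svchost.exe": H_SVCHOST,
        "C:\\ProgramData\\common.dat": H_COMMON}},
    "ws-0005": {"files": {
        "C:\\Windows\\Temp\\MpCmdRun.log": H_LOG,
        "C:\\Windows\\System32\\svchost.exe": H_SVCHOST,
        "C:\\ProgramData\\common.dat": H_COMMON}},
}

# Seed list: one indicator from a previous case, one supplied by the client.
SEED_INDICATORS = {
    Indicator("md5", H_BACKDOOR, "prior investigation"),
    Indicator("path", "C:\\Windows\\Temp\\svchost.exe", "client-provided"),
}


def sweep(hosts, indicators):
    """Scan every host; return {host: set(matched indicators)} for hosts with hits."""
    hits = {}
    for host, snap in hosts.items():
        files = snap["files"]
        matched = {i for i in indicators
                   if (i.kind == "md5" and i.value in files.values())
                   or (i.kind == "path" and i.value in files)}
        if matched:
            hits[host] = matched
    return hits


def hit_paths(snap, matched):
    """Resolve matched indicators on one host to the file paths they point at."""
    files = snap["files"]
    paths = set()
    for ind in matched:
        if ind.kind == "md5":
            paths.update(p for p, h in files.items() if h == ind.value)
        elif ind.kind == "path":
            paths.add(ind.value)
    return paths


def hash_prevalence(hosts):
    """Fraction of hosts on which each file hash appears (for rarity filtering)."""
    counts = Counter(h for snap in hosts.values() for h in set(snap["files"].values()))
    return {h: n / len(hosts) for h, n in counts.items()}


def derive_indicators(hosts, hits, known, max_prevalence=0.5):
    """Pivot rule: files sitting beside a hit that are rare fleet-wide become candidates."""
    known_values = {(i.kind, i.value) for i in known}
    prevalence = hash_prevalence(hosts)
    new = set()
    for host, matched in hits.items():
        files = hosts[host]["files"]
        hit_dirs = {ntpath.dirname(p).lower() for p in hit_paths(hosts[host], matched)}
        for path, h in files.items():
            if (ntpath.dirname(path).lower() in hit_dirs
                    and ("md5", h) not in known_values
                    and prevalence[h] <= max_prevalence):
                new.add(Indicator("md5", h, f"derived from {host}:{path}"))
    return new


def iterative_sweep(hosts, seed, max_rounds=10):
    """Sweep, derive, rescan until no new indicators appear. Returns (affected, indicators, rounds)."""
    indicators = set(seed)
    affected = {}
    rounds = 0
    for rounds in range(1, max_rounds + 1):
        hits = sweep(hosts, indicators)
        for host, matched in hits.items():
            affected.setdefault(host, set()).update(matched)
        new = derive_indicators(hosts, hits, indicators)
        if not new:
            break
        indicators |= new
    return affected, indicators, rounds


if __name__ == "__main__":
    affected, final, rounds = iterative_sweep(HOSTS, SEED_INDICATORS)
    print(f"{rounds} rounds, {len(final)} indicators, affected hosts: {sorted(affected)}")
```

Running it, round one flags ws-0001 and ws-0004 from the seed list; the stager file sitting next to the hit on ws-0001 is rare across the fleet, so its hash is promoted to an indicator, and the second round catches ws-0002, where the same stager lives under a user profile with no known-bad path. The prevalence filter is what keeps MpCmdRun.log and the real svchost.exe, which also sit beside hits, out of the indicator list; in a real investigation an analyst reviews each derived candidate before it goes into the rescan.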
During this process, MANDIANT investigated 20,000 hosts, searched for over 180 different indicators of compromise and provided the client a list of affected systems within the first four days on-site.
MANDIANT determined the intruders had accessed the client's network multiple times over the course of 14 months. They gained initial entry through a phishing attack targeted at several senior executives. The company had responded to this first intrusion by discovering and removing malware from the victim machine. They had investigated a sampling of other machines in the organization and determined that no machines were compromised in the same manner.
At this point, the client believed the attack had been remediated successfully and the threat removed. But, in fact, the attackers had left undiscovered back doors on the network. Those back doors allowed the attacker to continue pilfering the information from the company.
Once the list of known and suspected indicators was analyzed and all the suspicious system configurations were reviewed, MANDIANT consultants worked hand-in-hand with the client to create a remediation plan tailored to their circumstances. The plan included short-, medium- and long-term strategies to protect their network from further attack and the APT, while addressing the needs of various business units and senior management.
MIR's ability to conduct a comprehensive investigation of the enterprise allowed MANDIANT's response team to identify all of the compromised hosts, all of the compromised user accounts and all of the compromised data on the network. Moreover, the client did not have to take any systems off-line, which minimized the disruption to daily operations, while the investigation proceeded at unprecedented scale and speed.
Because the problem was solved so quickly and completely, the client did not have to repeat costly remediation work or wonder whether they had found the entire problem. MIR helped them respond to the incident on their terms, not the intruder's, saving them time, effort and money.