MANDIANT AT CEIC 2010
Written by Brian Gwinner
Got the time?
As part of the Digital Analysis Lab track at CEIC, MANDIANT Director Rob Lee will be teaching Super Timeline Analysis. In this hands-on practical you will learn how to establish a single framework from which you can analyze multiple examinations of time-based data.
Move over Iron Man – MIR 1.4 is coming!
We wanted to let the dust settle from the other release of superior red metal before we announced ours!
MANDIANT is releasing the next version of MANDIANT Intelligent Response at CEIC 2010.
Here are just some of the features MIR 1.4 includes:
- Support for the OpenIOC open indicator format – a free-to-use, open XML schema for describing indicators of compromise.
- Agent support for Windows 7, 64-bit systems for non-memory forensic audits.
- Agent support for Windows Vista 32-bit systems.
- Agent support for 64-bit memory forensic audits for Windows 2k3 systems.
- Optional Agent installation into “self-hiding” mode.
So what else has changed since MIR 1.3?
Come visit us at CEIC booth 706 and find out!
Combat the APT by Sharing Indicators of Compromise
Written by Matt Frazier
At MANDIANT, we value human intelligence: ground truth, intelligent decision-making and adapting to your enemy’s tactics. Since expert humans can’t be everywhere, we’ve built a means to exchange enough ground truth and decision-making that security experts can spend more energy applying expertise and less time parsing and pruning stale datasets, and can leverage that expertise across organizations and between compromises.
Historically, compromise data has been exchanged in CSV or PDF files laden with tables of “known bad” malware information (name, size, MD5 hash values) and paragraphs of imprecise descriptions, supplemented by ad-hoc exchanges between targets.
MANDIANT, inspired by field pressures operation after operation, imagined a way to exchange not only indicators of specific compromises but also structures that formalize the human intelligence behind decision-making: rules, exceptions, and ongoing adaptability. Our Indicators of Compromise (IOCs) were shaped operationally while detecting real-world threats. We help our clients detect the APT right now, and they’re exchanging information about it using IOCs.
Conventional compromise datasets consist of table after table of immediately stale data capturing few, if any, relationships. An Indicator of Compromise (IOC), however, is a Boolean decision tree that discriminates an indicator from a false positive, theory from ground truth. What’s more, when you discover an exception or extension to a well-known IOC you can describe it concisely and proactively, authenticate its source and re-evaluate your existing data to detect new instances of old compromises. This way, as a threat group adapts to your detections, you retain an IOC’s identity and maintain the value of the intelligence shared with other targets over time.
Importantly, IOC is industry-standard XML, so you already have tools and a community of experts who can comprehend, transform, and leverage new data immediately. Unlike many XML standards, however, it’s simple: developed operationally with an eye toward staying adaptable, transformable, and scalable. IOC describes the relationships that indicate compromise, which makes the format resilient to new data formats, data sources and decision engines.
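To make the Boolean decision tree concrete, here is a small added example (not MANDIANT’s code, and not the actual OpenIOC schema, which this post does not reproduce): a constructed IOC whose element names are loosely modeled on the later public OpenIOC layout, plus a minimal Python evaluator that walks the AND/OR tree over a constructed host file listing. The `negate="true"` attribute, used here as the whitelisting exception term the post describes, and all hashes, names and paths are assumptions of this example.

```python
import xml.etree.ElementTree as ET
# Constructed IOC: a known-bad MD5, OR a file named like svchost that is NOT under System32.
IOC_XML = """<ioc id="example-ioc-0001">
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context search="FileItem/Md5sum"/>
        <Content>0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="contains">
          <Context search="FileItem/FileName"/>
          <Content>svchost</Content>
        </IndicatorItem>
        <IndicatorItem condition="contains" negate="true">
          <Context search="FileItem/FilePath"/>
          <Content>C:\\Windows\\System32\\</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""
# Leaf comparison semantics (case-insensitive); an unknown condition raises KeyError.
CONDITIONS = {"is": lambda v, c: v == c, "contains": lambda v, c: c in v}

def item_matches(item, artifact):
    # One leaf term against one artifact (a flat dict keyed by the Context search path).
    value = artifact.get(item.find("Context").get("search"))
    content = item.findtext("Content", "").lower()
    hit = value is not None and CONDITIONS[item.get("condition")](value.lower(), content)
    return hit != (item.get("negate") == "true")   # negate="true" flips the leaf result

def evaluate(node, artifact):
    # Walk the Boolean decision tree; Indicator nodes combine their children with AND or OR.
    if node.tag == "IndicatorItem":
        return item_matches(node, artifact)
    results = [evaluate(c, artifact) for c in node if c.tag in ("Indicator", "IndicatorItem")]
    return all(results) if node.get("operator") == "AND" else any(results)

def scan(ioc_xml, artifacts):
    # Paths of the artifacts that satisfy the IOC's top-level Indicator.
    top = ET.fromstring(ioc_xml).find("definition/Indicator")
    return [a["FileItem/FilePath"] for a in artifacts if evaluate(top, a)]

# Constructed file listing from a hypothetical host audit (one dict per file).
HOST_FILES = [
    {"FileItem/FileName": "svchost.exe", "FileItem/FilePath": "C:\\Windows\\System32\\svchost.exe", "FileItem/Md5sum": "ffffffffffffffffffffffffffffffff"},
    {"FileItem/FileName": "svchost.exe", "FileItem/FilePath": "C:\\Users\\Public\\svchost.exe", "FileItem/Md5sum": "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"},
    {"FileItem/FileName": "notepad.exe", "FileItem/FilePath": "C:\\Windows\\notepad.exe", "FileItem/Md5sum": "0123456789abcdef0123456789abcdef"},
]
```

The legitimate System32 copy is excluded by the negated term, so adding an exception to a shared IOC changes the verdict without changing the IOC’s identity.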
At DoD CyberCrime 2010 MANDIANT will formally release this format, along with tools to leverage it in your investigations today. We’ll have full coverage of the release on M-unition; stay tuned.
Tags: APT, humint, MIR, sizzle, xml
Wanted: Web Ninja
Written by Matt Frazier
MANDIANT’s Product Team is searching for that ninja wide-receiver superspy master chef of web developers – the one who shotguns AJAX and sweats JavaScript, swims in PHP (or rafts on class five Ruby or spear fishes in deep sea Python); one who builds web applications on a dare only to tear them down and create them anew with obsessive perfectionism. Of course they need LAMP stack experience and general consulting/developer interface panache because this dev will work side by side with Team Consulting to integrate field-developed solutions into product features. The position is in the Alexandria, VA office. Resumes to recruiting@mandiant.com. Find the full description at http://www.mandiant.com/jobopenings/PROD0500.htm