RSA CONFERENCE 2022 – San Francisco – Back in the early 2000s when Mandiant was a small consulting firm in Northern Virginia, Kevin Mandia typically worked on just one incident response (IR) case at a time. Today, Mandia’s team at the now IR giant Mandiant – which Google is in the process of acquiring – works on more than a half-dozen cases concurrently.
The volume of attacks is growing, especially so over the past year, according to Mandia. In recent IR cases Mandiant has been investigating, zero-day attacks and pilfered credentials have become the weapon of choice to infiltrate an organization, overtaking phishing.
“A lot of customers are saying, ‘How long do we have to have our Shields Up?'” he said, in reference to the Cybersecurity and Infrastructure Security Agency (CISA)’s current slogan for warning organizations to operate at heightened alert amid increasing cyber threat activity. “I think you have to keep [them] up. That’s a lesson we’re learning this year,” Mandia said in an interview with Dark Reading this week.
“The impact of a breach is so much graver now,” he said. Not only are ransomware and extortion getting more brazen and chaos-causing with public data leaks and digital blackmail, but cybercriminals are basically catching up with nation-states when it comes to exploiting expensive zero-day vulnerabilities in software, he said.
“In the early days, zero days were the purview of governments. In 2017, you started to see criminal elements arming a zero day,” he said. Today, it’s close to a 60-40 split, with nation-states
still leading in zero-day attacks but with criminals not far behind. “That came sooner than I thought,” Mandia added. “It just tells you how much money you can make hacking.”
But if there’s a bit of good news, it’s that organizations calling on Mandiant for help with an incident are spotting their intrusions sooner: “We’re getting hired earlier in the breach process, and there’s less [attacker] dwell time,” he said.
Specifically, Mandiant saw the amount of time attackers remained unnoticed on a victim’s network dropped to 21 days in 2021, down from 24 days in 2020. That trend has been steady for the past four years in Mandiant’s IR cases.
There’s also a sense of urgency now among cybercriminals to ensure they snag the valuable data or demand their ransom for stolen data, Mandia said. “I was told today that the time frame dwell time used to be that they had access for about seven days, and that’s coming down to four to five days now. That speed means it’s getting harder to monetize” and cybercriminals have to work faster and more publicly to make their money, he explained.
And the stakes are higher than ever for CISOs trying to deter and deflect a big breach. “This is the hardest year to be a CISO,” he said. “Now you’re [also] protecting your people threatened online, your employees, your customers. It’s so much, and it’s an unfair fight with [mostly] no risk of repercussions for the bad guys.”
The threat includes the recent wave of phony or impossible-to-prove public data leak claims by threat actors and other fraudsters attempting to shake down or defame a victim organization.
“It’s impossible to prove a negative,” Mandia said of these phony breach declarations that emerge. And organizations are forced to investigate an intrusion that may not even have occurred.
“It’s becoming more frequent,” he said of this latest form of pressure by cybercriminals. There’s nothing harder to respond to; something that’s public, the hacker is vocal and making claims. And a company can’t dispute them [at first] because they have to figure out the answers first. Those are terrible situations.”
That hit close to home for Mandia because, while Dark Reading was interviewing him on Monday, Mandiant itself became the subject of a fake breach assertion by the LockBit ransomware gang, which posted on Twitter that it had hacked the IR company. The claim appears to have been retribution for a recent ransomware report by Mandiant.
“Based on the data released, there are no indications that Mandiant data has been disclosed,” Mandiant said in a tweet today
about the claims. “Rather the actor appears to be trying to disprove our June 2, 2022 research on UNC2165 and LockBit. We stand behind the findings of this research.”
Meanwhile, Mandiant is preparing for the completion of its merger with Google. Google announced its intent to acquire Mandiant in March for a whopping $5.4 billion, and Mandia at the time touted the merger as a way to build out Mandiant’s planned strategy of automating specific elements of the IR process. Google’s investment should accelerate that strategy.
“You have to automate as much as you can,” Mandia told Dark Reading this week. Tasks such as detection, collecting artifacts, and log file analysis could be automated, he noted. But there still are parts of IR that remain human tasks, such as attribution and deep-dive forensic analysis.
“If there’s ever a deepfake or false-flag operation, it will be a human that will [spot it],” Mandian said.