On March 15, Mandiant hosted an executive briefing over breakfast
in New York City. The location, the W Hotel in Downtown NYC,
overlooked the 9/11 Memorial and the rising One World Trade
Center, an arresting view and a unique setting for this event.
Former Secretary of Homeland Security Michael Chertoff kicked off
the morning by discussing his perspective on the global threat
landscape. He touched on Iran’s cyber warfare capabilities in
particular. He remarked on recent alleged Iranian attacks against
the BBC and said that there is no point in debating the reality of
war. If one side believes they are engaged in such a battle,
then that is reality, and “Iran clearly believes they are
already participants in cyber war.” He also noted that Iran’s
capabilities are already quite advanced. After being hit by Stuxnet,
Iran views it as imperative to be prepared to respond in kind.
It is always nice to see someone like Mr. Chertoff connecting the
dots so articulately on a technical level. At one point, he
commented about how important it was to not just look for malware.
Smart responders, he said, need to look for all trace evidence of
compromise in order to fully understand the scope of an incident.
Coincidentally, this is trend #1 in our recent M-Trends
report, and Mr. Chertoff described the problem with a
malware-centric approach perfectly.

Richard Bejtlich spoke
next and used a role-playing exercise to help the audience
understand the challenge of responding to targeted threats. His
premise was simple: “Pretend I’m a law enforcement agent who
comes to your office and tells you that you are compromised, and
that I have your own internal documents as evidence. What do you do
This provoked discussion and the audience started
asking questions about the nature of the intrusion and what they
should do to respond. As we explored the scenario through Q&A,
it became clear that most organizations lack the visibility they
need to adequately respond to attacks. What about your organization?
If you found out today that you had been the victim of a substantial
breach, where would you look first? How would you validate the
intrusion? How could you discover the scope or identify what had been

Those of you who have attended Mandiant events know
that we are pretty light on the product pitches (we often don’t
mention our products at all). However, we do have a product that
helps answer the questions that Richard was posing. Mandiant
Intelligent Response has helped hundreds of companies answer
the question “Now What??” when they are on the receiving
end of the scenario Richard outlined in New York.