Shweta Sharma
Senior Writer

Mandiant’s new solution allows exposure hunting for a proactive defense

Apr 14, 2023 | 5 mins
Intrusion Detection Software | Penetration Testing | Threat and Vulnerability Management

Mandiant Proactive Exposure Management combines a suite of capabilities for exposure hunting, threat correlation, penetration testing, and real-time intrusion defense.


Google-owned cybersecurity provider Mandiant has launched Mandiant Proactive Exposure Management, a suite of products and services to help organizations focus on “attackable exposures” rather than just vulnerabilities.

“Exposures go beyond vulnerabilities and are potential exploitable entry points that can be used by an adversary to gain initial compromise into an organization or supply chain ecosystem,” said Michael Armistead, director of outbound product management at Google Cloud Security. “An exposure could be a vulnerability, a server misconfiguration, or a security control missing detections for specific indicators of compromise (IOCs) or commonly used threat actor tactics, techniques, and procedures (TTPs).”

Exposures can include vulnerable software, zero days, stolen credentials, unknown assets, missing multi-factor authentication, and domain typosquatting, according to Armistead.

Mandiant pitches its exposure management as a holistic approach to enterprise security, as opposed to disparate point solutions. It includes scanning organizational assets to learn what is exposed, who is targeting those assets, whether the organization can withstand an attack, and whether an attack is happening in real time.

“Organizations are dealing with sprawling attack surfaces and historic vulnerability volume, with the definition of vulnerability expanding beyond just CVEs from the NVD,” said Erik Nost, a Forrester analyst. “Security professionals increasingly need to worry about misconfigurations, benchmarks, policy violations and so on, as sometimes it is not a patch that should be prioritized, but an ineffective or weak control that should be remediated.”

Exposure discovery combined with global threat intelligence

As the first step, Mandiant’s new solution attempts to gain visibility into all the assets belonging to the organization by combining exposure discovery with global threat intelligence. This includes discovery and classification of business-critical assets, assessment for vulnerabilities, IOCs, and misconfigurations, and exposure enumeration.

This attack surface visibility is achieved through Mandiant’s in-house implementations of industry-standard technologies such as external attack surface management (EASM), cyber asset attack surface management (CAASM), and cloud security posture management (CSPM).

“With Proactive Exposure Management, we’re meeting customers where they are in their cybersecurity journey; working with them to build a program based on the existing security stack, skilled headcount, and budget. Apart from EASM, CAASM, and CSPM, the solution also delivers digital risk protection service, breach and attack simulation, and Red Teaming capabilities, training, and mentorship,” Armistead added.

As the second leg of this approach, Mandiant’s exposure management combines threat intelligence from various sources to educate security teams about an attacker’s initial reconnaissance techniques and the entire attack lifecycle. This helps the teams carry out informed, risk-based prioritization of exposure mitigation.

“The solution cross-checks over 250 data sources, including Mandiant Threat Intelligence, NIST’s National Vulnerability Database, CISA’s Known Exploited Vulnerability catalog, and custom content created by Mandiant, to assign severity levels and provide guidance for risk remediation,” Armistead added.
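To make the cross-check concrete, here is a small added example (not Mandiant’s code or scoring) of risk-based exposure prioritization: each finding is checked against an NVD-style CVSS table and a frozen CISA KEV snapshot, exposures that are not CVEs at all (stolen credentials, a missing MFA control) get assumed base weights, and internet exposure and asset criticality act as multipliers. The KEV bonus, the multipliers, the non-CVE weights, and the identifier CVE-2099-0001 are assumptions for illustration; the two real CVE IDs are genuine KEV entries but the snapshot is a constructed sample, not the live catalog.

```python
"""Illustrative risk-based exposure prioritization (added example).

Not Mandiant's scoring: findings are cross-checked against an NVD-style CVSS
table and a CISA KEV snapshot, non-CVE exposures get assumed base weights, and
exposure/criticality multipliers produce a ranking. All data is constructed
inline so the script runs offline.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed KEV snapshot. Both IDs really are KEV entries (Log4Shell and the
# Exchange ProxyLogon SSRF), but this set is a frozen sample, not the live feed.
KEV_SNAPSHOT = {"CVE-2021-44228", "CVE-2021-26855"}

# Constructed CVSS v3.1 base scores in NVD style. CVE-2099-0001 is a
# placeholder identifier standing for a severe but not-known-exploited bug.
NVD_SNAPSHOT = {"CVE-2021-44228": 10.0, "CVE-2021-26855": 9.8, "CVE-2099-0001": 9.1}

# Assumed base weights for exposures that are not CVEs at all.
NON_CVE_WEIGHTS = {"credential": 8.0, "misconfig": 6.0, "control_gap": 5.0}

KEV_BONUS = 5.0             # assumed: known exploitation dominates raw CVSS
INTERNET_FACING_MULT = 2.0  # assumed: reachable from the outside
CRITICAL_ASSET_MULT = 1.5   # assumed: business-critical asset


@dataclass(frozen=True)
class Exposure:
    asset: str
    kind: str             # "cve", "credential", "misconfig", "control_gap"
    detail: str
    internet_facing: bool
    business_critical: bool
    cve: Optional[str] = None


def score(e: Exposure) -> float:
    """Assumed scoring model: CVSS (or a per-kind weight) plus a KEV bonus,
    then multiplied up for external reachability and asset criticality."""
    if e.kind == "cve":
        base = NVD_SNAPSHOT.get(e.cve, 5.0)  # unknown score: assume medium
        if e.cve in KEV_SNAPSHOT:
            base += KEV_BONUS
    else:
        base = NON_CVE_WEIGHTS.get(e.kind, 4.0)
    if e.internet_facing:
        base *= INTERNET_FACING_MULT
    if e.business_critical:
        base *= CRITICAL_ASSET_MULT
    return base


def prioritize(exposures: List[Exposure]) -> List[Tuple[float, str, str]]:
    """Return (score, asset, detail) tuples, highest risk first."""
    ranked = sorted(exposures, key=score, reverse=True)
    return [(score(e), e.asset, e.detail) for e in ranked]


# Constructed findings: two KEV CVEs, one placeholder CVE, and two non-CVE exposures.
SAMPLE_EXPOSURES = [
    Exposure("web-01", "cve", "Log4j JNDI RCE", True, True, cve="CVE-2021-44228"),
    Exposure("exch-01", "cve", "Exchange SSRF", False, False, cve="CVE-2021-26855"),
    Exposure("app-07", "cve", "Placeholder CVE, not in KEV", False, False, cve="CVE-2099-0001"),
    Exposure("vpn-gw", "credential", "Leaked VPN credentials in a public dump", True, False),
    Exposure("erp-db", "misconfig", "Admin console reachable without MFA", False, True),
]

if __name__ == "__main__":
    for s, asset, detail in prioritize(SAMPLE_EXPOSURES):
        print(f"{s:6.1f}  {asset:8}  {detail}")
```

Note what the ranking shows: the internet-facing leaked credential (not a CVE) outranks an internal KEV-listed Exchange server, and the KEV-listed CVE outranks a higher-looking but unexploited placeholder, which is the "exposures go beyond vulnerabilities" point in code form.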

Mandiant’s threat intelligence spans four categories: breach intelligence from annual telemetry of more than 1,100 incident response engagements; adversary intelligence from 385 global intelligence analysts and security researchers as well as daily malware samples; machine intelligence from ML models designed to extract information from attack-related binary files; and operational intelligence from four international cyber threat operations centers serving customers through Mandiant’s managed detection and response (MDR) offerings.

“By leveraging all of these sources of threat, Mandiant is able to curate the most relevant threat intel for customers in real-time,” added Armistead.

Pentesting and real-time intrusion alerts

After identifying the scope of the attack surface and areas of the threat landscape to focus on, Mandiant’s new solution offers a capability to continuously test and validate the effectiveness of the organization’s security controls.

The penetration testing involves attack emulation, using real-world tactics, techniques, and procedures (TTPs) that adversaries use in the wild.

During a red team or penetration test, Mandiant consultants and customers jointly agree upon the mission objectives, and the consultants then simulate attacker behavior and TTPs across the attack lifecycle.

“At the beginning of the engagement, they will scope the testable attack surface to identify potentially vulnerable assets using various open source intelligence tools and techniques for initial reconnaissance. The consultants will then attempt to gain initial access by exploiting vulnerabilities or through social engineering attacks,” Armistead added.

Depending on the agreed-upon mission objective, the consultants may either deploy a command and control (C&C) infrastructure or move laterally. This process continues until the team achieves the mission objective.

Customers that want to manage the testing themselves can use Mandiant Security Validation to emulate threat actor TTPs across the full attack lifecycle, according to Armistead.

Mandiant’s security validation verifies whether a customer’s existing controls alert on or block specific attacks, which in turn identifies gaps, misconfigurations, and opportunities for optimization.

Mandiant also uses breach analytics to map IOCs to security events logged in a customer’s environment. This is achieved through a combination of Mandiant threat intelligence, analytics, and ML, which takes curated IOCs recovered from active and ongoing incident response engagements and matches them against the events in a customer’s environment. When a match is judged relevant, it alerts the security team to a possible attack in progress.
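The matching step above is easy to get wrong in a naive implementation, so here is an added example (not Mandiant’s breach analytics) of the core mechanics: curated IOCs arrive defanged and inconsistently cased, so they are normalized first; log events are parsed into fields and compared field-by-field against the indicator type, rather than by substring search, so that 198.51.100.230 does not fire on an indicator for 198.51.100.23. The key=value log format, the field-to-indicator mapping, the confidence labels, and every IOC and log line are constructed for the example (reserved RFC 5737 / RFC 2606 values and a placeholder hash), not taken from any real incident.

```python
"""Illustrative IOC-to-log matching (added example, not Mandiant's code).

Normalizes a curated IOC set (defanged domains, mixed-case hashes), parses
constructed key=value events, and alerts only on exact per-field matches.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Ioc:
    kind: str        # "domain", "ipv4", "sha256"
    value: str
    confidence: str  # assumed labels: "high" / "medium"


def refang(s: str) -> str:
    """Intel feeds are usually defanged so indicators are not clickable; undo that."""
    return s.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def normalize(ioc: Ioc) -> Ioc:
    v = refang(ioc.value.strip())
    if ioc.kind in ("domain", "sha256"):
        v = v.lower().rstrip(".")   # case-insensitive types; drop trailing FQDN dot
    return Ioc(ioc.kind, v, ioc.confidence)


# Constructed curated IOC set: a defanged FQDN with a trailing dot, a reserved
# documentation IP, and an upper-case placeholder hash.
CURATED_IOCS = [
    Ioc("domain", "update.EXAMPLE[.]net.", "high"),
    Ioc("ipv4", "198.51.100.23", "high"),
    Ioc("sha256", "AB" * 32, "medium"),
]

# Constructed sample events in an assumed key=value format. The last line is a
# near-miss: the destination IP merely contains the indicator as a prefix.
SAMPLE_LOGS = [
    "ts=2023-04-14T10:01:02Z type=dns host=ws-017 query=update.example.net rcode=NOERROR",
    "ts=2023-04-14T10:01:05Z type=netflow src=10.0.4.17 dst=198.51.100.23 dport=443",
    "ts=2023-04-14T10:02:11Z type=process host=ws-017 image=C:\\Users\\a\\tmp\\svc.exe sha256=" + "ab" * 32,
    "ts=2023-04-14T10:03:00Z type=dns host=ws-018 query=mail.example.com rcode=NOERROR",
    "ts=2023-04-14T10:03:30Z type=netflow src=10.0.4.18 dst=198.51.100.230 dport=443",
]

# Assumed mapping from log field to the indicator type it can legitimately match.
FIELD_KINDS = {"query": "domain", "dst": "ipv4", "src": "ipv4", "sha256": "sha256"}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    return dict(KV_RE.findall(line))


def match_iocs(lines: List[str], iocs: List[Ioc]) -> List[Dict[str, str]]:
    """Return one alert dict per (event, field) that exactly matches a curated IOC."""
    index = {(i.kind, i.value): i for i in (normalize(x) for x in iocs)}
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for field, kind in FIELD_KINDS.items():
            if field not in ev:
                continue
            val = ev[field] if kind == "ipv4" else ev[field].lower().rstrip(".")
            hit = index.get((kind, val))   # exact typed lookup, not substring search
            if hit:
                alerts.append({
                    "ts": ev.get("ts", ""),
                    "host": ev.get("host", ev.get("src", "")),
                    "field": field,
                    "kind": kind,
                    "ioc": hit.value,
                    "confidence": hit.confidence,
                })
    return alerts


if __name__ == "__main__":
    for a in match_iocs(SAMPLE_LOGS, CURATED_IOCS):
        print(f"{a['ts']} {a['host']:8} {a['kind']:6} {a['field']}={a['ioc']} ({a['confidence']})")
```

Three alerts fire (the DNS query, the netflow destination, and the process hash); the near-miss on 198.51.100.230 does not, which is the difference between matching typed fields and grepping raw lines.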

“Establishing an exposure management program enables CISOs and security leaders to shift left from fully reactive to a proactive security posture. Instead of talking in terms of theoretical risk, security can motivate stakeholders to take action against very specific, known threats and exposures,” Armistead said.