

The Defender's Advantage Podcast
Mandiant
Learn about the latest threat and cybersecurity trends on The Defender’s Advantage Podcast! Hear from experts in the field as Host Luke McNamara, from Google Threat Intelligence Group, interviews analysts, researchers and other guests on the frontlines of the latest attacks. Episodes dive deep into various topics, including nation-state activity, cybercrime, malware and tradecraft, incident response, defensive guidance, and more. Don't forget to subscribe!
Episodes

Jun 10, 2021 • 43min
Low Sophistication Threat Actors Continue to Target OT
On this episode we have Daniel Kappelman Zafra, a manager on Mandiant’s Cyber Physical Threat Intelligence team, to discuss a recent blog he and his team have released on the trend of lower sophistication threat actors targeting operational technology (OT). We discuss a precursor blog they put out last year, specific to this trend and the usage of ransomware by financially motivated actors to OT, and we talk about what Daniel is seeing change in this space. Our conversation touches on the various motivations that appear to be shaping this activity, and what it means for the potential proliferation of this as a tactic for hacktivists, opportunistic threat actors, and more. One of the things that I think really comes across in this episode is the thoughtful analysis that Daniel and his team apply to ascertaining the drivers of this trend and where it may be going. It’s an insightful look into an area of threat activity we will likely continue to see headlines around this year. For more information on the discussion in this episode of Eye on Security, please check out the aforementioned blogs:
- https://www.fireeye.com/blog/threat-research/2021/05/increasing-low-sophistication-operational-technology-compromises.html
- https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html

May 19, 2021 • 40min
How Mandiant is Helping Governments Build Cyber Capacity
Host Luke McNamara is joined by Paul Tumelty, Government Security Manager, to discuss how Mandiant is partnering with governments in EMEA to help foster cyber capacity building in nations across the region. Paul walks through how governments are thinking about this, from the crafting of high-level strategies to working through the tasking of the appropriate entities for cyber defense, and establishing relationships with the private sector and beyond. Paul also highlights some of the challenges—and even advantages—that various nations may have depending on where they are in their journey of establishing a government framework to better address a changing threat landscape, especially in areas such as critical infrastructure protection. What Luke found particularly interesting and exciting about the work Mandiant is doing in this space is the holistic approach Paul and his team are taking—beyond just ensuring the implementation of the right technologies—but looking at every aspect of what contributes to a nation’s strategy to continuously provide for a defense that can meet emerging threats. Luke and Paul even discussed the importance of early education initiatives to help foster the future workforce as part of capacity building.

May 4, 2021 • 23min
Pandemic Impacts to the Cyber Threat Landscape
In the latest episode of Eye on Security, we invited Jens Monrad, Head of Mandiant Threat Intelligence, EMEA to join Luke for a conversation on how the threat landscape has changed in the past year and how it continues to be impacted by the ongoing pandemic. We reviewed the cyber events of the past year: pandemic-themed phishing, multiple APT campaigns against vaccine research and development, and ransomware targeting healthcare systems. Jens revealed that the biggest change still impacting the cyber threat landscape is the sheer volume of people working from home. He also highlighted the potential increase in the cyber criminal ecosystem due to job losses, and how individuals might turn to cybercrime in order to make money. Check out the episode now to hear how the pandemic has impacted APT activity and disinformation campaigns. Jens also shares a unique piece of advice on the threat landscape that is helpful to remember as we all work to better secure our environments. For additional information on how the pandemic and more is influencing the cyber threat landscape, check out our latest M-Trends 2021 report.

Apr 28, 2021 • 28min
Automated Defense Brings New Features to Mandiant Advantage
Mandiant Advantage, our SaaS platform, was always intended to house more than just our threat intelligence—and now it does. With the addition of Mandiant Automated Defense and Mandiant Security Validation, we are continuing to roll out new features in a platform that is easily accessible, as well as easy to deploy and scale. Mike Armistead, SVP of Mandiant Advantage Products, joined host Luke McNamara to discuss what security teams will be able to do with these new features. Mike joined FireEye during the Respond Software acquisition, in which Respond’s solution became what is now known as Mandiant Automated Defense. Mike shared how the addition of Mandiant Automated Defense to the Mandiant Advantage platform enables the automation of tier one triage alerts. One thing that really stuck out about their conversation is how weaving together Mandiant Automated Defense, Mandiant Security Validation, and Mandiant Threat Intelligence helps organizations prioritize threats that matter to them, fast. Listen to this episode to get a walkthrough of how a SOC analyst can use the Mandiant Advantage platform to access intel about an alert they receive. You’ll also get a glimpse into what’s next for the Mandiant Advantage platform.

Apr 22, 2021 • 47min
The Making of an M-Trends Report
Have you ever wondered what it takes to develop our annual M-Trends report? The short answer is: a whole lot! Our host Luke McNamara asked Regina Elwell, Senior Principal Threat Analyst on the Advanced Practices Team, and Steve Stone, Senior Director for Advanced Practices, to take us behind the scenes so we can see exactly what goes into building an edition of M-Trends. Steve started by discussing the sheer amount of data collection that is required, and how the team has to pore over this data—which comes directly from our incident response investigations—to determine what is a trend and what is not. Regina and Steve also touched on the evolution of the report from its first iteration in 2011. Not surprisingly, the reports have gotten more robust and include new data points almost every year. We also discussed some of the highlights from our latest report, M-Trends 2021, and interpreted some of the key findings, including drops in median dwell time, increases in internal detections, impact of ransomware, and notable malware families from 2020. Additionally, we covered some of the process and approach Mandiant puts into grouping new threat groups (UNCs) and Steve and Regina’s favorite threat actors. Listen to the podcast now, and when you’re done, read the full M-Trends 2021 report.

Apr 12, 2021 • 50min
The "Big Four": Spotlight on Russia
We are wrapping up our “Big Four” series with a country that has been one to watch for quite some time: Russia. And who better to join me for this episode than our Vice President for Mandiant Threat Intelligence, John Hultquist. We started off this episode discussing how Russian cyber threat activity evolved to what we know today, from the days of Moonlight Maze and Agent.BTZ. We then shifted the conversation to some of the most notable Russian threat groups and the difficulties of assigning attribution at the organizational sponsorship level. While many APT groups from the “Big Four” may blend together various types of threat activity, Russia has utilized a particularly interesting mix of cyber espionage, information operations, and disruptive attacks over the years. John brought up many notable Russian incidents, including: the Olympics, the Ukrainian power grid, the targeting of elections, and the SolarWinds supply chain breach. We also discussed some of the challenges in communicating threat intelligence to both customers and wider audiences. To cap off the series, John delved into how organizations should think about not only Russian threat activity, but the operations and campaigns from North Korea, Iran, and China. You can stay ahead of threat actors like those from the “Big Four” by joining Mandiant Advantage Free where you’ll have access to up-to-the-minute threat intelligence: http://feye.io/MA

Mar 24, 2021 • 1h 12min
The "Big Four": Spotlight on China
The third installment of our “Big Four” series on China is filled with so much great information that it’s our longest episode yet. Lloyd Brown, Principal Analyst for our Custom Intel Team, and Scott Henderson, Principal Analyst for our Cyber Espionage Team, joined our host, Luke McNamara to peel back the layers of China’s cyber capabilities. Similar to past episodes in this series, we started at the beginning of China’s cyber operations—dating back to 2003. Scott and Lloyd took us through a detailed look at all the stages of China’s operations, including the shift in 2015/2016 from being “clumsy and noisy” to stealthy. Lloyd brings up a great point that’s worth hearing about their use of CVE exploits (which came into play with the recent Microsoft Exchange server exploits). We also discussed how China’s cyber activity is driven by economic interests such as the Belt and Road initiative, the nature of their operations surrounding global elections, APT41’s cybercrime activity in addition to cyber espionage, and where they think China’s operations are headed. You’ll definitely want to stick around to the very end. Since our initial recording occurred before the Microsoft Exchange exploits, Luke decided to follow up with Lloyd to get his take on HAFNIUM and the UNC groups we’re tracking related to that activity. Know the threats that affect your organization with up-to-the-minute threat intelligence by signing up for Mandiant Advantage Free: http://feye.io/MA

Mar 16, 2021 • 25min
An Inside Look into How Reddit Fights Cyber Threats
How does Reddit handle malicious or suspicious coordinated activity on their platform? Our host Luke McNamara asked Aylea Baldwin, Threat Intelligence Lead at Reddit, to answer that question and more during this episode of Eye on Security. During the discussion Aylea shared a few ways Reddit is unique compared to other social media networks—its tolerance for varying levels of behavior on different communities, the lack of user data collection, and the way posts are amplified through voting. The voting feature is unique to Reddit and Luke was curious to know how threat actors leverage it as part of their influence campaigns. As it turns out, the answer to that question isn’t so simple since foreign actors have to get buy-in from people to up-vote their posts. We ended our conversation with Aylea’s thoughts on the future of disinformation and deep fake technology, which is a concern in the security and many other industries, and something that can have a huge influence on sites such as Reddit.

Mar 8, 2021 • 37min
Tackling Digital Safety for Women
Did you know that women are disproportionately affected by cybercrime, cyber stalking, cyber bullying, cyber harassment, and image-based sexual abuse? We asked Cris Kittner, Principal Analyst at Mandiant Threat Intelligence, and Lillian Teng, Director of Threat Investigations from Verizon Media to join us for a discussion around their recent talk on digital safety for women and practical strategies women of all ages can take to increase their online safety. Cris and Lillian provided their reasons and motivations for putting together the talk, which they first presented at the Grace Hopper Celebration in 2020. They highlighted the connection between physical and cyber stalking and the need for these conversations to be normalized. Far too often, Cris and Lillian heard from young professionals that they believed the cyber harassment that was happening to them in the workplace or at conferences was “normal.” To combat the issues many women are facing online, Cris and Lillian provided a list of practical considerations that women should follow, such as using a password manager, knowing what permissions are being given to third-party applications, understanding that Snapchat images can be recovered, adjusting (or eliminating) location tags, and how to report abuse happening on social media sites. Listen to the episode today for online safety strategies that can help you or a loved one stay safe online.

Feb 22, 2021 • 32min
The "Big Four": Spotlight on Iran
We’re back with the second episode of our “Big Four” series focused on North Korea, Iran, China, and Russia. We honed in on Iran for this one, and to help explore their cyber capabilities, we invited Sarah Hawley, Principal Analyst for Mandiant Threat Intelligence, and Lee Foster, Senior Manager of Information Operations Analysis. Sarah kicked off the episode by providing an overview of Iran’s past offensive cyber activity and how these capabilities have developed over the years. Lee shared how they have also grown their usage and willingness to use information operations (IO) and how his team approaches attribution and analysis of this disinformation activity. We then touched on drivers of Iranian cyber threat and their apparent increasing willingness to target democratic processes. Sarah also discussed Iran’s destructive activity going after industrial targets in the oil and gas sectors through password spraying and spear phishing operations. As always, we closed out the episode with thoughts about what Sarah and Lee think we might see from Iran’s cyber operations in the coming years. Listen to hear their predictions and stay tuned for our upcoming episodes on China and Russia. Listen to the podcast now, check out the “Big Four” episode on North Korea if you haven’t already, and then head over to our Eye on Security page for even more episodes.


