The Defender's Advantage Podcast
Mandiant
Learn about the latest threat and cybersecurity trends on The Defender’s Advantage Podcast! Hear from experts in the field as Host Luke McNamara, from Google Threat Intelligence Group, interviews analysts, researchers and other guests on the frontlines of the latest attacks. Episodes dive deep into various topics, including nation-state activity, cybercrime, malware and tradecraft, incident response, defensive guidance, and more. Don't forget to subscribe!
Episodes
Aug 21, 2020 • 32min
Making Sense of Cyber Threats at Scale with Strategic Intel
The Strategic Analysis team at Mandiant Threat Intelligence examines hundreds of discrete data points from numerous sources, distilling trends from that raw information to identify the most important, common, and damaging cyber threats clients should prioritize in their defensive strategies. That’s what we’re talking about on this week’s episode of Eye on Security with our guest Kelli Vanderlee, Manager of Strategic Analysis at FireEye. Kelli shares the types of topics the team covers, including industry and geographic-based reporting, trend analysis looking at the evolution of actor types or tactics over time, and examinations of cyber risks associated with common business situations, such as mergers and acquisitions. Kelli and Luke also discuss the evolving role of Chinese cyber espionage actors and how they may be becoming more aggressive and risk-tolerant than previously believed. We also delve into how the Belt and Road Initiative is driving cyber espionage—from China and other nations. In terms of the geopolitics driving cyber activity, Kelli believes we will continue to see more nation-states invest in cyber capabilities, as the rewards for this type of activity often outweigh the risks. Listen to the episode to learn more about strategic analysis and the trends Kelli’s team is tracking in 2020.

Jul 31, 2020 • 22min
Behind the Scenes with Mandiant Security Validation
You’ve heard of security validation and know that it’s necessary to test your security effectiveness, but do you know how our team develops the right attacks to test your controls against threat activity we see in real life? On this episode of our Eye on Security podcast, Henry Peltokangas, Director of Product Management, and Nart Villeneuve, Director of Research & Collections, give us an inside look at what goes on behind the scenes at Mandiant Security Validation. We begin our chat by discussing some of the key benefits of security validation. We then dive into the research Henry’s team conducts to take tactics and techniques that adversaries use in the real world and replicate them within the Mandiant Security Validation platform. Nart and Henry go on to discuss how Mandiant Security Validation replicates adversary activity across every stage of the attack lifecycle, and then explain exactly why that is important. Finally, we wrap up the episode by previewing some new features in upcoming releases, and how Henry and Nart see security validation evolving in the future. To view the whitepaper mentioned during the episode, visit: https://www.fireeye.com/current-threats/annual-threat-report/security-effectiveness-report.html

Jul 15, 2020 • 34min
Unique Threats to OT and Cyber Physical Systems
In the latest episode of Eye on Security, our host Luke McNamara talks all about the world of operational technology (OT) and cyber physical systems with one of our foremost experts on the topic: Nathan Brubaker, Senior Manager of Analysis for Mandiant Threat Intelligence. Nathan kicked off the chat by explaining what exactly we mean when we use the term ‘cyber physical.’ They then turned their attention to related threats. As it turns out, there are far fewer attempts by attackers to target these systems than one might believe. Nathan went on to discuss some of the fundamental differences between OT and information technology (IT) systems, and then explained how OT is becoming more similar to IT, which makes those systems more vulnerable to compromise. Fortunately, even though OT security typically lags behind that of IT systems, it’s definitely moving forward in the right direction. Listen to the podcast today, and check out the following blog posts referenced by Nathan during the episode:
• Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families: https://feye.io/2Wn6jlr
• Monitoring ICS Cyber Operation Tools and Software Exploit Modules To Anticipate Future Threats: https://feye.io/2B5WrVI
• Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT: https://feye.io/3j4l1Y5
• The FireEye Approach to Operational Technology Security: https://feye.io/2DImy5T
• TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping: https://feye.io/2Wk58CX

Jun 16, 2020 • 22min
Eye on APAC: Cyber Security & Threats in Asia Pacific
We commonly see the same threat actors, techniques and malware popping up in all corners of the globe, but that doesn’t mean each region isn’t affected differently. In this episode, our host Luke McNamara, Principal Analyst for Mandiant Threat Intelligence, is joined by Yihao Lim, Principal Analyst for Mandiant Threat Intelligence, to discuss cyber security and threats related specifically to the Asia Pacific (APAC) region.

May 13, 2020 • 10min
Stay Secure While Using Collaboration Platforms
COVID-19 has brought on a rapid shift to remote work. Many organizations were unprepared, so they quickly turned to collaboration platforms that could help employees get back to work. But with more applications comes a bigger attack surface. On today’s Eye on Security podcast, Luke McNamara, Principal Analyst for Mandiant Threat Intelligence, talks with Marcus Troiano, Managing Consultant for Mandiant, about collaboration platform security. We begin the episode by discussing overall best practices for collaboration tools, including those used for chatting, video and audio conferencing, and file sharing. The increased use of these tools has made them a bigger target of attackers, and organizations need to ensure employees are aware of and protected against relevant threats. Later in the episode, Marcus and Luke discuss issues surrounding the use of personal devices for work, which can lead to issues such as accidental data leakage. We also provide a list of recommendations on how to keep virtual meetings secure so no one can listen in on a meeting, as well as how to properly share a screen without inadvertently disclosing confidential data. Listen to the episode today, and check out our related blog post for even more information: https://www.fireeye.com/blog/executive-perspective/2020/04/security-best-practices-for-collaboration-platforms.html

May 5, 2020 • 16min
Getting Ready for a New Era of COVID-19 Related Phishing
COVID-19 has rapidly taken over the headlines across the globe. As with many other major events, threat actors are quick to adapt relevant topics as part of their phishing campaigns to increase the likelihood of success. The same rings true for COVID-19, especially due to its global impact. On this latest Eye on Security podcast, John Atrache, Principal Consultant for Mandiant, joins me to discuss all things email in the time of COVID-19. We cover a variety of topics, including how threat actors are continuously updating their phishing campaigns as new developments around the pandemic arise. We also cover the importance of organizations increasing their vigilance during these challenging times, and how to implement quick and effective hardening controls to mitigate the risk of a successful phishing attack. Listen to the episode today, and then learn even more by checking out our blog post on COVID-19 themed phishing attacks and how to manage email phishing risks: https://www.fireeye.com/blog/executive-perspective/2020/03/managing-email-phishing-risks.html

Apr 21, 2020 • 21min
A Deeper Discussion About M-Trends 2020, Part Two
We are back with the second part of our M-Trends podcast where Luke McNamara, Principal Analyst, continues discussing highlights and insights from this year’s report with Jurgen Kutscher, EVP of Mandiant Solutions. We pick back up with the nature of multiple attackers in an environment—notably, whether or not they are aware of other attackers in the environment and if they are collaborating. Jurgen then discusses the rise of insider threats and how organizations can improve the monitoring and detection of insider threats. Ransomware use continues to rise—attackers are having success and generating revenue, so we don’t expect this trend to level off any time soon. Jurgen provides steps that organizations can take to reduce their risk of falling victim to ransomware, and suggests organizations take a look at our ransomware white paper for more containment strategies: https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/wp-ransomware-protection-and-containment-strategies.pdf Check out our podcast today, and also hear Jurgen’s top cyber security recommendations for 2020.

Apr 18, 2020 • 18min
A Deeper Discussion About M-Trends, Part One
FireEye released M-Trends 2020 earlier this year to provide visibility into frontline investigations of the most interesting and impactful cyber attacks of the year. In this first episode of our two-part M-Trends 2020 podcast, Luke McNamara discusses the report with Jurgen Kutscher, EVP of Mandiant Solutions. We begin the episode by highlighting the key themes from M-Trends 2020, such as dwell time and the continued exploitation of legitimate credentials. Jurgen discusses the decrease in dwell time and whether it’s due to organizations getting better at detections or the changing nature of attacks. You’ll also hear about trends in cloud security and recommendations for the healthcare industry when it comes to cloud, as well as insights into compromise detection by third parties. Listen to the podcast today to dive into M-Trends 2020, and be sure to tune in for part two where we discuss insider threats, ransomware, and Jurgen’s recommendations for the year ahead.

Mar 24, 2020 • 36min
S3E3: M-Trends 2020 Dwell Time is a Swell Time
In this latest episode, we featured M-Trends contributors Dominik Weber (Director - FLARE) and Dan Perez (Manager - Adversary Pursuit) to take us on a deep dive of our annual M-Trends report. We discussed how key metrics from our incident response investigations changed, including: dwell times, source of notification, number of threat actors tracked, and malware families/trends broken down by operating system. Additionally, we highlighted things that stood out to Dominik and Dan, including:
- Malware that used email for command and control
- Malware that leveraged cryptography to protect further stages from analysis [execution guardrails!]
- How FLARE determines whether a malware sample is a "new" family vs a variant of an existing family we've seen before
- Targeted ransomware trends
- Chinese threat groups who have been active lately (APT40, APT41, APT5, and several uncategorized clusters), as well as how the recent US Justice Department indictments may have impacted operations by those APT groups
- Dominik's involvement in the annual FLARE-On challenge and what it's like to create a challenge (encrypted web shell)
For the full M-Trends report, visit: https://www.fireeye.com/current-threats/annual-threat-report/mtrends.html
To find out more about the FLARE-On challenge, visit: http://flare-on.com/

Nov 19, 2019 • 17min
The Cloud Revolution and the Future of the SOC
Cloud security is more important today than ever before. Luke McNamara was joined once again by Martin Holste, CTO for Cloud at FireEye, Chris Schreiber, FireEye product strategist, and JR Weiks, FireEye security principal engineer. In this second of two podcasts on cloud security, they examine how the point products and various processes that make up cyber security today will set the stage for the future of security operations centers (SOC). The ideal way to initiate this transformation to the SOC of tomorrow is with a single cyber security platform such as FireEye Helix, which is a cloud-hosted security operations platform. Integrating visibility, protection and detection with advanced analytics is not a dream of the future, but an achievable reality right now. Check out the podcast, and also learn more about how FireEye Helix seamlessly integrates disparate security tools and augments them with next generation SIEM, orchestration and threat intelligence capabilities to capture the untapped potential of security investments.