Mandia: Keep ‘Shields Up’ to Survive the Current Escalation of Cyberattacks

As Mandiant CEO Kevin Mandia’s company prepares to become part of Google, the incident response firm continues to investigate many of the most critical cyber incidents.

RSA CONFERENCE 2022 – San Francisco – Back in the early 2000s when Mandiant was a small consulting firm in Northern Virginia, Kevin Mandia typically worked on just one incident response (IR) case at a time. Today, Mandia’s team at the now IR giant Mandiant – which Google is in the process of acquiring – works on more than a half-dozen cases concurrently.

The volume of attacks is growing, especially over the past year, according to Mandia. In the recent IR cases Mandiant has been investigating, zero-day attacks and pilfered credentials have become the weapons of choice for infiltrating an organization, overtaking phishing.

“A lot of customers are saying, ‘How long do we have to have our Shields Up?’” he said, in reference to the Cybersecurity and Infrastructure Security Agency’s (CISA) current slogan warning organizations to operate at heightened alert amid increasing cyber threat activity. “I think you have to keep [them] up. That’s a lesson we’re learning this year,” Mandia said in an interview with Dark Reading this week.

“The impact of a breach is so much graver now,” he said. Not only are ransomware and extortion getting more brazen and chaos-causing with public data leaks and digital blackmail, but cybercriminals are basically catching up with nation-states when it comes to exploiting expensive zero-day vulnerabilities in software, he said.

“In the early days, zero-days were the purview of governments. In 2017, you started to see criminal elements arming a zero-day,” he said. Today, it’s close to a 60-40 split, with nation-states still leading in zero-day attacks but with criminals not far behind. “That came sooner than I thought,” Mandia added. “It just tells you how much money you can make hacking.”

Silver Lining

But if there’s a bit of good news, it’s that organizations calling on Mandiant for help with an incident are spotting their intrusions sooner: “We’re getting hired earlier in the breach process, and there’s less [attacker] dwell time,” he said.

Specifically, Mandiant saw the length of time attackers remained unnoticed on a victim’s network drop to 21 days in 2021, down from 24 days in 2020. That downward trend has held steady for the past four years in Mandiant’s IR cases.

There’s also a sense of urgency now among cybercriminals to ensure they snag the valuable data or demand their ransom for stolen data, Mandia said. “I was told today that the dwell time frame used to be that they had access for about seven days, and that’s coming down to four to five days now. That speed means it’s getting harder to monetize,” and cybercriminals have to work faster and more publicly to make their money, he explained.

And the stakes are higher than ever for CISOs trying to deter and deflect a big breach. “This is the hardest year to be a CISO,” he said. “Now you’re [also] protecting your people threatened online, your employees, your customers. It’s so much, and it’s an unfair fight with [mostly] no risk of repercussions for the bad guys.”

The threat includes the recent wave of phony or impossible-to-prove public data leak claims by threat actors and other fraudsters attempting to shake down or defame a victim organization. 

“It’s impossible to prove a negative,” Mandia said of these phony breach declarations that emerge. And organizations are forced to investigate an intrusion that may not even have occurred. 

“It’s becoming more frequent,” he said of this latest form of pressure by cybercriminals. “There’s nothing harder to respond to: something that’s public, [where] the hacker is vocal and making claims. And a company can’t dispute them [at first] because they have to figure out the answers first. Those are terrible situations.”

That hit close to home for Mandia because, while Dark Reading was interviewing him on Monday, Mandiant itself became the subject of a fake breach assertion by the LockBit ransomware gang, which posted on Twitter that it had hacked the IR company. The claim appears to have been retribution for a recent ransomware report by Mandiant. 

“Based on the data released, there are no indications that Mandiant data has been disclosed,” Mandiant said in a tweet today about the claims. “Rather the actor appears to be trying to disprove our June 2, 2022 research on UNC2165 and LockBit. We stand behind the findings of this research.”
