DoD Cyber Crime Conference Presentation: Recipes for Remediation

Wendi Rafferty and I presented at the DoD Cyber Crime conference in Atlanta, GA. Our presentation, “Recipes for Remediation: Key Ingredients for Building a More Resilient Security Program,” has been posted to the MANDIANT Archive Presentations page here.
During our presentation we covered the lifecycle common to many Advanced Persistent Threat (APT) attacks and then outlined several case studies to illustrate countermeasures organizations have successfully deployed to combat the APT.  The following items were key points we covered during the workshop:
1.       “This can happen to you!” The time to begin preparing for these activities is now, prior to an incident.
2.       Organizations should define remediation success as removing today’s attackers from the environment and improving visibility such that subsequent attacks will be detected more quickly. It is not reasonable to define success as eliminating the APT threat, or as preventing the APT from re-compromising systems in the environment.
3.       Developing a remediation plan is not a one-size-fits-all process. Among other items, successful plans need to consider the attacker’s techniques and capabilities, the organization’s current visibility across their networks and systems, and resource constraints. Organizations can help prioritize remediation activities, given limited time and resources, by considering how each proposed activity helps detect, contain, or respond to the various stages of the attack lifecycle.
4.       MANDIANT has seen numerous organizations succeed at remediating APT intrusions by planning for (continue reading...)