Video: 10 Minute IT Jams - Another update from Mandiant
Mandiant believes cyber threats are evolving rapidly.
Charles Carmichael, Chief Technology Officer at Mandiant Consulting, says organisations can no longer assume they are immune. "Mandiant is a cyber security organisation that was founded about 20 years ago based on the premise that breaches are inevitable," he said. "What we wanted to do is help organisations both respond to security events but also prepare for and mitigate the risk and the impact of those events."
Speaking on the "10 Minute IT Jams" podcast, Carmichael outlined how Mandiant, recognised internationally by enterprises, governments, and law enforcement agencies, has developed market-leading threat intelligence from experience on the cyber frontlines. He explained that Mandiant's data-driven approach has revealed striking patterns in hackers' behaviour. "What we've learned over the years is that threat actors operate in very similar ways and they follow a similar methodology and so it's easier for us to help companies defend against threats based on what we've learned from responding to intrusions," he said.
When asked what keeps chief security officers (CSOs) awake at night, Carmichael pointed straight to "the threat of multifaceted extortion."
This attack model, he explained, goes well beyond traditional ransomware. "It's a combination of ransomware, a combination of data theft, a combination of extortion," Carmichael said. "Threat actors today that are financially motivated… gone are the days where they steal credit card numbers to try to sell that on the dark web… they could conduct an intrusion operation in a few days and extort a company for a few million dollars."
According to Carmichael, attackers deploy a calculated blend of pressure tactics, from encrypting data and threatening to release sensitive information to personally targeting employees and even their families. "They're creating a lot of disruption to companies. They're creating a lot of pressure in a lot of different ways," he added.
Carmichael pointed to a recent Mandiant report that found 'dwell times' — the period between a cybercriminal breaching a system and being detected — have decreased globally. While some might interpret this as progress, the picture is complicated. "I'll start by saying that there is a larger volume of intrusions where the threat actors are announcing their presence in the environment by way of writing encryptors across an environment and leaving an extortion note," he said. "They're telling the victim organisation that they're there and they're conducting their intrusions in a much quicker pace.
"Gone are the days where a threat actor may be stealing data from an environment for many, many months." Carmichael explained that financially motivated hackers now often want to "conduct as much disruption as they possibly can to pressure the company into paying [an] extortion demand."
However, he did acknowledge that organisations are making real improvements. "Certainly companies are getting better at cyber security — they're buying new technologies, they're hiring new people, they're building new processes. They definitely are getting a lot better at security," he said.
Despite this, he noted that it still takes "on average a few weeks for organisations to learn that there is a security event," though this is faster than a few years ago, when hackers could lurk undetected for many months — or even years — particularly in the Asia Pacific, Australia, and New Zealand regions.
Drilling down into the Asia Pacific (APAC) region, Carmichael identified two key types of threat actors. "The first is the group… conducting multifaceted extortion. They are typically folks operating out of Eastern Europe that are financially motivated that will create disruption to get paid," he explained.
The second major category is more shadowy. Carmichael described "espionage operators that are breaking into organisations to steal information not necessarily to sell it but to use it for either political, economic or military advantage." These attacks tend to be more subtle and can persist over a "prolonged period of time" — sometimes years.
"In certain countries we see certain threat actors conducting longer scale intrusions," he said. "I think the espionage operators are having some substantial impact here in Australia but [it's] not really talked about very openly."
Asked about Mandiant's priorities for the future, Carmichael outlined an intense caseload supporting organisations dealing with breaches and building better defences. "We're helping a lot of organisations continue to build their cyber security defences and so there's a lot of time that we're spending on that right now," he said.
He also highlighted Mandiant's integration with Google Cloud services. "We're trying to collaborate with the Google Cloud and the broader Alphabet organisation as much as it can to share threat intelligence, to share a lot of frontline learnings about what we're seeing from a threat perspective, what we're seeing clients asking for," Carmichael said. He described ongoing work on "improvements and integrations to the Google Chronicle product and a variety of other security products that we've got out there."
For those wanting to learn more about Mandiant's research, Carmichael recommended visiting the company's blog. "We've got a lot of research that we put out there, whether it's threat research that we're learning about based on intrusions that we're investigating or just the way that we are using AI to help us better defend networks," he said. "We've got a great blog out there that describes how many Mandiant consultants are using AI — you know, Bard, ChatGPT and a variety of other technologies — to help us streamline what we do on a day-to-day basis."
In closing, Carmichael summed up the company's mission in a rapidly changing cyber landscape. "It's been a pleasure having you on the jam, Charles, and learning more about Mandiant and what you guys do. We look forward to hearing more from Mandiant very soon," the host concluded.
"Awesome, thanks so much Tom," Carmichael replied.