Security Validation

Today, the Mandiant Intelligence Validation Research Team (VRT) published VHR20240904 - Content Expansion, a Security Content Pack focusing on CVE-2024-0778, CVE-2024-3272, and Campaign 24-023.  This content pack includes 12 new Actions and 9 new Files. For full details on this release, see the Release Notes on the Mandiant Documentation Portal.

How to get security alert from browsers?

Hi everyone,I’m running an (PII Removed by Staff) and want to ensure the highest level of security for our user data on Google Cloud. What are the best practices for securing sensitive information and protecting against breaches?Thanks for your advice!

Hi All,I'm receiving the following error when attempting to access an advisory notification."you have insufficient permissions to access the resource, or because a Principal Access Boundary policy is blocking your access to the resource. "Clicking the link using any account including super admin gives the same error.Thanks,-BPIT

Many MSV deployments include multiple on-premise actors and one or two Mandiant cloud hosted actors. Many use cases like data extraction or malicious file transfers (MFT) will require that the on-premise actors can communicate with the cloud hosted actor. Mandiant requires clients to submit a list of public IP addresses that the on-premise actors will use to communicate with the cloud hosted actor. The MSV operator often does not know this information and may resort to an internal ticket or inquiry to a network administrator to find this information out and that can take more time than wanted. A simple and faster alternative is to create Host-CLI actions utilizing the cURL utility to identify the egress IP address of each on-premise actor. Yes, this works on network actors as they are linux based and can run Host-CLI actions using a bash shell. An action for multiple shell types can be similarly created as cURL is supported on many OS platforms including windows (cmd.exe or po

The MSV Report Builder is a powerful analytics tool. It is easy to get carried away with all the widgets available after running a campaign of attack simulations and emulations when crafting an Executive Debrief Report . A Debrief should be "brief" but also stick to a set of simple principles. In this case less is more for those who are charged with making risk decisions.  The report template should include a text section to record the analysis and just enough data widgets (graphs, charts, tables) to back up and color the analysis. The analysis itself should be recorded in "your" words using concise sections like : Objective, Scope,  Performance Analysis, Key Issues (good & bad), Potential Solutions and/or Next Steps. Using a debrief process that simply presents fair and concise information to  those in charge of risk will help empower them to make decisions in the best interest of your data assets. Example Debrief Report

Probably the most asked question in all of Mandiant Security Validation.  In over 4 years, this question has been asked by customers I work with hundreds of times.  While there's a hundred possible reasons the log wasn't matched to the action, there's only a few questions needed to figure it out. First and foremost, was there actually a log generated? MSV cannot find something that does not exist. Windows group policies and many other types of security protections may not generate a log. Never fear, the next question can help answer this one.  What kind of action is it? Seems kind of simple, but knowing what kind of action it is will narrow the search drastically.  Malicious file transfer actions are not written to disk, so don't expect any EDR logs. Host CLI actions seldom hit the network, so don't expect any firewall, proxy, network appliance logs. DNS actions are simply name resolution requests. If DNS resolutions a

  Shells, shells and more shells!Do’s and don’t for creating Host CLI Actions The Mandiant Security Validation(MSV) platform is distinctly different from attack simulation technologies. Security validation includes vast integrations with defensive technologies and attack execution across the entire enterprise security environment. It is not limited to endpoint security controls. It uses real, active attack binaries to test the effectiveness of security controls.The platform is open and allows users to create custom actions needed in their environment.A little reviewMSV offers four shells for writing command line scripts. This article will speak to three of those

Your Red Team engagement found a vulnerability. Here’s how you can use Mandiant Security Validation to ensure it gets fixed.     The Mandiant Security Validation(MSV) platform is distinctly different from attack simulation technologies. Security validation includes vast integrations with defensive technologies and attack execution across the entire enterprise security environment. It is not limited to endpoint security controls. It uses real, active attack binaries to test the effectiveness of security controls. MSV has the ability to create scheduled jobs and monitors. This provides a way to repeatedly test a vulnerability unti

Directors Follow these steps to upgrade to a 4.14.0.0 Director on Rocky Linux 8 while preserving your data and settings. For an existing Director virtual appliance, on version 4.13 or earlier:  Optional: If using a static IP, go to Settings > Director Settings, click Network and note the following network information for the Director (required for Step 5): Director IP address Director gateway Director DNS server (if applicable) Upgrade your existing Director to version 4.14.0.0. After this step, you will have a 4.14.0.0 Director that is still running on CentOS 7. See

We just acquired Mandiant Security Validation. We are starting to deploy actors, but we want to be optimal when deploying them to get as much information out of MSV as quickly as possible to show leadership that the investment was a good one. Does anyone have any tips on how to do this?

Hello, I'm trying to deploy/make use of the AEDA (advanced environmental drift analysis) module. How do i use it effectively in my environment?

Mandiant Security Validation (MSV) is an automated and continuous approach to testing the efficacy of an organization's security controls against cyber threats. Security Validation is informed by timely threat intelligence and executes automated and continuous testing of security controls with the use of real attacks. Effective security requires more than just implementing controls. Understanding their real-world effectiveness is crucial for protecting your organization from cyber threats. Mandiant Security Validation tackles this challenge by providing a comprehensive solution to test and evaluate your security posture. Baseline Testing provides a starting point for measuring the effectiveness of your security controls. Baselines are essential for creating a repeatable process to generate large scale metrics used to measure trends and get a deeper understanding of your security pos

Many of the MSV Integrations especially in the SIEM category utilize field mappings to associate data to variables used by MSV to attribute log or alert events to Actions. Typical mappings include: source IP, destination IP, host name, user, source Port, destination port, file hash, detection time, and event description. The field mappings process is a cycle of acquiring a log sample, setting up initial mappings, running an action, and then verifying if an alert has been attributed to the action. If not, review suspicious events for the partial match and identify which fields need correcting. The process can be complicated; however, it can be streamlined utilizing these few steps: Assumption:  The integration is already configured, suspicious events enabled, the integration query is syntactically correct and the integration passes the Check Health test. Additionally the user knows how to trouble shoot event attrib

Many times a user may want to be able to find what job the details in a report are provided from. As you can see in my first screen shot here you just see the results. In order to have the job information listed you just need to edit your report.  So scroll up to the top and click edit report. Once the report is in edit mode you will select the data table and edit widget. This will allow you to modify the columns in your report. You will be adding a column which contains the JobID. So select the jobs then JobID.  

I think we all know that pilots have a rigorous set of checks to complete before they take off in their plane. They are mainly safety checks to ensure that the plane can take off and land safely. The Advanced Environmental Drift Analysis module (AEDA) in the Mandiant Security Validation platform can be used similarly to ensure that the security control ecosystem can perform its core functions of protecting data assets.   A Quick Primer for AEDA.   The Advanced Environmental Drift Analysis module is designed to schedule attack simulations at predefined intervals targeting specific security controls where an expected “known good” response has already been determined. This predetermined response is best determined using the Effectiveness Validation process when onboarding MSV. This process addresses security control telemetry visibility and e

Do we have documented exclusions for MacOS endpoint actors? I did not see anything in the documentation. I'm using "exclusions" as my search term. Thanks in advance for the guidance.

Hi,Hoping someone can help me.Do google provide any documents related to pen testing, assurance, certification achievement/assignment, to demonstrate their products follow a secure development lifecycle and are safe and secure for use? Similar to the Microsoft trust portal?Thanks, Ben.

So I lost my password  to <PII removed by staff>

In this post, I will show you how to use Mandiant Security Validation (MSV) and available exploits to validate whether your internet security controls can detect and/or prevent a Chrome browser exploit. As a Network Security Administrator or Red Teamer, your task is to validate whether your network security controls can detect and/or prevent a Remote Code Execution exploit targeting Google Chrome 78.0.3904.70 (CVE-2019-13720)The steps will be as follows: Find the exploit that will be used to test the security stack. Create network action, in this case it will be Web Action. Run the network actions between an internal actor (representing a victim PC) and a cloud actor (representing the adversary exploit kit server). Validate the efficacy of the internet security controls and address any gaps. 1-Find the exploit that will be used to test the security stack: A quick research, you came through the explo

Bdobrý den, prosím o reset hesla na e-mail (<PII removed by staff>) děkuji, napište mi prosím na e-mail <PII removed by staff> nebo <PII removed by staff>  děkuji Jan Pokorný

In this post, I will show you how to use VirusTotal and Mandiant Security Validation to validate that your internet security controls can detect and/or prevent command and control communication for a malware sample. As a security analyst, you have been tasked with validating whether your network security controls can detect and/or prevent Cobalt Strike Command and Control communication.. The steps will be as follows: Find the Cobalt Strike malware sample that triggered both crowdsourced IDS and YARA rules. Download the PCAP artifacts of the malware. Create network actions by importing the PCAP. Run the network actions between an internal actor (representing a victim PC) and a cloud actor (representing the adversary C2 server). Validate the efficacy of the internet security controls and address any gaps. Having access to VirusTotal you can search using the following filter: crowdsourced_ids:"Cobalt

VHR20240423 - April 23, 2024 The Mandiant Intelligence Validation Research Team (VRT) has published VHR20240423 - M-Trends 2024, a Security Content Pack focusing on M-Trends 2024. This content pack requires Director version 4.12.1.0-0 or higher. If you’ve enabled the Content Service, this content pack will automatically download and be applied to your Director (see The Mandiant Content Service 

The actors are simply a rebuild / reconnect.  PT is a rebuild / reconnect and reimport or the Protected Actor plus re-register of PA. Actors Windows Actors, macOS Actors, and installable Linux Actors can be upgraded to 4.14.0.0 through the standard upgrade procedures for Actors: upgrade the Director to 4.14.0.0, and then upgrade Actors through the Director web interface. See Update Security Validation Components for steps to upgrade your Actors. Appliance Actors on releases prior to 4.14.0.0 should be removed and replaced with equivalent 4.14.0.0 Actor Appliances. These replacement Actors can either be registered as a new Actor with the Director (and the pre-4.14.0.0 Actor removed from the Direct

VHR20240411 - April 11, 2024 The Mandiant Intelligence Validation Research Team (VRT) has published VHR20240411 - Content Expansion, a Security Content Pack focusing on CVE-2024-21893, CVE-2024-25153, Campaign 24-002, and Campaign 24-004. This content pack requires Director version 4.12.1.0-0 or higher. If you’ve enabled the Content Service, this content pack will automatically download and be applied to your Director. Otherwise, you can download the security content pack&nbsp