Mandia: Keep Shields Up to Survive the Current Escalation of Cyberattacks

Published: 23/11/2024   Category: security




As Mandiant CEO Kevin Mandia's company prepares to become part of Google, the incident response company continues to investigate many of the most critical cyber incidents.



RSA CONFERENCE 2022 – San Francisco – Back in the early 2000s, when Mandiant was a small consulting firm in Northern Virginia, Kevin Mandia typically worked on just one incident response (IR) case at a time. Today, Mandia's team at the now IR giant Mandiant – which Google is in the process of acquiring – works on more than a half-dozen cases concurrently.
The volume of attacks is growing, especially so over the past year, according to Mandia. In recent IR cases Mandiant has been investigating, zero-day attacks and pilfered credentials have become the weapon of choice to infiltrate an organization, overtaking phishing.
"A lot of customers are saying, 'How long do we have to have our Shields Up?'" he said, in reference to the Cybersecurity and Infrastructure Security Agency (CISA)'s current slogan for warning organizations to operate at heightened alert amid increasing cyber threat activity. "I think you have to keep [them] up. That's a lesson we're learning this year," Mandia said in an interview with Dark Reading this week.
"The impact of a breach is so much graver now," he said. Not only are ransomware and extortion getting more brazen and chaos-causing with public data leaks and digital blackmail, but cybercriminals are basically catching up with nation-states when it comes to exploiting expensive zero-day vulnerabilities in software, he said.
"In the early days, zero days were the purview of governments. In 2017, you started to see criminal elements arming a zero day," he said. Today, it's close to a 60-40 split, with nation-states still leading in zero-day attacks but with criminals not far behind. "That came sooner than I thought," Mandia added. "It just tells you how much money you can make hacking."
But if there's a bit of good news, it's that organizations calling on Mandiant for help with an incident are spotting their intrusions sooner: "We're getting hired earlier in the breach process, and there's less [attacker] dwell time," he said.
Specifically, Mandiant saw the amount of time attackers remained unnoticed on a victim's network drop to 21 days in 2021, down from 24 days in 2020. That trend has been steady for the past four years in Mandiant's IR cases.
There's also a sense of urgency now among cybercriminals to ensure they snag the valuable data or demand their ransom for stolen data, Mandia said. "I was told today that the time frame, dwell time, used to be that they had access for about seven days, and that's coming down to four to five days now." That speed means it's getting harder to monetize, and cybercriminals have to work faster and more publicly to make their money, he explained.
And the stakes are higher than ever for CISOs trying to deter and deflect a big breach. "This is the hardest year to be a CISO," he said. "Now you're [also] protecting your people threatened online, your employees, your customers. It's so much, and it's an unfair fight with [mostly] no risk of repercussions for the bad guys."
The threat includes the recent wave of phony or impossible-to-prove public data leak claims by threat actors and other fraudsters attempting to shake down or defame a victim organization. 
"It's impossible to prove a negative," Mandia said of these phony breach declarations that emerge. And organizations are forced to investigate an intrusion that may not even have occurred.
"It's becoming more frequent," he said of this latest form of pressure by cybercriminals. "There's nothing harder to respond to: something that's public, the hacker is vocal and making claims. And a company can't dispute them [at first] because they have to figure out the answers first. Those are terrible situations."
That hit close to home for Mandia because, while Dark Reading was interviewing him on Monday, Mandiant itself became the subject of a fake breach assertion by the LockBit ransomware gang, which posted on Twitter that it had hacked the IR company. The claim appears to have been retribution for a recent ransomware report by Mandiant. 
"Based on the data released, there are no indications that Mandiant data has been disclosed," Mandiant said in a tweet today about the claims. "Rather the actor appears to be trying to disprove our June 2, 2022 research on UNC2165 and LockBit. We stand behind the findings of this research."
Meanwhile, Mandiant is preparing for the completion of its merger with Google. Google announced its intent to acquire Mandiant in March for a whopping $5.4 billion, and Mandia at the time touted the merger as a way to build out Mandiant's planned strategy of automating specific elements of the IR process. Google's investment should accelerate that strategy.
"You have to automate as much as you can," Mandia told Dark Reading this week. Tasks such as detection, collecting artifacts, and log file analysis could be automated, he noted. But there still are parts of IR that remain human tasks, such as attribution and deep-dive forensic analysis.
"If there's ever a deepfake or false-flag operation, it will be a human that will [spot it]," Mandia said.
