FireEye, Inc. (FEYE) Management on Q3 2021 Results - Earnings Call Transcript

September 9, 2021

FireEye, Inc.'s (FEYE) Q3 2021 Earnings Conference Call September 9, 2021 1:00 PM ET

Company Participants

Andrew Huang - IR
Charles Carmakal - SVP, CTO Mandiant
Nick Bennett - VP of Mandiant Strategic Services

Conference Call Participants

Andrew Huang

Good morning. Good afternoon and good evening. This is Andrew Huang from FireEye Investor Relations. I'm here with Charles Carmakal, Senior Vice President and CTO of Mandiant and Nick Bennett, Vice President of Mandiant Strategic Services.

During the course of this call, we may make forward-looking statements which are subject to the risks and uncertainties that are listed on our website and SEC filings. With that, I'll hand it over to Charles.

Charles Carmakal

Excellent. Thanks so much, Andrew. And if you could flip to the next slide, just before we get started, I want to provide the group with my background as well as Nick's background. So I'm Senior Vice President and CTO at Mandiant and have been here for almost 10 years. And I'm based out of Washington DC. I work with folks like Nick and a number of other consultants to help organizations respond to security incidents. We also try to help them mitigate the risk of security intrusions by taking what we've learned from all the breaches that we've investigated to help them become more resilient to attacks. And before I worked at Mandiant, I was at PwC for about a decade, helping organizations across the globe also manage security risks. Next slide.

Nick Bennett

And my name is Nick Bennett. There you go. I'm the Vice President of Consulting at Mandiant and I've been working…

Charles Carmakal

Nick, you just, when I mute,

Nick Bennett

Sorry. Thank you. My name is Nick Bennett and I'm the Vice President of Consulting at Mandiant and I've been working at Mandiant for almost 15 years now. And across that time, I've been involved in virtually every aspect of our consulting practices from offensive security to security architecture to strategic consulting, and a significant amount of experience in incident response. I spent years driving investigations for Mandiant and now I lead a global team of

So things like helping them navigate securely migrating assets to the cloud and expanding their cloud presence. And there's been such a high demand for these types of services that we've been accelerating hiring, and we're also hoping to leverage Mandiant Advantage to scale our expertise in the future. Next slide, back to you Charles.

Charles Carmakal

Excellent. All right. So from an agenda perspective, we want to spend the next about 30, 40 minutes or so talking about, first of all, what are some of the notable threats that we've observed over the past six months? For many of you that may have joined one of my updates about half a year ago, I would've provided you with an update as to what we saw for the prior six months. And so right now I want to talk about what we are seeing over the past six months since then. I want to talk about some of the considerations that we're talking to CEOs and boards about as they assess their cybersecurity maturity and the investments that they need to make in order for them to become more defendable against advanced attacks.

And then we want to talk about what are some of the security enhancement considerations that organizations are thinking about, both from a breach response perspective in terms of what are the things that they need to do after a security incident, but also what are the things that organizations should do to mitigate the risk and the impact of a security incident that may occur in the future. And we're going to be drawing from our experience actually helping organizations both respond to incidents as well as the work that we do to help them transform their security posture. Next slide, Andrew.

All right. So, the past six months we've seen an incredible amount of threats and it's really fascinating to see some of the things that are occurring. The first point that I wanted to cover is around ransomware and multifaceted extortion, and really what I mean by multifaceted extortion is it's a way that we describe the type of threat that we see nowadays. No longer are we dealing with just the disruption of business operations through the deployment of ransomware encryptors; what we find is financially motivated criminals are leveraging a lot of different techniques to convince victim organizations to pay fairly high extortion demands. And those extortion demands are sometimes in the seven figure range, or sometimes the eight figure range. And the reason why they're able to convince so many victim organizations to pay, it's not just because they're disrupting business operations; now they're also doing things like stealing data from organizations and threatening to publish that information that they've stolen.

And if you think about the risk calculus for these victims, and the way that they think about approaching an extortion situation, a lot of times victims don't need to pay a threat actor because they've got good enough backups in place, and they're able to recover through standard restoration processes. But the dynamic changes when there's a lot of materially sensitive data that could be exposed to the public, and the public could be competitors, it could be other criminal organizations and it could be nation state sponsored threat actors, and so the dynamic is quite different nowadays.

We also see the extortion angle through the threat actors actively reaching out to journalists and looking to amplify the incident at an organization and apply pressure to those victim organizations. We see threat actors reaching out to business partners and customers and victims. And so, again, there's a lot of different ways in which threat actors are now trying to convince victim organizations to pay substantial extortion demands, and unfortunately, unless something dramatically changes, and those changes are going to require support from businesses, from the security community, as well as from the government, I think we're going to continue to see a lot of ransomware and a lot of multifaceted extortion continue. And this is really the number one way in which financially motivated criminals monetize their intrusions.

The second point that I wanted to cover is an ongoing and a new wave of intrusion activity by the Russian Government. So, many of you are going to be familiar with the wave of intrusion activity from December 2020 that's sometimes referred to as the SolarWinds attack. The threat actor that was behind that attack has been continuing to conduct intrusions, but we're starting to see another wave of significant activity against a variety of organizations in the United States and Europe, in the Middle East and other parts of the world.

And we're actively investigating a number of these intrusions, and what's really interesting and fascinating about this most recent wave of activity is that the way in which the attackers are getting access to organizations is somewhat similar to what happened last year in terms of third party compromises, but nowadays we're actually seeing them compromise third party organizations, fourth party organizations, fifth party organizations. And so the chain or the attack path in which they ultimately get to their intended targets is much, much more expanded than what we've seen in the past.

And so, we may see the attacker break into one smaller organization to get access to a different organization, to get access to a different organization, which ultimately gets them access to their intended target. And so being able to investigate the multiple hops that the attackers are taking has proven to be pretty difficult, and there's a number of organizations that are actively digging into the intrusion activity right now.

We continue to see intrusions by China-based threat actors. There's a variety of groups that operate out of China, either as a contracted entity that might do work on behalf of China's MSS, or perhaps we actually are also seeing government employees that are conducting intrusion activities. There's been a number of very notable intrusions. Earlier this year, we saw intrusions impacting US government entities as well as defense contractors by the exploitation of vulnerabilities in VPN software, and actually some of the vulnerabilities were previously known, but there's also new vulnerabilities that the attackers have been able to identify and exploit to be able to get access to organizations.

One thing that I've noticed that's very different about these Chinese intrusions nowadays, as compared to maybe five years ago, is five years ago they were pretty loud, they were pretty noisy. As you investigated intrusions into organizations, there was a lot of evidence of compromise. Nowadays, many of these Chinese operators, they do care about attribution. They don't want to get caught, and if they do get caught, they don't want it to be known that they are the ones that conducted the intrusions. And so they're spending a lot of time and money and effort to try to reduce their footprint and to try to make attribution much more difficult, by using commonly available, publicly available tools or cracked versions of commercially available penetration testing tools to help facilitate their intrusions.

Over the past six months, we've also seen a rise of insider threats and increased demand from our clients to help them manage and monitor and address the insider threat problem. Part of the issue comes from certain governments attempting to collect intelligence from individuals that work in organizations across the globe. For example, China's got what's known as a Thousand Talents Program, where they very openly are trying to learn from industry leaders and notable researchers and professionals from across the globe, typically Chinese nationals that are paid by the Chinese government in addition to their employment and their salaries from US government or US commercial organizations or other organizations in the world. But beyond the state sponsored actions associated with insider threats, we also see employees of organizations that are looking to make some side income, and we are seeing them look for ways in which they can extort the organizations that they work for, perhaps steal data and then collaborate with other threat actors on the internet.

And there have certainly been some notable allegations of major intrusions that have involved insiders. Some were real, many of them weren't real, but we are noticing an increase in the real threat around insiders, but also organizations that are trying to find more effective ways to monitor and manage insider threats.

And then the final point that we saw over the past six months is we are seeing a spike in activity around the exploitation of what's known as zero day vulnerabilities. And essentially this is just a vulnerability where the knowledge of the vulnerability and the knowledge and the tools to exploit the vulnerability are publicly available, or perhaps available in small circles, but there is no patch available by the vendor. And so, earlier this year, we saw vulnerabilities in Microsoft Exchange and Pulse Secure and Accellion FTA and a variety of other commonly used technology platforms where criminals, as well as state sponsored actors, learned about these vulnerabilities and did mass exploitation, sometimes compromising maybe dozens of entities or hundreds of entities, and in the Microsoft Exchange example from March of this year, we saw over 100,000 entities that were actually impacted. So we do think that this is going to be a continued trend over the next several years. So pretty fascinating activity.

All right, slide, please. So I want to talk about a few notable cyber-security events, and the first event that I wanted to cover is an attack against a large number of organizations that leveraged a very common, popular remote monitoring and management solution. So a Florida-based technology company made this RMM solution that was used by a lot of managed services providers, as well as other organizations, to help monitor and manage the software that was running on their computers across the enterprise. And based on some initial estimates, it's believed that over a thousand organizations were impacted roughly around July 2 of this year, in which a financially motivated criminal group that goes by the name of REvil had identified security vulnerabilities or zero day vulnerabilities in this particular RMM solution. And they were able to exploit it across the internet, and essentially what they did was they pushed out malicious software to all the endpoints that they were able to get access to through the administrative console for this RMM solution.

And then disrupted those businesses, and again, it's estimated that north of a thousand organizations were impacted on the July 4 weekend. The threat actor REvil had asked for a few different amounts of money to provide a universal decryptor to anybody that was actually directly impacted by this security incident, and they initially asked for a very large, laughable amount of money, but they publicly asked for $70 million for a universal decryptor. That is notable because that is the highest known extortion demand that we've seen, at least publicly, for an organization or series of organizations that dealt with security incidents.

What was also interesting about this is I don't think the threat actor anticipated that they would ever get $70 million because very shortly after asking for $70 million in private communications, they asked for $50 million. So right off the bat, they discounted the extortion demand by $20 million.

What's also really notable is, given the surge in disruptive attacks perceived to have been generated by criminals in Eastern Europe, particularly in Russia, we saw a fairly unprecedented event where President Biden called President Putin and basically demanded action against ransomware operators. And what was very surprising is that very shortly after that call, the group essentially disappeared from the internet. Organizations that were actively talking to the REvil group lost all communications; the infrastructure that was set up on the internet, including their victim shaming sites and communication sites, and just infrastructure that we knew about, essentially disappeared from the internet, and disappeared from the internet for almost two months or so.

Now surprisingly, the infrastructure resurfaced a few days ago, and we're still trying to assess whether or not the REvil intrusions are going to resume, but it's pretty notable to see that the presidents of two countries have talked about this problem and there were some immediate actions that were observed.

The other thing that was really interesting about this event, and this is very notable because it hasn't happened like this in the past, is that a decryptor for all of the incidents associated with REvil on July 2nd was made available. The organization that made the RMM product started distributing that software, the decryptors, to impacted organizations. Now the vendor said and confirmed that they didn't pay the extortion demand. But just the fact that they were able to get access to a decryptor and provide it to all impacted organizations is very notable and very game changing from a security perspective. Andrew, next slide, please.

The next notable event that I want to talk about is the event against a critical infrastructure organization several months ago. I think this was really a watershed event that a lot of people think about as really changing the way we all think about cyber security from a day to day, everyday person perspective. And essentially what happened is a threat actor that goes by the name of DarkSide compromised the network of a US based critical infrastructure provider, and as a result of that, the critical infrastructure provider, as a preventative measure, shut down the infrastructure. And they did this because of safety reasons, from a human safety perspective as well as from an environmental safety perspective.

In the early days, the organization didn't quite understand what the potential impact of this was. And the CEO of the organization testified before Congress that they paid a few million dollars in Bitcoin digital currency to the threat actor to receive a decryptor for the systems that were encrypted. What's pretty notable about this is that the threat actor group, or the network of operators behind the incident, DarkSide, closed up shop, and they said that they did this because there's too much pressure from the US government. And very clearly this was a watershed event that got a lot of attention from a lot of different people across the globe, but certainly a lot of attention from the United States government, and a very notable action and result, which is a very positive outcome, is that the Department of Justice recovered just over $2 million in Bitcoin digital currency that was actually paid to the threat actor.

So what I think this shows is that the US government, when interested and when they have the desire to do something, can take a lot of offensive actions against criminal operators and disrupt criminal operations to some extent. And so I think, again, this was a very positive move by the United States government, something that we're all really proud of and hopeful that we see more actions like this in the future. Next slide please.

So I also want to spend a few minutes talking about the conversations that we're having with CEOs as well as boards, and probably on a weekly basis CEOs or CFOs or board members reach out to us and ask for a lot of advice. Because again, we have a lot of first hand, real world knowledge around security incidents, and a lot of times when you see a major security event, the organizations that are in a similar sector to whatever company was actually impacted by that major event will reach out and say, hey, how do we mitigate the risk of something like this happening to us?

And so there's a lot of conversations that we have. And one of the common questions that we're asked by CEOs and board members is how do they assess their susceptibility to intrusions like what happened at company X, Y, or Z? They want to understand how do they assess whether they are making the right investments in cyber security? Because of course they see that they're spending millions of dollars on cyber security, but they don't quite know, are they spending the right amount? How does that compare to their peers? Should they be spending more? And I'm sure from their perspective, ideally, can they get smarter about their spend and can they actually spend less, but get more?

They also want to understand, especially from a board perspective, do they have the right team in place to help defend their environment and are there adequate cyber security controls in place? And there's actually a lot of different ways in which we help our clients really understand the answer to these questions. Part of it could be through us assessing the maturity of their security program and their effectiveness by really mapping out what they are doing from a security perspective and how that really maps against what is considered to be industry leading practices. But one of the most effective ways, I think, to test the susceptibility to intrusions is by hiring the good guys to actually attempt to break into the network and to test the defenses.

And so by conducting what's known as Red Team exercises, so hiring the good guys to attempt to hack into the organization to find misconfigurations, to find vulnerabilities, to find avenues or paths into the organization and to find ways to get access to sensitive data. That's a very effective way to understand whether all the investments that are being made in cybersecurity are the right ones, and if so, great, but usually what happens is we find that, for the most part, there are things that aren't working or things that could be done better. And so by conducting these red team exercises, it enables organizations to get much better at really figuring out specifically what needs to be done to better stop attackers, to better detect attackers and to better respond to attackers, depending on what the security testers are able to do.

And as companies mature their red teaming processes, we see them moving over to purple teaming, which is where they engage companies to help not only do the ethical hacking, but also help them look at what are the controls that were in place, what are the detections that were in place, what was missed and how do you get that better? And one of the things that we're trying to do at Mandiant is help scale that out and help automate that so that we could help organizations do this in a very repeatable way through the Mandiant Advantage platform, through our Mandiant Security Validation capability, so that people can do this on an ongoing basis and just get better and better at defending themselves against real world attacks that we're seeing as we respond to security incidents. Next slide, Andrew.

Another question that we get asked from CEOs and board members all the time is this: how do we prepare for ransomware and multifaceted extortion? And the first question and the first response that I gave certainly helps from a technical perspective, but there's a lot of other questions that I think organizations are asking, or are asking us for help as to what they need to ask their management, and some of the questions that we ask and that we're coaching boards to ask is how long would it take to recover business critical systems and applications if they're destroyed? And it's really fascinating to see what kind of responses management gives. Sometimes the response is, I have no idea. Sometimes the response is, yeah, it might take a few hours. Sometimes the response is, it may take a few weeks or a few months.

And what I challenge organizations to do, it might take a few hours or maybe a few days, is to actually go through a test of figuring out what would happen if you actually lost the server. And how quickly would you be able to recover it? Because I think a lot of times people have assumptions that may not actually hold true, and one thing to keep in mind is a lot of times when threat actors break into organizations to deploy ransomware encryptors, they're hitting every single server that's out there, including the DR systems if they're available to the attackers for them to be able to touch, and so some of those assumptions may not actually hold true in the event of a real world situation.

It's also really important for organizations to understand who is the ultimate decision maker in paying an extortion demand. Some organizations want to make the decision by committee. Some of them want to assign and appoint a single individual within the organization, perhaps the CEO, to make that decision. It's also important to understand to what extent should the board be involved in the decisioning process, or should they just be informed about the decision that was made by management? Maybe there's certain dollar thresholds at which the board wants to get involved. So it's really good to figure out the answers to those questions, because again, most organizations are going to deal with some kind of extortion over the next 12 to 24 months.

And then it's also really important to understand if the organization has a company that specializes in and could help deal with ransom negotiations and communications with threat actors. That's not a capability that Mandiant provides, but there's other companies that have dedicated resources and capability to help negotiate ransoms on behalf of victim organizations. So again, these are just some high level questions that we're asked, and I thought it was just important to share it with the community so you understood what's on the mind of some of the CEOs and board members out there that we're talking to. Next slide, Andrew. And I'm going to hand it over to my colleague, Nick, to cover some of the ways to defend against today's threats.

Nick Bennett

Great. Thank you, Charles. Yeah. And as Charles said, I'm going to dive a little bit deeper into the victim's or the defender's perspective on some of the threats that Charles already talked through. So I've been investigating serious intrusions for 15 years now. And over the course of that time, and it's still true today, the number one thing that attackers are taking advantage of to turn any old breach into an impactful breach is abusing on-premise identity providers, namely Active Directory.

Virtually every single significant ransomware case that you've read about in the news, with maybe a few exceptions, attackers took advantage of weaknesses in the victims' Active Directory environments and platforms to escalate their privileges and obtain the access that they needed to deploy ransomware encryptors at scale. And this really underscores the need for organizations to truly understand their Active Directory architecture and security model and proactively do some security assessments of their Active Directory, and not just some of the validation exercises that Charles was touching on earlier, like red teams and penetration tests, but really holistic, deep dive reviews of the architecture, configurations, operational processes of the Active Directory environment to build up a roadmap and then implement and operate a robust secure program based on the findings of some of those assessments. And those validation measures still play a key part of the process, and I'm going to touch on that a little bit later.

What has changed pretty dramatically in the last 15 years is the rise of public cloud resources. So today, most organizations are operating in hybrid environments where they have interconnected on-premise infrastructure and cloud components. And although there was a promise that because some of these technologies came with security baked in from the start, that would allow organizations to move seamlessly to much more robust security programs and to zero trust architecture, the reality is most organizations are very far off from implementing zero trust architecture. In fact, in a lot of cases, I think cloud has complicated that process of securing their environments. And that's true for a few different reasons.

One of those is that security and IT teams have needed to learn different technologies that come with different terminologies and concepts and architectures, et cetera. And then these new platforms have been deeply integrated into organizations' existing on-premise environments, and even integrated with other third party cloud environments, in ways that, quite frankly, I don't think a lot of security teams and IT teams really understand and appreciate, all of those interconnections.

So this has led to groups like UNC2452, the Russian SVR that Charles talked about earlier, being able to really easily pivot back and forth between on-prem and cloud environments or between different cloud environments, and having privilege escalation in one environment lead to privilege escalation in another. And it's just created a way for creative attackers to escalate their privileges, hide from the defenders and maintain their access to compromised environments over time.

And just like the on-premise Active Directory technology that we were talking about, a significant part of these attacks is abusing the identity of the cloud platforms. So again, it underscores the need for organizations to truly understand their cloud architecture and security models, especially when it comes to the integration with their on-premise infrastructure or with third parties. And then to proactively do those security assessments, again, not just the validation exercises, but holistic, deep dive assessments that result in roadmaps and plans to harden the environment, and then utilize those to practically build towards things like a zero trust architecture model in the future.

And finally, what we have seen with some of the biggest impacts to organizations from breaches, especially in the case of a ransomware attack, is where the cyber threats are intersecting with the physical world. And I think Charles talked about a specific case study there as well. In other words, where information technology, or IT, is connecting with operational technology, or OT. So things like the computing infrastructure for manufacturing or healthcare or energy or other critical infrastructure, and historically segregating those IT and OT environments has absolutely been a priority for organizations. But what we found is once there's a ransomware event in an IT environment, even if the org had taken steps to separate those environments, it ends up impacting the OT environment. And that's usually for at least one of a couple of reasons.

One is just confidence. So you may think that there's segmentation, but how much are you going to be willing to bet on that when you're in a situation where your entire IT environment has just fallen to ransomware? And that uncertainty and lack of confidence has caused some victims to just proactively shut down their OT environment as a precaution, because quite frankly, the impact of a ransomware event in an environment like that will often be much greater and much more impactful than proactively shutting something down and bringing it back up later.

And then the second piece is just practically, even when there is segmentation, sometimes IT assets are just still needed to properly operate their OT environments. So this idea of segmenting IT and OT is absolutely nothing new, but the prevalence of ransomware attacks has made what used to be, for some organizations, more of a theoretical risk very, very real. So what in some cases was more of a check the box control for organizations in the past with their IT and OT environments, keeping them separated, organizations really need to double down on this.

There needs to be human driven, proactive testing to build confidence in the controls that separate those environments. And there also needs to be proactive practicing of operating those environments in the event of an IT environment shutdown from a destructive attack like ransomware. And the things I talked about so far kind of fall into the bucket of security architecture, so controls that will prevent attackers from gaining the access that they need. Cyber defense, conversely, is focused on detecting and investigating and responding to attacker activity.

Again, this is an area where we've seen organizations repeatedly fail, and in similar ways. And it's not an issue where organizations are lacking detection tool sets or detection products. In almost every single successful breach that we investigate, some security tool had detected something about what the attacker did somewhere along the kill chain of attacker activity. It's more of a problem of triaging, identifying those things that are important and finding that needle in the haystack. And it's a problem that really can feel intractable at times, just based on how complicated environments are, the skills that analysts need to perform this analysis and the knowledge that they may need to do so. And I actually do think it's somewhat impossible for most organizations to run an effective cyber defense program on their own and completely by themselves. And that has historically led to a lot of organizations outsourcing significant portions of their security program to MSSPs who have just failed to deliver on the promises, or organizations failing to hire and retain the right talent.

And when they do insource things, they are just so overwhelmed by the amount of information and the things that they need to do to run their security program that they fail to be effective. So I do think it's possible for organizations to overcome those challenges. And one of the concepts I like to use is this concept of accelerators. What I mean by accelerators are solutions that organizations can use to make themselves more effective and efficient in different areas, to tackle those challenges that they run into with cyber defense. So outsourcing is a great example of this, but to use outsourcing effectively, organizations that have done it well are thinking strategically. So first of all, determining what are those things that outsiders are going to be more effective at doing than your staff, and those things might include knowledge of the threat landscape, what attackers are doing, attacker intelligence, et cetera.

It also might include specialized skill sets. So things like malware analysis or intelligence gathering, where building human resources with those skill sets is very expensive, and when you do that, it's very hard to keep those resources happy and well-practiced in most organizations. But, conversely, it also doesn't make sense to outsource your entire detection and hunting capabilities, et cetera, because your in-house team and your employees will have an advantage in certain areas.

They should have a better knowledge of your environment to identify anomalies. They should be much better positioned to take lessons learned and apply them to your environment. And there are a few other areas where your in-house team is going to have a distinct advantage. So in order to help organizations, we've specifically designed some of our solutions at Mandiant to make it so organizations can more seamlessly outsource functions strategically to us, and do so for the things that we're best at. So things like our Managed Defense offering, where we use our knowledge of attackers to find real threats in environments, or Mandiant Advantage, where we're providing intelligence, or Expertise On Demand, where we allow customers to consume microservices for things like malware analysis and forensics and intel gathering, so that our customers can have those functions as part of their program without the challenge of training and retaining talent.

Another great example of an accelerator is automation. So human capital is incredibly expensive. And the more that you make humans responsible for those mundane, repeatable tasks, the harder it is to keep those people happy and to retain them. So finding ways to automate those tasks is just critical to making the cyber defense program efficient and effective. Again, you know, we've designed some of our solutions specifically to help organizations tackle that.

So some of the components of Mandiant Advantage, like Automated Defense, which automates analysis for detection tool sets, and Security Validation, which automates validation, those are things that we've specifically designed and invested in to allow our customers to leverage them for that purpose. And finally, the last accelerator I'll touch on is intelligence. Again, this just helps organizations solve the problem of having limited resources, especially when it comes to human capital. Organizations that use threat intelligence well are leveraging it to prioritize initiatives, to focus on the things that matter and to just make more efficient use of their resources. You can go to the next slide.

There you go. And although I just emphasized some specific areas where I think it's important to go beyond validation exercises and do really deep-dive technical assessments and road mapping for critical technologies like Active Directory and cloud environments, validation is still a very important part of the security program, and two areas where it's absolutely critical are, number one, allowing organizations to measure the effectiveness of changes to their security program over time and therefore to demonstrate return on investment, and number two, ensuring resiliency of the security program over time.

Even if an organization did everything I mentioned earlier and more, and built a truly robust security program, it's unavoidable that security programs are going to lapse over time: controls are weakened, operational processes may lapse, new vulnerabilities are discovered, et cetera. So a robust validation program helps organizations identify those deviations over time, so that organizations can continually course correct.

And those validation efforts should be focused on both the ability to detect and respond to attacker activity as well as on preventative controls. When it comes to validation, organizations can have such a large landscape of technologies to protect as part of their security program, and really just a sea of endless potential tasks that they could focus their validation efforts on. So, similar to the challenges in cyber defense, organizations that do this effectively are leveraging intelligence and knowledge of the threat landscape to maximize the effectiveness of the resources that they have.

So that intelligence-led approach may impact what to target in human-driven validation exercises, what attacker techniques are most relevant to simulate in environments, what security tooling and controls to focus on, et cetera. And finally, there's always going to be a place for the human-driven validation exercises, like penetration testing, red teaming and purple teaming, where human beings are trying to break into things and trying to break controls.

So there's really not a viable replacement for that ingenuity and expertise when you have subject matter experts doing those sorts of tasks, but that human capital is extremely expensive. So in order to have a robust validation program, that human capital has to be augmented with automation and tooling to operationalize that validation at scale. That's exactly why we focused on the Mandiant Security Validation solution in Mandiant Advantage, to provide a mechanism for our customers to scale that validation in their environment and do it in a way that automatically integrates our attacker intelligence. You can go to the next slide.

So assuming an organization has done everything that I've said, and more, to this point, you know, built a robust security program, ensured resiliency over time with a robust validation program, you still need to prepare for the event that you are compromised. This has been a part of the ethos of Mandiant since I started here 15 years ago: that breaches are inevitable. We think that impactful breaches are preventable, that they can be mitigated, but breaches are inevitable for most organizations. So that means preparing for the event that you are compromised, and that preparation needs to go above and beyond developing plans and documenting them, to actually practicing them.

Now, Charles touched on some of the strategic questions and communication issues that organizations should be preparing for, but there are also very tactical pieces that are critically important. And I think a great example is the rising prevalence of attackers leveraging ransomware, and Charles touched on this a little bit earlier. So the need for planning and testing for environment recovery and resiliency because of this rise of ransomware is probably the highest it's ever been for most organizations. And if you look at victims of ransomware, specifically if you just look at the subset of those victims where the attacker was most successful in deploying the ransomware encryptors across the entire environment, bringing it down, within that subset:

The number one thing that differentiated the business impact between those victims was their ability to recover systems from backup. So that means organizations need to be prepared to recover systems at scale from backup. And it's not just rebuilding those individual servers and workstations, but it's things like completely rebuilding and reconstituting an Active Directory environment or getting business applications back operational. And the organizations that have been most effective have been the ones that have thought through those challenges proactively before they were breached, have developed and documented plans, but also the ones that practice those plans. You don't want to be doing some of these tasks, which can be very technically challenging, for the first time when millions of dollars in operational damages are on the line and your entire workforce has ground to a halt.

You can go to the next slide. And I think we're going to do Q&A in a minute here, but before we do that, I just wanted to summarize some of the key takeaways from today. So first of all, Charles walked through some of the latest attacks we have been seeing in the wild, and it really just underscores how attackers have continued to adapt and be very aggressive about achieving their goals. There's been a common theme of attackers abusing Active Directory, and now cloud identity providers, to accomplish their goals.

And therefore there's a significant need for organizations to prioritize assessing, hardening and strategizing about those technologies, and utilizing that as the stepping stone to position themselves for the promise of things like zero trust architecture in the future. On the cyber defense side, some of the problems organizations face can just feel intractable, but an effective program really is achievable, and we've had organizations achieve it by leveraging accelerators like strategic outsourcing, automation and threat intelligence.

And we've positioned a number of our solutions to help organizations leverage those easily. Next, to ensure the resiliency of security programs over time, a robust validation program is needed, with not just human-driven exercises but automation and tooling as part of that, to allow validation at scale. And finally, even if you do everything right, you still need to assume that your organization is going to be compromised and plan for that. And importantly, also proactively practice the things that you'll need to do during a breach response.

So Andrew, you can go to the next slide and I'll pass it back to you.

Question-and-Answer Session

Q - Andrew Huang

Great. So right now we have two questions. The first is for Charles. Based on everything you've said, it seems like ransomware is not going away anytime soon. So when a company has been breached and is asked for a ransom, can you talk about some of the considerations that companies weigh in the decision to pay or not pay? And do you recommend that companies pay or don't pay?

Charles Carmakal

Yeah, look, it's a great question. And we always recommend that our clients have a robust conversation around the pros and cons of paying or not paying, and unfortunately, it's almost never a clear answer to pay or not to pay. And I'll tell you, a lot of times before an event, people make the assumption that they wouldn't pay, because look, we all grew up learning that you'd never pay criminals, because it's going to encourage more bad behavior, and you'd never give in to terrorist demands. But when you're actually dealing with a real-world situation, you really have to think about should you pay or should you not pay? And some of the questions and the criteria that we tend to go through are: how quickly can you actually recover your data and your systems and get back online through your own backup and restoration processes, and how resilient is your network and environment to be able to get back online on your own?

And is that timing acceptable to the business, or do you need to find ways to accelerate the ability to recover? You also want to understand: did the threat actor actually steal data from the organization, and are you compelled to pay a threat actor to minimize the likelihood of them publishing that stolen data on the internet? And there could be a variety of reasons why you don't want that data to be published on the internet. Perhaps the attacker stole, you know, protected health information, and so the organization feels it's their obligation to do everything that they possibly can to minimize the likelihood of that information showing up on the internet. You also want to understand who you are paying. Is the actor sanctioned by the United States Department of the Treasury? If they are, then it's illegal to pay.

Now, there are certainly some protocols that you could follow to manage the risks associated with that, and to get clearance to do it if you need to, but you kind of need to think about that. You want to understand what is the actual impact of not paying. And so, when you think about hospitals that are taken offline, or cities where emergency services are taken offline, you literally have lives on the line that could potentially be impacted, and so there are a lot of different criteria that you go through.

Look, I'll tell you, many of our clients that pay do so not because they have bad backups. In fact, a lot of our clients that pay have really good backups, but the problem is a lot of times they're looking to accelerate their ability to recover their systems.

And so they want to be able to do things in parallel. So they want to be able to restore through their backup restoration processes, but they also want to be able to leverage a decryptor to help recover much quicker. Or perhaps they're paying because they don't want the data to be published on the internet, or perhaps they're paying just because they feel that they're going to have some peace of mind. So again, lots of discussions to go through. It's usually a very robust conversation, and nobody ever walks out of the discussion feeling like this is a very clear, yes, we should pay situation. They do that because they feel like that's unfortunately the only option available. And sometimes we find that there are very clear no, don't pay outcomes, just because of the variables that we're all dealing with.

Andrew Huang

Thank you, Charles. And then one for Nick. Validation seems like a great idea. What is the most common pushback you're getting from customers who decide to pass? And the follow-up is, aren't company boards interested in the concept of validation?

Nick Bennett

Yeah, so I think when it comes to company boards, there has certainly been an education process about the concept of validation and why it's important. I think historically boards have maybe not clearly delineated their understanding of the different types of security assessments and the ways that organizations understand weaknesses and potential issues in their environment. And I think we've gone through a process, when we talk to boards and executives about this, of educating them in terms of where some of the assessments I talked about, the deep-dive ones that build roadmaps around security architecture, deliver value versus some of the more traditional validation exercises: where those begin, where they end, what they should be using one form for and what they should be using the other for.

So there's definitely been an education process, I think, over the last few years to help boards understand that. But it's one that I think is starting to pay dividends, and we're starting to get a lot more traction in terms of people's understanding of the different challenges that they face and the different tools that they have at their disposal to measure the effectiveness of their program and find weaknesses in their program, and how validation fits into that.

Charles Carmakal

Yeah. And from my perspective, I certainly agree there's some education and awareness that needs to happen. And by the way, I think a lot of times when we educate organizations, they get pretty excited by the concept, because it's a newer way of thinking about some of the common cybersecurity trends and threats. But one of the other things that I see some organizations pushing on, when they do push back, and it may be somewhat surprising to hear, is that I have some clients that say, hey, we know we have a lot of problems and we know we have to fix a lot of different things. And so some organizations want to try to fix some of the things that they know have to be fixed right now, and they want to build a validation program later on.

So while they're interested in it, sometimes they feel that they need to defer it to maybe a few quarters from now, or maybe a year or two years from now, because they know there are other things that they need to immediately address. And there are obviously limitations in terms of time, resourcing and funding to be able to address some of the known issues that they have.

Nick Bennett

And maybe to add a little bit to that response, I think one of the things that we've also been educating people on, and I mentioned it during the presentation, is that validation is not just about ensuring that resiliency, but it can also be an incredible tool for showing return on investment and showing that change in the security program over time. So even organizations that are at the beginning of a large roadmap, by implementing a validation program at the beginning of that, are able to really demonstrate to stakeholders the sort of changes they're making and the sort of impact that it's having.

Andrew Huang

Great. I think that's all the questions we have. So thank you, Charles, and thank you, Nick, for your presentation. Our next threat briefing will be in November. In October, we have our analyst event in CDS. So thank you all for your time.

Nick Bennett

Excellent. Thanks so much.