
Better Together: SnapAttack & Mandiant Powering the Continuous Purple Team

Are we protected? It is the most pressing item on a CISO’s mind, the “what’s keeping them up at night” question. Whenever a new zero-day is released, a breach is announced, or a critical piece of malware is discovered, it is the same question: “Are we protected?”

Let’s imagine a world where a security team was able to quickly find actionable data about an adversary.

  • Relevant information would include a description of the actor, aliases, location, motivation, observed activity, and targeted industries and regions for quick understanding.
  • It would include indicators of compromise (IOCs) for blocking.
  • It would include tactics, techniques, and procedures (TTPs) associated with a particular attack including associated malware and exploited vulnerabilities for risk assessment and coverage analyses.
  • It would include emulated and captured attack data for better visualization and understanding of TTPs.
  • It would include behavioral analytics for hunting and a packaged attack simulation for controls validation.

All of this is needed to identify, detect, and validate to answer the question, “Are we protected?”

Organizations struggle to curate and operationalize this data because it crosses team responsibilities and tool capabilities. It requires cyber threat intelligence (CTI) analysts to research and report on adversaries; red teams and pen testers to identify weak points in the organization using real-world attack paths; and blue teams and incident responders ready to improve defenses and detections and to support response activities. All of these processes must be performed in concert so the data can be correlated, reported, and acted upon. Integrating offensive and defensive capabilities can be an overwhelming activity, or at least one reserved for the elite few who have mature, well-funded, sophisticated security operations.


Relentless Focus on Proactive Security

With SnapAttack and Mandiant, continuous purple teaming is not an exercise in imagination, but a reality. Continuous purple teaming is the convergence of threat-informed defense and collective defense, where both red data (attacks) and blue data (detection analytics), and the people generating that data, coexist and inform one another. Mandiant Advantage Threat Intelligence provides context that can be immediately actioned by red teams and blue teams alike. Red teams capture and memorialize attacks as data using SnapAttack’s emulated threat library and Mandiant Security Validation to simulate attack behaviors; blue teams can then define no-code, high-confidence behavioral detections based directly on the emulation data. Both teams’ efforts can be immediately validated against each other to determine an organization’s coverage.

The combination of Mandiant Advantage Threat Intelligence, Mandiant Security Validation, and SnapAttack streamlines the process of validating security controls and remediating detection gaps, achieving proactive, threat-informed defense. Joint customers can immediately act on curated intelligence and deploy SnapAttack’s vendor-agnostic, validated analytics for proactive hunting and detection. By integrating Mandiant Security Validation actions in SnapAttack, users can track their threat coverage or create high-confidence, high-quality threat detection and hunt packages in response to gaps exposed by continuous Security Validation. These efforts no longer require multiple teams, but a single multi-disciplinary team to enable proactive, threat-informed security.

Together we can help customers enhance their readiness and enable them to answer the question “Are we protected?” more consistently, quickly, and confidently than ever before – SnapAttack and Mandiant, better together.


Authors: Clayton Barlow-Wilcox & Melissa K. Smith