Cyber-security company Mandiant Corp won plaudits from its peers and made
front-page news around the world this week when it published a report
that purportedly traced a series of cyber-attacks on U.S. companies to a
Shanghai-based unit of the Chinese army.

But some hackers have turned the tables on the cyber-expert by creating
malicious versions of its 74-page report that were infected with computer
viruses. They emailed the tainted reports to their victims this week in a
bid to wreak havoc under Mandiant's name.

Though the episode was embarrassing, the company said its systems were
not breached. "Mandiant has not been compromised," the company said on
its corporate blog.

Mandiant was founded in 2004 by Kevin Mandia, a former U.S. Air Force
cyber-forensics investigator who co-authored an influential textbook on
the subject. The company made its name by automating processes used to
investigate computer breaches.

Mandiant was largely unknown outside the computer security industry until
Monday, when it fingered the People's Liberation Army's Shanghai-based
Unit 61398 as the most likely driving force behind a Chinese hacking
group known as APT1.

China's Defense Ministry issued a flat denial of the accusations and
called them "unprofessional." But Mandiant won kudos for the
unprecedented level of detail in its report, including the location of a
building in Shanghai's Pudong financial hub from which Mandiant said the
unit had stolen "hundreds of terabytes of data from at least 141
organizations across a diverse set of industries beginning as early as
2006."

Other security companies that have published reports on cyberattacks have
shied away from so clearly identifying their perpetrators.

"It was a wonderful report," said Michael Hayden, a former director of
the CIA and National Security Agency, who is now with the Chertoff Group.
"Everybody is saying 'it's about time.'"

The report did not identify the victims of APT1 or Mandiant's customers,
though the company says it has worked for about 40 percent of the
Fortune 500.

When asked why he had decided to go public with this report, Mandia, 42,
told Reuters, "There is mounting frustration in the private sector.
Tolerance is shrinking. We also have a bunch of employees here who are
ex-military who sense that frustration and said, 'Let's push this out.'"

The report comes ahead of next week's annual RSA Conference on security
in San Francisco, where Mandiant will showcase its products to help
companies identify security breaches.

IPO in the cards?

Mandiant says it begins investigations by installing software it has
developed that searches for infections by looking for evidence hackers
leave behind. It refers to those digital signatures as Indicators of
Compromise, or IOCs.

The proprietary database of those indicators makes up a critical part of
the "special sauce" that automates the investigation process and,
Mandiant says, enables investigators to root out attackers faster than
rivals.

The company has thousands of IOCs in its database, which it is constantly
expanding.

"We tend not to take the small jobs. We take the big ones - the ones you
would love to read about in the paper, but we keep them out of the
paper," said Mandiant's chief security officer, Richard Bejtlich.

Some investors have speculated that Mandiant is preparing for an initial
public offering in the next year or so. On Friday, it named Mel Wesley
to the post of chief financial officer. Wesley was CFO of publicly held
OPNET, which was sold to Riverbed Technology in December for about $1
billion.

Mandia, who raised $70 million by selling stock to Silicon Valley venture
capital firm Kleiner Perkins Caufield & Byers and One Equity Partners,
the private investment arm of JPMorgan Chase & Co, said he is in no rush
to go public. "I do not believe we need more capital," he said.

Ted Schlein, a partner with Kleiner Perkins, declined to say if an IPO
was in the works, but told Reuters: "They are certainly of the size and
they certainly have the operating metrics to be a public company."

Mandia said revenue soared 60 percent last year to about $100 million,
and he expects it to climb at about the same clip this year on rising
demand for Web-based services that help businesses identify when they
have been attacked.

The New York Times and News Corp's Wall Street Journal recently disclosed
that they hired Mandiant to investigate cyberattacks. The company has
done similar work for Thomson Reuters Corp, parent of Reuters News,
according to two sources with knowledge of the matter. A spokesman for
Thomson Reuters declined to confirm it.

Premium fees

Mandiant declined to discuss its fees, though analysts say they are among
the highest in an industry where rivals include much bigger companies
such as Accenture, AT&T Inc, Deloitte, PwC and Verizon Communications
Inc, which offer cyber-forensics alongside other services.

Mandiant consultants often bill at rates of $450 or more an hour, said a
person familiar with the company. Teams of consultants investigate
breaches for weeks and sometimes several months, typically ringing up
bills of between $250,000 and $1 million.

John Pescatore, director of emerging security trends for the SANS
Institute, says Mandiant can charge a premium partly because it gets
strong recommendations from the government and other customers.

There is often a waiting list for its services.

"It's supply and demand. You call Mandiant and Mandiant tells you when
they can show up," said the person familiar with the company, who was not
authorized to publicly discuss its finances.

Mandiant also competes against CrowdStrike and Cylance, which are run by
the founders of a company known as Foundstone, a pioneer in
cyber-forensics that had hired Mandia away from the military. He left
Foundstone in 2004 to start Mandiant.

© Thomson Reuters 2013