Mandiant Victim Notification Program

Knowing about a potential cyberattack early can be the difference between a minor incident and a significant crisis. At Mandiant, a part of Google Cloud, we are committed to proactively protecting the global community through our Victim Notification Program. This initiative leverages our unparalleled threat intelligence and incident response expertise to directly inform organizations when we identify a potential compromise, empowering them to take swift action.

Mandiant’s mission is to make organizations secure against cyber threats and confident in their readiness, whether they are a customer or not. We believe that sharing timely and actionable threat intelligence is a crucial step in achieving this goal. Our Victim Notification Program embodies this commitment by providing critical information to potential victims, free of charge.

As part of Google Cloud, Mandiant's Victim Notification Program is strengthened by the vast resources and intelligence of the Google Threat Intelligence Group. This powerful combination allows us to identify and notify potential victims with even greater accuracy and speed. Mandiant has performed over 10,000 notifications since the program's inception, helping countless organizations mitigate potential cyber threats. 

If you have received a notification from Mandiant about a possible breach, it means our threat intelligence indicates your organization may have been compromised. Our team undertakes this work on a best effort basis to notify the community as early as possible, giving you the best chance to remediate a problem before it gets worse.

Verify the communication: To ensure the notification is legitimate, you can contact us at VN@mandiant.com.

Validate the threat intelligence: Review the shared information and validate our findings.

Consider next steps: Depending on the intelligence, remediation may involve your regular IT security workflows. In some cases, the information may suggest a larger compromise requiring a forensic investigation.

We are available to meet and speak with you, regardless of your status as a Mandiant client, to help you understand our findings and discuss recommended actions tailored to your situation.

Our notification details originate from a variety of sources, leveraging the extensive capabilities of the Google Threat Intelligence Group, Mandiant Incident Response, and Mandiant Managed Defense. Our threat intelligence collection involves:

• Monitoring attacker infrastructure: Tracking characteristics of attacker infrastructure and searching for established malicious patterns across networks.
• Analyzing malicious patterns: Monitoring the evolution of TTPs (tactics, techniques, and procedures) for malware families associated with threat actor groups.
• Hacking forums: Our analysts monitor dark web forums where cyber criminals advertise the sale of victim data or access to victim systems. This includes stolen customer databases, user account lists, and sensitive intellectual property, as well as the sale of direct access like web shells or compromised credentials by initial access brokers.
• Leveraging investigation findings: Through our work on over a thousand incident response engagements per year, we sometimes identify information indicating that multiple organizations were affected by an attack. We proactively reach out to these other victims with indicators to help them investigate quickly. This includes instances of compromised account credentials used for phishing, internal reconnaissance, or gaining access to public portals.
• Industry partnerships: We collaborate with software and hardware vendors, often through penetration testing and incident response work. These partnerships have led to the patching of CVEs and the sharing of detections and scanning tools to identify compromises related to supply chain and zero-day attacks. Examples include our work with Ivanti, Barracuda, Citrix, and many others.
• Financial institution collaboration: We work with financial institutions to alert them to the exposure of credit card information leaked on cybercrime forums, enabling them to mitigate the risk of fraud.
• Government and regional CERT partnerships: We collaborate closely with government agencies in the US, as well as regional CERTs globally. These partnerships are vital for ensuring victim notifications reach affected organizations through the most appropriate and direct channels worldwide.

The Mandiant Victim Notification Program is a testament to our commitment to protecting the global community. Similar to how Google Chrome includes password breach notifications, Google Threat Intelligence and Mandiant combine to proactively share critical threat intelligence with compromised organizations, empowering them to defend themselves against cyber threats and contributing to a safer digital world for everyone. Our Victim Notification initiative demonstrates the powerful synergy between Mandiant's expertise and Google Cloud's resources, allowing us to provide unparalleled threat intelligence and support.

We offer dark web monitoring to keep tabs on information specific to your organization through the Digital Threat Monitoring module in the Google Threat Intelligence Platform. Dedicated threat intelligence offerings customized to your needs are available by reaching out to your Google Cloud representative. Our Crisis Communications team has extensive experience dealing with incident messaging and can help guide and craft your strategy to overcome a stressful situation.

If you need urgent assistance with an incident, contact our Incident Response team to discuss investigation options. An overview of Mandiant Consulting can be found on our website as well as a list of all our services.

If you have received notification from Mandiant about a possible breach and wish to verify the authenticity or ask questions, please reach out to: VN@mandiant.com.