Testing Ransomware Defense Controls

This documentation walks you through the prerequisites, configuration, and running of Ransomware Defense Validation content in your Security Validation environment. Using the results, you can build comprehensive reports that provide granular details about how protected you are from ransomware.

Get Started with Ransomware Defense in Security Validation

Ransomware Defense Validation (RDV), available for both Mandiant Advantage Security Validation (MA-SV) and Mandiant Security Validation (MSV), delivers a “low touch,” safe, and continuous test of whether your security controls can prevent the latest ransomware. It leverages Mandiant’s incident response experience and world-class threat intelligence to provide visibility into your security controls’ ability to alert on or block prevalent ransomware.

Prerequisites

Before you start using RDV, you need to meet the following criteria: 

RDV Benefits

RDV for Security Validation allows you to run Jobs with RDV content and present the results of those Jobs in Report Builder using special panels. Once you've met the prerequisites, you gain access to the following features:

  • RDV content: Repurposes actual ransomware and controls it so it can be executed safely. Safely leveraging actual ransomware from likely and prevalent attackers enables authentic and accurate testing of your endpoint security controls in your actual production environment.
  • RDV panels in Report Builder: Panels in Report Builder that represent summaries and results of any RDV Jobs in a granular fashion. These can also present links to Threat Actors and further details about Ransomware campaigns (MA-SV only).

See Use Security Validation for Ransomware Defense Validation for more information.

Check Ransomware Exposure using Security Validation

Security Validation provides a platform for evaluating your security controls in the face of new ransomware. The incident response experience and threat intelligence of Mandiant can provide insight into your security controls' ability to alert on or block prevalent ransomware attacks.

To verify and substantiate your security measures against ransomware, you can do the following: 

  1. Select and Run Actions from the Action Library that cover Ransomware Defense Validation (RDV) workflows.
  2. Generate a Ransomware Validation Report.
All RDV content is tagged with the Ransomware Defense Validation system tag.

Run RDV Actions

  1. Go to Library Actions to open the respective Actions Library page. 
  2. On the Actions Library page, add Ransomware Defense Validation as a tag to filter on the RDV content.
  3. Get a list of ransomware Actions available in the library.
    Action Library with Ransomware Defense Validation-tagged Content
  4. Select the Action that you want to run and then click Run.
  5. Select Actors.
    • For this example, we'll use a Windows Actor for the Endpoint Actor.
    • If needed for your specific Actor, you can change the Run as User entry, but it is not required.
  6. Click Run Now or Schedule. When you click Run Now, or when the scheduled time arrives, a Job is created and the Action runs. If you clicked Run Now, the Job Results page shows the status and results when the Job completes.
    Example of a Completed Job for an RDV Action
  7. Repeat the preceding steps if you want to run more ransomware validation Actions.

To learn more about security content and Jobs, refer to Security Content & Jobs.

Create a Ransomware Validation Report

After checking your environment for ransomware exposure using the provided Actions, follow these high-level steps to add the ransomware-specific content widgets to a report. For more guidance on preparing comprehensive reports, see Security Validation Reports.

  1. Go to Analyze > Reports.
  2. Click Create New Report.
  3. Optional: Update the time range and add rules, then click Continue.
  4. Add one or both of the Ransomware components (Ransomware Results and Ransomware Summary), which are listed under the Layout/Structure section of the Panel Library.
    The following screenshot shows an example of the Ransomware Results and Ransomware Summary content widgets after they're added to a report. Two ransomware families, HIVELOCKER and LOCKBIT 2.0, are selected.
  • October 20, 2023
  • December 11, 2023