No Malware, No Compromise

While conducting incident response work, Mandiant encounters security teams and executives who seem to focus on malware as the defining feature of a compromise. These groups think that the scope of an incident depends on knowing where the intruder installed malware. Knowing where malware was used, and how it was used, is indeed important for effective incident response. Unfortunately, knowledge of malware, however complete, is only half the picture.