Wednesday, February 3, 2010

M-trends reaction

**FTC disclaimer (re: middle finger) I'm not affiliated with Mandiant. I know folks at Mandiant only by name recognition and perhaps a few blog comment exchanges, or mailing list/forums posts. I, like you, have read the M-trends report. I do not have access to anything other than M-trends, a few M-unition blog posts from Mandiant and random interweb babble on the subject. I would love to have a discussion with the folks over at Mandiant but I do not see that happening any time soon.
FTC disclaimer**

Now that the obligatory disclaimer is out of the way..When reports like this come out it's interesting what happens. The reactions range all over the map. We, the good guys, are too busy sizing each other up, calling each other ignorant, pretending to know what we don't and holding on too tight to really discuss the issues. What I find most interesting is how apparently everyone is an APT expert all of a sudden, with 15 years of experience battling them, and yet for all of this experience and worldly knowledge, none of it has been shared beyond the contents of this report. Sure, it's discussed privately, in secrecy and behind closed doors but there is an entire industry that plays a part in this, and I'd estimate that perhaps 10% of it knows what's going on.

I looked at the M-trends report and thought wow this is a good explanation of what happens and how. This is good information for folks up the ladder to have. This report is what security folks have been talking about for years, what we're all actually so paranoid about. Mandiant does a great job of presenting the scope of the issue and provide a good explanation. However, there is little to no information at the tactical level and no information related to actually countering the APT in an organization. I understand's a report and they don't want the Chinese (oh don't act so surprised) to know just how 'on to them' the good guys really are. Mandiant also wants to continue to make money doing consulting work and selling premium services such as "counter-APT" investigations and what not. I understand this and do not begrudge them. They apparently do a great job and I'm sure their services are well worth it.

When vague reports like this get released, very few people attempt to validate the findings. Even fewer have the data to do so. As it so happens I've got a bit of data that's APT related. Well, maybe more than a bit and in short order will be sharing some of my own findings. Counter-APT operations are not simply after the fact. The reason they seem to be solely after the fact is due to the cost of defending an enterprise, the lack of awareness and poor governance in organizations. I do not want to make an APT "splash". I do want to unveil a bit of the mystery behind the Advanced and Persistent part of the APT. As I've said before, they are human, they are fallible, they are an anomaly, they are more than their malware, and they can be detected.


Richard Bejtlich said...

Hi Greg,

Good comments -- I've talked to some Mandiant people and we can expect to see probably 2 more reports with ideas on how to counter these guys. Personally I do NOT want to see any tactical details released, for the reasons you mentioned. Once published the tactical stuff is useless.

hogfly said...

Not sure if you meant this comment for someone else but I'm not Greg. Assuming you meant this for me, I have to ask..If publishing tactical information makes it useless, what use is it if not shared? In all honesty, and in your opinion, in a global economy where crimes are global, laws are local and we are in already in a new type of war, is this information privileged only? Is it only for certain people to share, to their own benefit? I'm not a member of the boys club, don't know the people or the handshake.

Or is sharing this information perhaps exactly what our industry has lacked for 30 years?

If the enemy is as advanced as we know them to be, then they have already adapted and are always adapting barring complacency with rates of success, of which the Chinese are not. Countering them is truly a matter of best practices, skilled employees and money.

Richard Bejtlich said...

Woops, looks like you are not who I (and several others) thought you were. :) That's ok though.

The information is shared, but in closed communities with vetted participants. Publishing information to anyone means bad guys get their hands on it much faster.

hogfly said...

I'd be happy to introduce myself to you and whomever the "others" are if you are so inclined. Curious to know which Greg you all thought I was, could be interesting...

Of course the information is shared in closed communities. That's the way it's always been done and yet more questions..has the industry truly solved anything since its inception? Have you noticed that the information fails to make its way out of these vetted circles in a timely fashion? We have failed to study our own history and repeat the same mistakes over and over.

Anonymous said...

The tactics use to find APT is in reality no different then what has already been published to find you typical/advanced malware. There is really no magic here; no one has invented an “Easy” button which can root out APT. The only difference between these tactics is how they are applied. These “close door communities” are here to share intelligence which I pray never makes it out to the public because it would immediately become useless. With that said, unfortunately if you are not in the know you do have a slight disadvantage; however I would argue that if you had a mature security shop you would not need to rely on this intelligence (that is any change to your environment would be considered an incident and investigated).