Showing posts with label mandiant. Show all posts

Saturday, 02 March 2013

Mandiant APT1 Report: 25 Best Commentaries of the Last 12 Days

Two weeks ago today our team at Mandiant was feverishly preparing the release of our APT1 report.

In the twelve days that followed publication on the evening of Monday the 18th, I've been very pleased by the amount of constructive commentary and related research published online.

In this post I'd like to list those contributions that I believe merit attention, in the event you missed them the first time around.

These sorts of posts are examples of what the security community can do to advance our collective capability to counter digital threats.

Please note I avoided mass media accounts, interviews with Mandiant team members, and most general commentary.

They are listed in no particular order.

  1. Seth Hall (Bro): Watching for the APT1 Intelligence
  2. Jason Wood (SecureIdeas): Reading the Mandiant APT1 Report
  3. Chris Sanders: Making the Mandiant APT1 Report Actionable
  4. Symantec: APT1: Q&A on Attacks by the Comment Crew
  5. Tekdefense (NoVA Infosec): MASTIFF Analysis of APT1
  6. Chort Row (@chort0): Analyzing APT1 with Cuckoobox, Volatility, and Yara
  7. Ron Gula (Tenable): We have Microsoft Tuesday, so how long until we have Indicator Wednesday?
  8. OpenDNS Umbrella Labs: An intimate look at APT1, China’s Cyber-Espionage Threat
  9. Chris Lew (Mandiant): Chinese Advanced Persistent Threats: Corporate Cyber Espionage Processes and Organizations (BSidesSF, slides not online yet)
  10. Adam Segal: Hacking back, signaling, and state-society relations
  11. Snorby Labs: APT Intelligence Update
  12. Wendy Nather: Exercises left to the reader
  13. Brad Shoop (Mandiant): Mandiant’s APT1 Domain/MD5 Intel and Security Onion for Splunk
  14. Brad Shoop (Mandiant): Mandiant’s APT1 Domain/MD5 Intel and Security Onion with ELSA
  15. Kevin Wilcox: NSM With Bro-IDS Part 5: In-house Modules to Leverage Outside Threat Intelligence
  16. Cyb3rsleuth: Chinese Threat Actor Part 5
  17. David Bianco: The Pyramid of Pain
  18. Wesley McGrew: Mapping of Mandiant APT1 malware names to available samples
  19. Russ McRee: Toolsmith: Redline, APT1, and you – we’re all owned
  20. Jaime Blasco (AlienVault Labs): Yara rules for APT1/Comment Crew malware arsenal
  21. Brandon Dixon: Mandiant APT2 Report Lure
  22. Seculert: Spear-Phishing with Mandiant APT Report
  23. PhishMe: How PhishMe addresses the top attack method cited in Mandiant’s APT1 report
  24. Rich Mogull (Securosis): Why China's Hacking is Different
  25. China Digital Times: Netizens Gather Further Evidence of PLA Hacking

M-Unition (Mandiant) published Netizen Research Bolsters APT1 Attribution.

I'd also like to cite Verizon for their comments and mention of IOCExtractor and Symantec for publishing their indicators via Pastebin after I asked about it.

Thank you to those who took the time to share what you found when analyzing related APT1 data, or when showing how to use APT1 indicators to do detection and response.


Tuesday, 06 December 2011

Mandiant Webinar Wednesday; Help Us Break a Record!

I'm back for the last Mandiant Webinar of the year, titled State of the Hack: It's The End of The Year As We Know It - 2011. And you know what? We feel fine! That's right, join Kris Harms and me Wednesday at 2 pm eastern as we discuss our reactions to noteworthy security stories from 2011.

Register now and help Kris and me beat the attendee count from last month's record-setting Webinar.

If you have questions about the Webinar, before or during it, you can always send them via Twitter to @mandiant using the hashtag m_soh.

Monday, 15 August 2011

Check Out MANDIANT Job Postings

If you visit www.mandiant.com/hireme you'll notice MANDIANT is looking to hire a ton of people over the next few weeks and months. We have openings all over the company, including my MCIRT business line. Basically if you're the go-to person in your organization for coding, doing, or supporting incident detection and response tools and/or techniques, you will probably find an interesting job here!

The easiest way to start the process is to pick a role and submit your resume. Thank you for your consideration.

Thursday, 17 March 2011

Bejtlich Joining MANDIANT as CSO and Security Services Architect

In June 2007 I posted that I was joining General Electric as Director of Incident Response. Since then I helped build and lead GE-CIRT from an "army of one" into a team of 40 analysts. It was an honor and a privilege to work with my team, but today I am announcing that I've accepted a new challenge.

Effective 1 April I will be Chief Security Officer and Security Services Architect for MANDIANT, where I will build teams, tools, and capabilities to provide managed detection and response services. You can read the press release at the MANDIANT Web site or Businesswire if you're so inclined, as well as a MANDIANT blog post.

I am really looking forward to this new opportunity. I worked for Kevin Mandia in 2002-2004 with Foundstone and for Travis Reese in 2004-2005 at ManTech International Corp.'s CFIA division. When I left ManTech to concentrate 100% on TaoSecurity, the first consulting I did was for Red Cliff, the precursor to MANDIANT. I also know many current members of the MANDIANT team from those three roles and subsequent relationships.

I believe in MANDIANT's mission and vision, which is important to me. While I enjoyed defending one enterprise with my old team, at MANDIANT I will be able to assist multiple organizations. As a member of the MANDIANT executive team I will also help set the direction for the company and will be able to work with the product, consulting, training, and managed services groups.

While many of you are familiar with MANDIANT's famous incident response consulting force, you may not be aware that the company continues to build a managed services team to provide dedicated, long-term detection and response options. By the end of the second quarter I expect my colleagues and I in the security services group to be announcing new job opportunities for those who enjoy hunting digital intruders. MANDIANT is already hiring aggressively for security talent, so keep your eyes on the job site for more information.

As you might expect, I plan to continue writing TaoSecurity Blog and sending TaoSecurity Tweets. I will still provide training such as TCP/IP Weapons School, but I expect to keep the same low number of classes as was the case with my previous employer. Currently I will be teaching at GTEC in DC on 31 May - 1 June, and then at Black Hat USA 30-31 July and again on 1-2 August. Two classes for USENIX this summer are still in coordination.

I enjoyed interacting with all of you over the last four years wearing my old hat, and I look forward to staying in touch via social media and at conferences in my new role! Thank you.

Wednesday, 09 August 2006

Notes from SC Magazine

The July 2006 SC Magazine features some blogworthy stories. From Working for Gold, we see more opinions that calculating security ROI is a waste of time:

In recent years, the acronym of the day was ROSI — return on security investment. Analysts and security managers alike were struggling to find ways to measure security return on investment (ROI) and offer it up as proof to their bosses and executive boards that their money was being maximized. But the magic method to do this has never appeared. And some, such as André Gold, Continental Airlines' information security director, doubt it ever will.

"There are a lot of people out there who want to turn the information security department into a profit and loss (P&L) entity and I don't think you can do it," Gold says. "I ran our ecommerce environment for almost seven years and it was really easy to do ROI-type of metrics there. In my opinion you just don't have that in security."

Gold isn't alone. Increasingly, security professionals are dropping the goal of searching for ROI in favor of looking for better ways to communicate how security is making the most of its budget.

"I truly believe there is no real ROI," says Kevin Mandia, CEO of the security consultant firm Mandiant. "A lot of smart people have sat around trying to think about this for the last 10 years and nobody has come up with anything."

All you can do, he says, is detail the proactive things you've done to protect the company from identified threats, and when those thresholds are breached, discuss how fast you reacted to them.

Gold's philosophy is that as a risk management division, security is akin to insurance.

"Risk management is, I think, about insurance," he says. "Insurance doesn't have a P&L [profit and loss] associated with it. Insurance is what it is."
(emphasis added)

Bingo. There's nothing more to say, except for my Road House example.

The same issue features What pill can I take for cyber insecurity? by Kevin Mandia of Mandiant, my friend and ex-Foundstone leader. He concludes by saying:

I think most of us agree that the majority of folks on the planet desire a world where there is no "buggy" software, no backdoors, no cyber intruders and no discernable security flaws in our software. It is time to salute smartly and prepare to battle on. Defending America's cyber infrastructure is going to be a lot like trying to cure a complex disease. The oldest known description of human cancer is found in Egyptian papyri written between 3000-1500 bc, and 3,500 years later we still do not have a cure. I expect similar results for cybersecurity. We can treat cyber insecurity, we can survive it, but we must learn to live with the fact that there may not be a cure.

Kevin is right, although I am hopeful there will indeed be a cure for cancer one day. I like to look at the issue in this light, though. We have been building homes for the same period that Kevin mentions -- even longer. This morning a contractor visited my home to inspect our roof for water leaks. With homes having a multi-thousand-year history, wouldn't you expect to have an absolutely water-proof home by now?

The answer is yes -- if you are willing to pay for it. There are seldom solutions to any problems -- only trade-offs. If you're willing to add $50,000 (?) to the cost of your house, maybe you can have a 100-year roof. That's a price I'm not willing to pay, since this repair will be (only!) $575.

We could approach a similar level with "security" if we were willing to abandon general purpose PCs, operating systems, and applications, wait 10 years, and then operate within an extremely narrow and probably fixed set of features. We'd also have to pay a great deal more.

Tuesday, 22 June 2004

Red Cliff Consulting, a Trusted Professional Services Firm

Today I spoke with Kevin Mandia, lead author of Incident Response and Computer Forensics, the best IR book available. When the first edition was published, Kevin was director of incident response and computer forensics at Foundstone. I met him in person at the first SANSFIRE conference in 2001. Kevin hired me to join Foundstone's IR team in early 2002, and I left the team in early 2004 a few months after he did.

Kevin is now running Red Cliff Consulting, a professional services firm headquartered in Alexandria, VA. He describes his group as "the experts that experts consult." I won't argue with that assessment. For example, Curtis Rose just joined Red Cliff, after working for years at Sytex. Curtis is one of the co-authors of the forthcoming book Real Digital Forensics, along with myself and Keith Jones.

Kevin will be speaking at Black Hat 2004 in Las Vegas in late July. He plans to discuss "the five things that are problematic in incident response." His public speaking engagements are always incredibly informative and entertaining. Before the Foundstone Christmas party in December 2002, the IR team discussed how funny it would be if Kevin described our team's work in Haiku form. Sure enough, our fearless leader delivered his entire talk in Haiku.

Kevin Mandia
Leading Foundstone's IR team
Puts bad guys in jail

In any case, if you need a group of trusted, experienced computer forensic consultants, check out Red Cliff's services.