Saturday, January 30, 2010

Mandiant M-Trends on APT

If you want to read a concise yet informative and clue-backed report on advanced persistent threat, I recommend completing this form to receive the first Mandiant M-Trends report.

Mandiant occupies a unique position with respect to this problem because they are one of only two security service companies with substantial counter-APT consulting experience.

You may read blog posts and commentary from other security service providers who either 1) suddenly claim counter-APT expertise or 2) deride "APT" as just a marketing term, or FUD, or some other term to hide their inexperience with this problem. The fact remains that, when organizations meet in closed forums to do real work on this problem, the names and faces are fairly constant. They don't include those trying to make an APT "splash" or those pretending APT is not a real problem.

Mandiant finishes its report with the following statement:

[T]his is a war of attrition against an enemy with extensive resources. It is a long fight, one that never ends. You will never declare victory.

I can already hear the skeptics saying "It never ends, so you can keep paying Mandiant consulting fees!" or "It never ends, so you can keep upgrading security products!" You're wrong, but nothing I say will convince some of you. The fact of the matter is that until the threat is addressed at the nation-state to nation-state level, victim organizations will continue to remain victims. This is not a problem that is going to be solved by victims better defending themselves. The cost is simply too great to take a vulnerability-centric approach. We need a threat-centric approach, where those with the authority to apply pressure on the threat are allowed to do so, using a variety of instruments of national power. This is the unfortunate reality of the conflict in which we are now engaged.

16 comments:

yoshi said...

vulnerability-centric approach

I've made this comment before but I will repeat it. I know of no organization taking a "vulnerability-centric" approach. None. And your nation-state comments are meaningless for organizations that have presences in every country in the world. When my points of presence are in China and I'm being attacked by someone in China, the US can do very little. But you are ex-military so I am not surprised by the limited point of view.

Anonymous said...

OK, I disagree with one point in the post (there aren't just two with substantial experience, I've been behind the same closed doors)...

However, I wanted to post in response to Yoshi. You do realize Bejtlich is a Director at ~GE~. And just because your assets are distributed worldwide doesn't mean you are helpless. There are network designs, service models, segmentation, etc. that can be done. I think it's rather naive to dismiss this guy's viewpoint due to being ex-military when he is currently ultra-corporate.

Jeffrey said...

Richard, while I agree on a threat-centric approach, the Mandiant report is an awful document. It vastly overstates the threat and in fact, isn't a report at all. It's a marketing white paper. I reviewed it here: http://intelfusion.net/wordpress/2010/01/30/remarks-on-the-mandiant-report-on-advanced-persistent-threat-apt/

Richard Bejtlich said...

Jeff, the irony here astounds me. Are you, a person who only *writes* about "cyber warfare," taking shots at people who actually *conduct* cyber warfare (at least defensively)? Your post is wrong on too many levels to mention in a comment alone.

Anonymous said...

The problem isn't that I don't believe that a (maybe even significant) threat to the MIC and IP-driven organizations isn't APT; the problem is that Mandiant's marketing wants us to believe that the APT is applicable to *every* network, regardless of what sort of information that network has to offer.

Right now, APT is just *not* applicable. It's not applicable to Level 3 and 4 merchants (at least). It's not applicable to healthcare (outside of the MIC). It's just not.

Now sure, Mandiant's marketing is just that, marketing, and we expect an amount of stupidity from *any* marketing organization. But theirs is based on exaggerating the applicability of the APT.

I'm with you, Rich. We used to just call the APT "nation-state threats" when we did work for the DOE & F500 energy concerns. I believe you that there is a real threat here. It's just not, to quote Mandiant's marketing, "spy vs. everyone".

Richard Bejtlich said...

Anonymous, it's a valid point if you believe Mandiant wants you to think that it's APT vs everyone-in-the-world-including-your-grandmother. On the other hand, the problem really is a lot wider than many think.

Jeffrey said...

Oh my. First, I don't only write about it. GreyLogic engages in active collection and analysis of forensic data as well as geopolitical data. Examples of both are in our public reports.

Further, unless the Taliban is attacking U.S. networks in conjunction with their kinetic attacks in Afghanistan, no one that I know of is engaged in "defensive cyber warfare" in the United States. And since when is espionage considered warfare? Did they change the LOAC when I wasn't looking?

Richard Bejtlich said...

"no one that I know of is engaged in "defensive cyber warfare" in the United States."

Exactly.

Anonymous said...

I was going to read Jeffrey's post.

Maybe not.

Come back in 10 years, Jeff, then I'll listen.

Michael Cloppert said...

Richard,

Good post. I agree with you here, and have a few brief comments.

I can already hear the skeptics saying...

First, I've found, it's easy to be a skeptic when you're incapable of observing the problem in the first place, or cannot frame the problem correctly. The latter is something we've both been trying to address for some time now in the public domain. Gaining problem appreciation through observation is a little more difficult on account of the operational security imperatives that impede complete exposure of this activity. Google did us a favor here, IMO.

Second, regarding threat versus vulnerability centric defense, I would say that nearly every organization takes a vulnerability-, or at best attack-centric approach. The classic IR model that nearly everyone uses, for instance, is attack-centric and does nothing to assist net defenders in leveraging threat intelligence for improving CND. It's merely an assessment activity after a compromise occurs. That's only a small part of the puzzle.

Finally (this comment is getting long - sorry), I think some of the commenters may be disagreeing simply because of variable definitions of 'war'. I will admit I hate using the term 'cyberwar' to describe this activity because it flirts with hyperbole, but contemporary scholars on the subject such as Greg Rattray in his seminal work Strategic Warfare in Cyberspace clearly place the topics we speak of here in the realm of 'war.' Whether or not matters of espionage are technically a 'war' is really an academic discussion; we shouldn't let it distract us from dealing with what the consensus of victims truly believes is a serious problem.

Anonymous said...

"...they are one of only two security service companies with substantial counter-APT consulting experience."

Who is the other one? Just wondering.

Jeffrey said...

Hi Mike, good to see you contributing to this discussion. I agree with your points to Richard with one exception. I don't believe it's necessary to refer to acts of cyber espionage as "war" in order to treat it as a serious problem. Espionage is very serious in and of itself, and is taken seriously, at least by GreyLogic's customers. Defining what constitutes an act of cyber warfare is difficult enough without co-mingling the terminology even further IMO.

Michael Cloppert said...

Jeff,

I don't believe it's necessary to refer to acts of cyber espionage as "war" in order to treat it as a serious problem.

I didn't have any intention of suggesting that. In fact, that's why I made the following comment:

we shouldn't let it distract us from dealing with what the consensus of victims truly believes is a serious problem.

I think we're in agreement on those points.

I will add, though, that I feel the Mandiant report is important in the scheme of what we are trying to accomplish. There are plenty of decision-makers in affected industries who still do not appreciate the threat as it relates to CNE. Data and case studies are important in making the case.

CNA, OTOH, has much more traction due to its innate excitement, but the importance of the difference in strategic objectives achieved by each is often lost. If we aren't careful to articulate both, separately, they will be observed as the same and our collective management of the problem will be ineffective. For an example, consider any media report or opinion about stolen data that talks about "Cyber 9/11" in the same context.

Jeffrey said...

I agree that enterprises need a wake-up call, and I agree that Mandiant should continue to ring the APT bell so that, at the very least, people understand that DDoS is not the problem; that CNE is the problem. I also agree that the case studies presented in the report are very helpful up to a point. If I were a Fortune 1000 CEO and read that report, I'd have to question the accuracy of the case studies because of the excessive hyperbole and logical inconsistencies elsewhere in the report.

I won't belabor the point here because I already wrote two posts about it at my blog.

Anonymous said...

Hi Richard,

You said this in your post:

Mandiant occupies a unique position with respect to this problem because they are one of only two security service companies with substantial counter-APT consulting experience.

If you can disclose this information: Who is the security service company?

Anonymous said...

------
"no one that I know of is engaged in "defensive cyber warfare" in the United States."

Exactly.
------

Richard, brilliantly articulated explanation of the problem with Jeff's research. Unfortunately for Jeff, size of ego has no direct correlation with amount of experience.