In the twelve days since publication on the evening of Monday the 18th, I've been very pleased by the amount of constructive commentary and related research published online.
In this post I'd like to list those contributions that I believe merit attention, in the event you missed them the first time around.
These sorts of posts are examples of what the security community can do to advance our collective capability to counter digital threats.
Please note I avoided mass media accounts, interviews with Mandiant team members, and most general commentary.
They are listed in no particular order.
- Seth Hall (Bro): Watching for the APT1 Intelligence
- Jason Wood (SecureIdeas): Reading the Mandiant APT1 Report
- Chris Sanders: Making the Mandiant APT1 Report Actionable
- Symantec: APT1: Q&A on Attacks by the Comment Crew
- Tekdefense (NoVA Infosec): MASTIFF Analysis of APT1
- Chort Row (@chort0): Analyzing APT1 with Cuckoobox, Volatility, and Yara
- Ron Gula (Tenable): We have Microsoft Tuesday, so how long until we have Indicator Wednesday?
- OpenDNS Umbrella Labs: An intimate look at APT1, China’s Cyber-Espionage Threat
- Chris Lew (Mandiant): Chinese Advanced Persistent Threats: Corporate Cyber Espionage Processes and Organizations (BSidesSF, slides not online yet)
- Adam Segal: Hacking back, signaling, and state-society relations
- Snorby Labs: APT Intelligence Update
- Wendy Nather: Exercises left to the reader
- Brad Shoop (Mandiant): Mandiant’s APT1 Domain/MD5 Intel and Security Onion for Splunk
- Brad Shoop (Mandiant): Mandiant’s APT1 Domain/MD5 Intel and Security Onion with ELSA
- Kevin Wilcox: NSM With Bro-IDS Part 5: In-house Modules to Leverage Outside Threat Intelligence
- Cyb3rsleuth: Chinese Threat Actor Part 5
- David Bianco: The Pyramid of Pain
- Wesley McGrew: Mapping of Mandiant APT1 malware names to available samples
- Russ McRee: Toolsmith: Redline, APT1, and you – we’re all owned
- Jaime Blasco (AlienVault Labs): Yara rules for APT1/Comment Crew malware arsenal
- Brandon Dixon: Mandiant APT2 Report Lure
- Seculert: Spear-Phishing with Mandiant APT Report
- PhishMe: How PhishMe addresses the top attack method cited in Mandiant’s APT1 report
- Rich Mogull (Securosis): Why China's Hacking is Different
- China Digital Times: Netizens Gather Further Evidence of PLA Hacking
- M-Unition (Mandiant): Netizen Research Bolsters APT1 Attribution
Thank you to those who took the time to share what you found when analyzing related APT1 data, or when showing how to use APT1 indicators to do detection and response.