Mandiant APT1 Report: 25 Best Commentaries of the Last 12 Days
In the twelve days that followed publication on the evening of Monday the 18th, I've been very pleased by the amount of constructive commentary and related research published online.
In this post I'd like to list those contributions that I believe merit attention, in the event you missed them the first time around.
These sorts of posts are examples of what the security community can do to advance our collective capability to counter digital threats.
Please note I avoided mass media accounts, interviews with Mandiant team members, and most general commentary.
They are listed in no particular order.
- Seth Hall (Bro): Watching for the APT1 Intelligence
- Jason Wood (SecureIdeas): Reading the Mandiant APT1 Report
- Chris Sanders: Making the Mandiant APT1 Report Actionable
- Symantec: APT1: Q&A on Attacks by the Comment Crew
- Tekdefense (NoVA Infosec): MASTIFF Analysis of APT1
- Chort Row (@chort0): Analyzing APT1 with Cuckoobox, Volatility, and Yara
- Ron Gula (Tenable): We have Microsoft Tuesday, so how long until we have Indicator Wednesday?
- OpenDNS Umbrella Labs: An intimate look at APT1, China’s Cyber-Espionage Threat
- Chris Lew (Mandiant): Chinese Advanced Persistent Threats: Corporate Cyber Espionage Processes and Organizations (BSidesSF, slides not online yet)
- Adam Segal: Hacking back, signaling, and state-society relations
- Snorby Labs: APT Intelligence Update
- Wendy Nather: Exercises left to the reader
- Brad Shoop (Mandiant): Mandiant’s APT1 Domain/MD5 Intel and Security Onion for Splunk
- Brad Shoop (Mandiant): Mandiant’s APT1 Domain/MD5 Intel and Security Onion with ELSA
- Kevin Wilcox: NSM With Bro-IDS Part 5: In-house Modules to Leverage Outside Threat Intelligence
- Cyb3rsleuth: Chinese Threat Actor Part 5
- David Bianco: The Pyramid of Pain
- Wesley McGrew: Mapping of Mandiant APT1 malware names to available samples
- Russ McRee: Toolsmith: Redline, APT1, and you – we’re all owned
- Jaime Blasco (AlienVault Labs): Yara rules for APT1/Comment Crew malware arsenal
- Brandon Dixon: Mandiant APT2 Report Lure
- Seculert: Spear-Phishing with Mandiant APT Report
- PhishMe: How PhishMe addresses the top attack method cited in Mandiant’s APT1 report
- Rich Mogull (Securosis): Why China's Hacking is Different
- China Digital Times: Netizens Gather Further Evidence of PLA Hacking
M-Unition (Mandiant) published Netizen Research Bolsters APT1 Attribution.
I'd also like to cite Verizon for their comments and mention of IOCExtractor and Symantec for publishing their indicators via Pastebin after I asked about it.
Thank you to those who took the time to share what you found when analyzing related APT1 data, or when showing how to use APT1 indicators to do detection and response.
Comments
Thanks for listing the Secure Ideas blog on this. I just wanted to make one correction, it was not written by me (Kevin Johnson) but by Jason Wood, one of our consultants.
Thanks
Kevin
I think that publishing SSL certificates used by the APT1 malware was great idea.
Could Mandiant release APT1 SSL certificates (from appendix F) in PEM format or at least provide fingerprints (md5, sha1) for published certificates? I would like to add capability to detect those certificates by the Nmap network scanner but to do this I need at least sha1 fingerprints. AFAIK converting certificates from text format (format in which APT1 certificates are now available) to PEM is quite complicated.
Thanks in advance.
Mariusz
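Mariusz's question above is about getting certificate fingerprints into a form a scanner can match on. A fingerprint is simply a hash over the certificate's DER encoding, and PEM is just base64-armoured DER, so once you have either form the fingerprints are a few lines of code. The script below is an added example written for this post, not code from the original post, its comments, or Mandiant: it pulls every certificate out of a PEM bundle, emits MD5 and SHA-1 fingerprints in the colon-separated style `openssl x509 -fingerprint` prints, and matches them against a watchlist regardless of case or colon/space grouping (so fingerprints copied from Nmap's ssl-cert output also match). The certificate bytes embedded in it are constructed placeholders, not the APT1 certificates from Appendix F.

```python
"""Added example: PEM <-> DER handling and certificate fingerprint matching.

A certificate fingerprint is the hash of the DER encoding, so you need the
DER (or PEM, which is base64-armoured DER) bytes, not a text dump alone.
"""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_der(bundle):
    """Return the DER bytes of every certificate in a PEM bundle, in file order."""
    ders = []
    for body in PEM_BLOCK.findall(bundle):
        # Drop the line breaks inside the base64 body before decoding.
        ders.append(base64.b64decode("".join(body.split()), validate=True))
    return ders


def der_to_pem(der):
    """Wrap DER bytes in PEM armour with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def fingerprint(der, algo="sha1"):
    """Hash the DER encoding and format it AA:BB:CC:... (OpenSSL's style)."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp):
    """Canonical form for comparison: lowercase hex with colons/spaces removed."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def match_watchlist(bundle, watchlist, algo="sha1"):
    """Return (index, fingerprint) for each certificate in `bundle` whose
    fingerprint is in `watchlist`; entries may use any case or separator."""
    wanted = {normalize(fp) for fp in watchlist}
    hits = []
    for idx, der in enumerate(pem_to_der(bundle)):
        fp = fingerprint(der, algo)
        if normalize(fp) in wanted:
            hits.append((idx, fp))
    return hits


# Constructed placeholders: these bytes are NOT real certificates and NOT the
# APT1 certificates from Appendix F; they only exercise parsing and hashing.
PLACEHOLDER_DER_A = b"placeholder DER bytes, not a real certificate, A"
PLACEHOLDER_DER_B = b"placeholder DER bytes, not a real certificate, B"
SAMPLE_BUNDLE = der_to_pem(PLACEHOLDER_DER_A) + der_to_pem(PLACEHOLDER_DER_B)

# A real watchlist would hold published fingerprints; this one holds placeholder A.
SAMPLE_WATCHLIST = {fingerprint(PLACEHOLDER_DER_A).lower()}

if __name__ == "__main__":
    for idx, der in enumerate(pem_to_der(SAMPLE_BUNDLE)):
        print(f"cert {idx}: MD5 {fingerprint(der, 'md5')}  SHA-1 {fingerprint(der)}")
    print("watchlist hits:", match_watchlist(SAMPLE_BUNDLE, SAMPLE_WATCHLIST))
```

Point `pem_to_der` at a file of PEM blocks and the SHA-1 values it yields are the ones to feed a scanner or sensor; the `normalize` step is what lets a watchlist pasted from several tools' output be compared without reformatting.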
http://www.joshd.ca/content/making-mandiant-apt1-intel-actionable-using-splunk
Thanks Richard