Mandiant's APT1: Revisited

The Mandiant APT1 report made our industry stronger by encouraging -- if not forcing -- information sharing. By Nick Selby

In February, Mandiant released APT1: Exposing One of China's Cyber Espionage Units, a 74-page tome that told the story of a professional cyber-espionage group that, if it's not sponsored by the Chinese government, certainly operated with its knowledge. Mandiant also released more than 3,000 APT1 indicators, comprising domain names, IP addresses, X.509 encryption certificates and MD5 hashes of malware.

By publishing the report, Mandiant raised huge publicity for itself (it was not coincidence the report was released just before the RSA Security Conference, the industry's biggest confab). For the first time, mainstream news outlets outside the info-security press ran detailed stories of nation-state hacking in terms that were clear to non-technical readers and executives.

The criticism began almost immediately. There were three main camps of criticism:

  • Criticism of Mandiant's motivations - they did it for the media coverage;
    • A subset of this criticism is the, Oh, these guys weren't really so bad...Mandiant's blowing this out of proportion to get more media coverage school of thought
  • Criticism of the conclusions, methods and sources used by Mandiant; and
  • Criticism of Mandiant's running rough-shod over the operational security of researchers actively combating APT out of China

In this post, with the benefit of 20:20 hindsight and the perspective afforded by the passage of time, I will address those three concerns. Rebuttals will be published in this space from ThreatGrid's professional services head Paul Davis and information security threat researcher Lance James, chief scientist at Vigilant.

The Mandiant APT1 report made our industry stronger by encouraging - if not forcing - information sharing. The cost to researchers and investigators with active cases was low: Mandiant publicized information already known to our community at a high level, and added details that allowed an exponentially larger-than-ever group of defenders to leverage the intelligence for defensive purposes. Finally, the report was a piece of brilliant marketing in that it provided exactly what every customer wants and few ever get: attribution of threats and attacks to a specific group of actors.

Why Clients Want Attribution

Every customer who has been hacked; every executive being asked to sign a check to fix a breach, to prevent another one - they all want to know, "Who did this to me?" It's not a question of prosecution. Most of these customers would really never want to prosecute - they don't want the publicity. And despite some titillating conference panel discussions, it's not even a question of retribution. Most of these customers wouldn't dream of a strikeback, except in an offhand, revenge-fantasy kind of thing; it's Inglorious Basterds; it's that guy in high school whose car you wanted to push over a cliff.

Desire to know "who did this?" is merely human nature. And why do we information security professionals deny the customer this primal desire?

Because of our egos.

There's a complex and richly structured set of lies we tell ourselves: that our work is really Secret Squirrel and Important stuff, and this stuff is black arts and double-secret classified, entrusted to Us and so, above all, we must maintain Op-Sec! lest someone else see this valuable and Important information.

Op-Sec - the Kind InfoSec People Discuss When Telling You Why They Can't Answer A Question - Is Often Hooey

Op-sec, it is said by the Twitterati, protects our Ops (See what I did there? Spook-speak!). If we don't protect our Sources and Methods (Ibid.) or if we reveal what we know, then the enemy will have a tactical advantage and we can't interrupt their Kill-Chain (Ibid.).

Tosh. Buffalo bagels. Self-aggrandizing balderdash. Hey! We're watching network traffic and finding evidence in memory and hard drives. They're rarely covered with blood, and almost never contain a holographic projection of a princess begging for help. What we see is evidence of workaday plots to steal information.


For a range of reasons including client self-inflicted blindness, the threat research, threat-intelligence and incident response field is covering, by my estimation, 5% to 10% of the incidents out there that we know about. Within that slice, we're making progress - that is, establishing actual attribution - about 5% of the time, and actually using that evidence for criminal prosecution at some level measured in basis points.

At a minimum, we as a community are over-classifying - a mistake that's merely annoying when the FBI does it, but which leads to real information sharing disfunction when we do it to one another.

Put simply: Information Security Op-Sec in the name of protecting these few victories actually lowers our efficacy rate, and comes at the cost of not meeting our customers' primal need to understand what's happening to them.

This makes even our statistically rare victories pyrrhic, because when we say, "Oh, we know this group...they're really bad," our clients disbelieve us, question our motives and the veracity of the little bit of mysterioso-sounding double-speak we do give them.

[Oh, and as a side note: Telling a customer, who has paid you money, that the PLA may be hacking them? Not an Op-Sec violation. Telling a newspaper reporter that your client is Pwn3d? Yeah, that is an Op-Sec Violation. Here's a pop-quiz: Where along the Op-Sec Continuum would you place this information security practitioner who gave quotes that divulged actual customer details to a news-service reporter? If this was not a comment on background that was inadvertently quoted (and it would seem not to be, as the article was published some time ago and has not been corrected) then this quote would probably break, at a minimum, multiple commercial non-disclosure agreements, and certainly flouts everything that security people swear never to do. Oh, and it's, like, totally un-cool.]

Self-Serving? You Betcha. Let's See You Serve So Many By Serving Yourself, Bub

Was the report self-serving? Of course it was; Mandiant is a profit-seeking enterprise. But here's the crucial question:

Did the Mandiant APT1 report enhance our ability to carry out our mission?

If the answer is yes, then they can self-serve all they want, in the name of enlightened self-interest.

The answer is definitively, 'Yes'

Mandiant's APT1 report helped the Information Security mission by reducing by 25 minutes the "Is this real?" conversation we have at every engagement. By discussing the actual tactics, techniques and procedures, and showing the photograph of a building they claim to be the World HQ For People Who Mess With You, the report reduced by 50% the "Really? They do that?" conversation.

That is crucially important. Run your mouse over the links above - that's every major news outlet in the world. Only Mandiant had the PR juice and fundamental chutzpah to put this all out there and be taken seriously by KXLT-TV, Mason City.

Did the publicity help Mandiant? Of course it did, as it should have.

But it also greatly helped us as a community.

APT1: The Bataan Death March Towards Industry Cooperation

How did it help us? Within a week we had massive discussion chains running on the Internet with Me, Too!! posts from vendors and other helpful souls like those at Bro, AlienVault and others putting out ways to leverage the information in the report and the additional source material. Why do I mention this? Because the popularity of the Mandiant report forced the community to share stuff as never before, if only to catch some of the trail of that gnarly tube Mandiant was surfing.

So don't give me your Op-Sec bullpuckey - let's go for Sec. Once we have Sec, then you can play Cyber War with your little secret Ops and not share information that is of use to us all.

"...But The APT1 People Are Not The A-Team!"

Brother, I've seen what the C- and D-team can do, and let me tell you something: we Op-Sec-loving InfoSec people work for companies that, for whatever reason, suck so badly at protecting themselves that the flippin' J-team can run you around in circles and grab your domain controller months or years before you notice. Mandiant should have released their information on the A-Team?

A-Team? You can't even handle the A-Team's teenage kids.

In Summary

Mandiant helped the community by throwing open the doors and letting us see that, even when the Chinese know that we are looking at them, we can still look at them and the world won't end.

It helped us understand that, only through publicity and marketing will security vendors "care" enough about the community they claim to love so much that they will release enough information for all of us to have more arrows in our quivers and more tools at our disposal for defense.

It showed that even the "Not The A-Team" can wreak havoc on industries for more than six years.

It showed that we are stronger when we team up and stop pretending to be secret agents with classified crucial information, unclench our sphincters and share, than we are when we try to hold on to every little thing in the name of "Op-Sec".

Copyright © 2013 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)