Dailydave mailing list archives
Re: Late Friday thoughts on the Kevin Mandia RSAC keynote.
From: "J. Oquendo" <joquendo () e-fensive net>
Date: Tue, 25 Mar 2014 07:38:00 -0500
On Mon, 24 Mar 2014, Richard Bejtlich wrote:
> ...and this is why I don't usually respond here. It's time for me to leave the list. Good luck, Richard
Again, with great respect, I think it's only fair to keep it on topic. You initially stated: "whatever it was I analyzed", which happened to be whatever it was Mandiant made public in the APT1 report. There was, and is, no sleight of hand in the video; all data came from your company's report.

Let me take it back a step for others who don't - or may not - know about the report (APT1). The initial data came by way of an INFRAGARD report that was to be released the same day, which coincided with the RSA conference. The report is labeled JIB-260425. How do I know this? Malware reversing and analysis happens to be a small field, and it's easy to get samples and see data. This is how researchers secretly crowdsource to find answers; this is not a big secret, most in compsec circles have been doing this for years.

Prior to your APT1 report, I already had some of the addresses you mentioned under the microscope: their tactics, techniques, "indicators of compromise", and what exactly they were doing. MANY of those addresses in your report were "straddling" the line with financial-based malware: bank account/credit card theft, XSS attacks, etc. From a "cyber psychological" perspective, it made no sense for a "gov" sponsored team to target, say, the Pentagon, but on a slight note, "let me go hit up 10,000 bank accounts." The logical "cyber psychological" deflection theory made even less sense: "they're targeting mil/gov space, but ALSO attacking finance to make it seem like it's an organized crime group." From an operational security standpoint, here you have "the holy grail of hacks" (Fortune N's) being attacked, unseen for 1, 2, 3-7 years at that [1]. Such sophistication, yet they'd risk this to deflect attention elsewhere? Forget that, they'd also host their C&C's and data dump servers with known-to-be RBN hosts? It's akin to a bank robber robbing a bank, then stashing the money in a known drug den frequented by other bank robbers.
This makes ZERO sense from any logical/common sense perspective. Many C&C clusters, malware groups, even nation-sponsored groups are under the microscope by many researchers: Shadowserver, Team Cymru, individual researchers. Many can, and do, collaborate to determine what is really going on. In the instance of APT1, I found only two conclusions as to the labeling of the data as "gov sponsored cyber anything."

1) Mandiant's researchers relied on tell-tale identifiers (IP address, language used in an operating system, strings) which can easily be changed and can never identify anyone.

2) Mandiant, in a rush to make RSA conference news, took the JIB report and omitted a lot of relevant information.

On 1, I keep seeing researchers make statements such as: "we don't only rely on IP addresses, or language, to determine who to attribute the attack to." For this I beg of ANY other researcher: "fill me in please", because I have been doing this for a "little while" now, and I cannot find any other mechanism of attribution outside of "they came from X, targeted Y, using Z tactics", which tells me little.

On 2, I "get it", security is always "business as usual"; however, this (cyber) is a bit different. When governments have the potential for any kind of warfare, physical, economic, etc., it's dangerous ground to point fingers knowing there is no solid basis for it; it can push relationships down a negative path. The "data I analyzed" (whatever I analyzed, which happens to be whatever Mandiant put forth, which is also what I already had via the JIB report) shows ACCURATELY that the same group(s) named as "Unit 61398", aka the Chinese government, pointed mainly back to ONE individual. EACH and EVERY one of those I was able to identify has a business, and it is in ONLY one industry: travel and tourism. There is no variance there. They aren't from the trucking industry AND the defense industry AND the Chinese gov. They were from the travel industry.
They ALL also have a commonality with one name that popped up: "Hu Weisheng", who is a "suspected mob boss" in China: "300 armed police arrest suspected mob boss in Guangdong" http://www.wantchinatimes.com/news-subclass-cnt.aspx?id=20120624000053&cid=1103

Late last year, your boss Kevin Mandia was targeted [2], and I immediately went back and thought: "Wow, what better way to target any foreigner coming into your country, when you have dibs on their every move. Their itineraries, their every move can be tracked. You'd know where they're going, where they're staying, and so forth." Do you think solely government would want this data? Data is king, period. Where there is money to be made, is it that far-fetched to think that an organized crime group would be in the "Espionage as a Service" game? You know, steal everything, sell and re-sell to the highest bidder, then re-sell it again, and again?

[1] http://www.wired.com/threatlevel/2014/02/mask/
[2] http://www.infosecurity-magazine.com/view/35048/hackers-target-mandiant-ceo-via-limo-service/

--
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
"Where ignorance is our master, there is no possibility of real peace" - Dalai Lama
42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave