Dailydave mailing list archives
Re: Late Friday thoughts on the Kevin Mandia RSAC keynote.
From: Richard Bejtlich <taosecurity () gmail com>
Date: Mon, 24 Mar 2014 12:14:40 -0400
I'm glad you thought it worthwhile to analyze whatever you analyzed, but after our report was public, the heads of the House and Senate Intel Committees, NSA, and others I won't name, said Mandiant got the attribution correct.

Sincerely,

Richard

On Mon, Mar 24, 2014 at 11:30 AM, J. Oquendo <joquendo () e-fensive net> wrote:
> On Mon, 24 Mar 2014, Richard Bejtlich wrote:
>> On Sun, Mar 23, 2014 at 11:24 AM, Moses Hernandez <moses () moses io> wrote:
>>> Dave,
>>>
>>> Quick Q: You referring to this particular statement (I paused it):
>>>
>>> Highlights - Technical - In over 97% of the 2,672 separate APT1 intrusions Mandiant observed (into 141 companies), APT1 used IP addresses registered in Shanghai.
>>>
>>> So that statement tells me that those are just the APT1 intrusions, not all of the Mandiant referenced intrusions. APT1 itself is said to use IP addresses registered in Shanghai. Is that by itself clever misdirection? Maybe. Are there other 'APT' style groups that go undetected from various nations?
>>
>> Moses is right. Dave misunderstood what Kevin said. Also, APT1 is only one of two dozen or so Chinese groups Mandiant tracks. We also track Russians, etc.
>
> With all due respect to your researchers, colleagues, etc., I took your APT1 data, ran it through all sorts of analyses, all sorts of recon, and I could not for the life of me come to the same conclusions that you guys did.
>
> All your data run through Sentinel Analysis:
> http://www.infiltrated.net/aptredux/
>
> There is no voodoo, dirty tricks there, it's all recorded for all to see. Here is a mind map of all of Mandiant's data:
> http://infiltrated.net/straggler-f211596a8ac0cac13983ad2b98a71108/straggler-mapped.html
>
> 70% plus were mapped to one industry, not CN government. Did you guys (Mandiant) omit some secret sauce, because I still have a difficult time piecing together how - outside of an IP address, and one name (UglyGorilla) - you guys can even attribute this to CN gov.
>
> --
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
>
> "Where ignorance is our master, there is no possibility of real peace" - Dalai Lama
>
> 42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF