Remarks on the Mandiant Report on Advanced Persistent Threat (APT)
Last Updated on Tuesday, 2 February 2010 04:59 Written by admin Saturday, 30 January 2010 11:23
UPDATE (02 Feb 2010): I was contacted by Rob Lee, a Director at Mandiant, who informed me that their report was written by Mandiant employees (including himself) and, contrary to my suspicion, was not farmed out to a White Paper vendor. I appreciate Rob making the effort to contact me and provide correct data and I have lined out the offending sentence to reflect the change. I also edited out my closing sentence. Re-reading it, I may have been a bit too harsh, particularly since Rob made the effort to contact me when he didn’t have to.
———
A lot has been written about Mandiant’s report on a method of network attack and exploitation called “Advanced Persistent Threat”, a term coined by the U.S. Air Force in 2006 and recently adapted to network attacks by Mandiant (whose CEO, COO, CFO, and VP of Products are all Air Force veterans).
The first and most important thing to note is that this is not a report at all. It’s a white paper, and a white paper, when it’s created by a commercial concern, is a marketing document that delivers information in an easily identifiable way:
- it describes a problem which its potential customer base is having trouble with
- it offers a solution that it wants potential customers to believe is best implemented by the commercial concern
Mandiant’s paper does not say who wrote it, which is another characteristic of marketing white papers, particularly when they are contracted out to a specialty white paper house, which I suspect was the case with this one.
A further give-away that you should treat this report as a marketing document comes with its excessive use of adjectives like “dramatic increase” and “superbly capable teams of attackers” as well as over-generalizations (“the APT successfully compromises any target it desires”, “conventional defenses are ineffective”). And if that isn’t enough, there are logical inconsistencies like this one: “Although the U.S. government and defense communities are aware of and countering APT attacks, many victims and targets are unaware and unequipped…. This report outlines trends, techniques, and real details of how the APT successfully compromises any target it desires.” Yeah…. No.
Whoever wrote this paper for Mandiant just expressed a logically impossible scenario. Either Gov and DoD are countering APT attacks, or APT successfully compromises any target it desires. It cannot be both. Furthermore, it’s blatantly untrue. The Department of the Interior’s cyber security is among the worst anywhere according to multiple Inspector General reports. The FAA has had numerous embarrassing incidents, as has the Department of Energy’s National Nuclear Security Administration. So, Mandiant, are you telling me that the DoI, FAA, and DoE can’t handle the most mundane of cyber threats but they are aware of and successfully countering sophisticated APT attacks?
All of the above is just from page 2 – the Executive Summary. Since the Executive Summary is supposed to deliver the key findings to the reader, here’s the message that it delivered to me and, I bet, to many other InfoSec and Intelligence professionals:
Mandiant’s goal in this report is to increase its customer base by over-stating a threat while promoting its services as the sole or best solution to that threat.
And speaking of promotion of services, that’s done twice: at the end of the Executive Summary, and at the end of the report.
Moving on to the body of the report, you’ll find this diagram of Mandiant’s APT lifecycle:
Now compare that to the diagram from the Chinese IW report and the model described in chapter 10 of my book which I outlined here. They all describe the same methodology because this is, generally speaking, how espionage has been conducted for thousands of years, albeit recast in the technology of the moment – the Internet. It is NOT because APT is some new kind of super-threat that “successfully compromises any target it desires“.
Shame on Mandiant for promoting this piece of marketing hype as a “report”. If I were a customer of theirs and read this paper, I’d have serious reservations about continuing with them on any scale whatsoever.
Jeff, just one comment on this crazy post. You realize that Mandiant’s graphic reminds you of the graphic you copied from “Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation” because they describe the SAME THREAT (APT), and not some generic “espionage” model? In other words, Northrop’s report offers a similar model because they and Mandiant are both describing what *they have seen* (i.e., not what *you have seen*) when doing counter-APT work?
Richard, had I created a diagram of the threat model described in Inside Cyber Warfare, which I and my colleagues have also “seen”, it would have been similar as well. Not because APT is new, but because the covert penetration of networks and exfiltration of data is universally the same in principle, whether those networks are virtual or physical.
What I don’t understand is why you didn’t comment on the grossly exaggerated language used in this white paper. Do you disagree with me that over-stating the case hurts more often than helps?
Dear Jeff, Richard (and Rob) – the APT buzzword is really making the news. IMHO this is good – not for the FUD factor but because now they are not *so stealth* anymore – at least in the sense of general knowledge, not visibility.
It will be interesting to see how governments, companies and respected security professionals like you guys will keep the pace in this new frontier that many of us are seeing now.
Bottom line: stop fighting and fight back! =)
Sandro Süffert, ACE, EnCE, HTCIA
Thanks, Sandro. Speaking for myself, I’m not fighting with either of these guys. Sometimes well-meaning parties disagree, plus debate is how our brains get exercise.
The buzzword has made its rounds and is still getting attention, but without a good solid understanding of what it means, I’m not really clear on how this all suddenly becomes “not stealth”.
I think that the real issue here is that regardless of what it’s called, there’s not a firm understanding across the board of what this represents. I have no doubt that certain folks know, but I also see where some have taken inferred aspects of the Mandiant report (“inferred” because those aspects weren’t specified) and have announced, “okay…what I have here is also ‘APT’”, only to be told “no”.
The lack of information is apparently important, but has also led to speculation by others, including the media.