
Threat Intel Disclosure for Profit, or Progress?

Tom Parker

Tom Parker weighs the pros and cons of Mandiant's recent intelligence disclosure.

Unless you have been hiding under a Russian meteorite for the past two weeks, you’ll have heard of – and perhaps even read in its entirety – the seventy-four-page monolith ingeniously released by Mandiant, just a week before RSA 2013 and the launch of Mandiant into the cyber intelligence services domain. Since the publication of their unusually detailed report, there has been significant chatter calling into question both the accuracy of, and the motivation behind, the publication of the document. While I don’t doubt that some of the inaccuracies alluded to by armchair commentators in the tweetsphere may have some merit, I found the report to have been pretty thorough and technically accurate.

Mandiant are certainly not the only organization in the information security domain that possesses this type of intelligence. Multiple companies in the security space have bolstered their capacity to gather the type of intelligence demonstrated in Mandiant’s report over the past few years. Mandiant, however, are the first to publish such a report in the open. This will, without a doubt, come as a frustration to Mandiant’s competitors who have also been keeping a close eye on what most know as the Comment Crew (or APT1 in Mandiant-speak). Simply put: much like a group of photographers quietly documenting a rare species of bird, Mandiant got its fill of pictures and scared the thing off. This is something that Mandiant appears to recognize in the report, although I do wonder how much they might have coordinated (if at all) with their industry peers who may also have been watching the Comment Crew’s operations, prior to making the document public. As a private industry, we call for the US Government to share data and work better together. If we aren’t prepared to coordinate in the same way, this seems something of a double standard to me. Certainly, I know of at least one industry colleague whose only thought on the matter was that they came into work one morning to find almost two years of work lost into the ether.


Regardless of where you stand on the intelligence disclosure issue, the fact is that the report is now out there, and it will undoubtedly have a lasting impact on the public’s perception of the Chinese threat. It’s an unfortunate fact that the people who need the most education on this topic are not cyber security professionals, or even individuals in the IT industry, but the average vote-casting citizen, who ultimately has the sway to elevate this as an issue throughout the national workforce and to help bolster it as a tier one issue for future political candidates. The day that the report was released, I received numerous phone calls, emails and IMs from friends and family, many of whom couldn’t be further removed from the infosec business. It then became clear that what Mandiant had done was nothing short of a stroke of genius, both in elevating this as a topic well outside of the usual reaches of cyber security news feeds, and in elevating their brand amongst a group of individuals who probably couldn’t tell you the name of their anti-virus vendor, or what version of Windows they currently run.

For more technical audiences, and particularly those who live in the threat intelligence world, the report had far less to offer. Indeed, much of the data in the report has existed in the community (albeit behind closed doors) for over two years and likely frustrated many through its very release and the frequent use of Mandiant’s APT numbering system, which they fail to point out is an entirely proprietary nomenclature. All in all, though, the report is a necessary evil which, although it will inevitably cause some short-term pain for folks in the threat intel space (Mandiant included), will hopefully permanently elevate the topic of state-sponsored cyber espionage as an issue amongst a new audience and add further pressure on policy makers to exert pressure on the nation states funding such attacks.

Tom Parker is CTO of FusionX LLC
