Tuesday, February 11, 2014

The Way-Back Machine on Mandiant and APT: Not a Who After All

Kaspersky's latest report about The Mask reminded me that Mandiant never did issue a statement re-defining APT as a what and not a who as Richard Bejtlich and I and some other Mandiant executives discussed by phone on February 21, 2013. Now that a year has almost passed without any acknowledgment, I thought it would be fun to go back in time and see how the gospel according to Mandiant on "the APT" used to go:

Here is a wonderfully prophetic quote by Rob Lee from a comment that he left on my Feb 28, 2011 blog post "Is APT a Who or a What?":
In the end, I might end up being one of the original “hackers” from MIT arguing over a term that became something else over time. And that is ok. I do feel that we aren’t there yet and we can still educate when we have a chance.
Rob gets an "A" for his prophetic abilities but an "F" for his past dogmatism.

Then there's Richard Bejtlich who got into more heated arguments over the Who v What categorization than anyone else I know.

The following quote came from a lengthy back and forth debate that Richard had with a commenter on his January 16, 2010 blog post "What is APT and What Does It Want?":

On April 15, 2010 Richard corrected Dan Geer's interpretation of APT from an article that Dan published called "Advanced Persistant Threat". Richard received notice of Dan's article from several people because back then anyone who didn't follow the Mandiant line of "APT is a Who, not a What" was immediately piled on and "educated" (to use Rob Lee's term). Anyway, Dan wrote: "Let us define the term for the purpose of this article as follows: A targeted effort to obtain or change information by means that are difficult to discover, difficult to remove, and difficult to attribute.

Richard, while agreeing with most of Dan's article, couldn't let the word "effort" go un-corrected, and wrote: 
"That describes APT's methodology, but APT is not an effort -- it's a proper noun, i.e., a specific party."
Back in 2010, Richard, Mandiant and other long-time cybersecurity professionals were convinced that cyber crime groups didn't steal intellectual property. They saw the problem in clear-cut, stark terms. Eastern Europeans and Russians stole from banks. Chinese groups stole intellectual property. And all you Gh0stbusters out there better keep those two streams separate. Some of us knew back then that was bullshit and said so but we were a tiny minority.

In "Answering APT Misconceptions", Richard writes:
"Unfortunately, there's plenty of Tweeting and blogging by people who refuse to understand what is happening or are not capable of understanding what is happening."
 "Myth 2. APT is "not new." Reality: APT is only new to people who have not been involved with the problem. If you look solely at offender and motive, and exclude defender, means, and opportunity, you're likely to think APT is not new; you'd be wrong. Just performing an Attribution Using 20 Characteristics exercise helps demonstrate that APT is not like organized crime or other structured attackers."

It's OK to be wrong.

I'm not hammering Rob Lee and Richard Bejtlich because they were wrong about how they defined APT. I've been wrong more times than I've been right, just like I've failed more times than I've succeeded. There's nothing wrong with being wrong assuming that you weren't behaving maliciously. 

The lesson to take from this is to not be dogmatic about what an elephant looks like when you can't see the entire elephant. We do that all too often as an industry. And when the time has come (and past) that you've been proven wrong, it doesn't hurt to acknowledge that fact to those people who you deemed "not capable of understanding" your own flawed view of the world.

No comments:

Post a Comment