Friday, July 11, 2014

Airbus Defense and Space's First APT Threat Intelligence Report: Nice Work!

I've been a frequent and vocal critic of many threat intelligence reports issued by the usual players in information security. So it was very refreshing to read this report by Cassidian CyberSecurity (now a part of Airbus Defense and Space) on an APT threat actor that they named "Pitty Tiger".

I haven't studied the report yet but I did give it a quick read and want to congratulate the team of researchers including David Bizeul who did such an outstanding job in 2007 with his report on the Russian Business Network.

Here's what I really appreciated about the Pitty Tiger report:

APT Threat Actors - Not State Sponsored
Pitty Tiger is described as a group of Chinese hackers with poor operational security (similar to the carelessness shown by members of Mandiant's APT1): inexperienced hackers out to make a quick buck rather than bored or careless soldiers working for the PLA. The report puts it this way:
Pitty Tiger is probably not a state-sponsored group of attackers. The attackers lack the experience and financial support that one would expect from state-sponsored attackers. We suppose this group is opportunistic and sells its services to probable competitors of their targets in the private sector.
This is the first time that I recall reading a security intelligence report which didn't portray the hackers as state-sponsored, state-affiliated or employed by the PLA. That in and of itself is news-worthy as far as I'm concerned.

The researchers refer to an "opportunistic business model", something that I and other security researchers like J. Oquendo and Peter Mattis have written about as well.

Use of the term "White Paper"
The authors properly categorized their threat intelligence report as a white paper, which it is because it has marketing value for the company. Many well-known cyber security companies who issue security intelligence reports fail to acknowledge that.

Responsible Attribution
The researchers exercised restraint and used cautious language in their attribution section. They didn't make baseless assumptions about "real names" or jump to any conclusions about the identities or affiliations of the hackers.

Kudos to the Airbus team for this report. Please keep them coming.
