Attribution Meh. Indicators YEAH!
In addition to all the cycles we spent in our weekly research meeting trying to come up with cool t-shirt ideas featuring APT1, we also spent a bunch of time talking about the real impact of the Mandiant report, and how hacking for the Chinese is just different than what the US (and most other governments) do.
I’m pretty sure Rich will do a much more detailed post on this, following up on his great House of Cybercards ideas. But suffice it to say you probably wouldn’t get much of a hearing if you asked the US military apparatus to help figure out what price a Chinese competitor was planning to bid on a big power plant in South America. But the Chinese have no issue with hacking into all sorts of places to assist their commercial entities, many of which are still at least partially owned by the government. But that’s another discussion for another day – one with a lot of beer.
I want to follow up on this week’s Incite snippet, Attribution. Meh. Indicators. WIN! on what I see as the real value of Mandiant’s report. It’s not like most of us in the industry didn’t know that the Chinese military was behind a lot of the so-called APT activity. Now we have a building to go visit. Whoopee! I was far more interested to see the malware indicators they found published, if only to see how some smart folks will use that information to help the industry.
First send some kudos over to the folks at Tenable, who quickly posted checks you can load directly into Nessus to look for the malware. Part of the reason to do malware analysis in the first place is to be able to search for those indicators within your environment, using tools you already have.
This audit file determines possible infections by several of the malware items identified in the Mandiant Intelligence Center Report – APT1: Exposing One of China’s Cyber Espionage Units. It includes checks for 34 of the malware variants identified in Appendix C The Malware Arsenal. The audit file utilizes a combination of registry checks and file system checks to find hosts that might likely be at risk or infected.
Wesley McGrew’s students at Mississippi State also got a little gift, in terms of a bunch of new samples to analyze, as described by TechWorld. It’s great to see students able to learn on real world ammo.
“Oh, it’s fantastic,” said McGrew, who will defend his doctoral thesis on the security of SCADA (supervisory control and data acquisition) systems next month. “The importance of having malware that has an impact on the economic advantage of one company over another or the security of a nation is priceless. This is exactly what they should be learning to look at.”
Not to get all New School now, but access to the malware and associated indicators used in many of these advanced attacks can be instructive for tons of reasons. We can only hope this is the first of many instances where the industry works together to improve the practice of security, as opposed to competing against each other for purely economic gain. Yeah, not sure what I was thinking with that last statement.