<div dir="ltr"><div>This argument by Bejtlich really makes me angry and it's representative of the way that we seem to deal with cyber attribution out in the open. There are a lot of gaps in the APT1 report that make those not "in the know" question the results. In my opinion, that kind of questioning is deserved.</div>
<div><br></div><div>Our response to it is "there's secret evidence that you can't see but trust us it's China". Who do you think that's convincing? I think the only people who are swayed by that information are the Chinese, who then promptly change the TTPs they care about.</div>
<div><br></div><div>It seems like we're straddling this awful middle ground, where we don't want to drop EVERYTHING we know because then "they'll know we know" but we don't want to or can't remain wholly silent or actually take meaningful defensive action. Instead, we're left with one hand trying to hold up our pants, and a second hand alternating between covering our own mouths, and pointing and yelling at China.</div>
<div><br></div><div>Why? I really bet that "the APT" can get enough out of our actions to know when to change what they do. I bet that they change what they do enough even without us dropping what we know, when we know it. So why this middle stance? It seems to just make us look mindless and impotent.</div>
<div><br></div><div>-Dan</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Mar 24, 2014 at 12:14 PM, Richard Bejtlich <span dir="ltr"><<a href="mailto:taosecurity@gmail.com" target="_blank">taosecurity@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I'm glad you thought it worthwhile to analyze whatever you analyzed,<br>
but after our report was public, the heads of the House and Senate<br>
Intel Committees, NSA, and others I won't name, said Mandiant got the<br>
attribution correct.<br>
<br>
Sincerely,<br>
<br>
Richard<br>
<div class="HOEnZb"><div class="h5"><br>
On Mon, Mar 24, 2014 at 11:30 AM, J. Oquendo <<a href="mailto:joquendo@e-fensive.net">joquendo@e-fensive.net</a>> wrote:<br>
> On Mon, 24 Mar 2014, Richard Bejtlich wrote:<br>
><br>
>> On Sun, Mar 23, 2014 at 11:24 AM, Moses Hernandez <<a href="mailto:moses@moses.io">moses@moses.io</a>> wrote:<br>
>> > Dave,<br>
>> > Quick Q: You referring to this particular statement (I paused it):<br>
>> ><br>
>> > Highlights - Technical<br>
>> > - In over 97% of the 2,672 separate APT1 intrusions Mandiant observed (into 141 companies), APT1 used IP addresses registered in Shanghai.<br>
>> ><br>
>> > So that statement tells me that those are just the APT1 intrusions not all of the Mandiant referenced intrusions. APT1 itself is said to use IP addresses registered in Shanghai. Is that by itself clever misdirection? Maybe. Are there other 'APT' style groups that go undetected from various nations?<br>
>><br>
>> Moses is right. Dave misunderstood what Kevin said. Also, APT1 is only<br>
>> one of two dozen or so Chinese groups Mandiant tracks. We also track<br>
>> Russians, etc.<br>
>><br>
><br>
> With all due respect to your researchers, colleagues, etc,<br>
> I took your APT1 data, ran it through all sorts of analysis'<br>
> all sorts of recon and I could not for the life of my come<br>
> to the same conclusions that you guys did.<br>
><br>
> All your data run through Sentinel Analysis<br>
> <a href="http://www.infiltrated.net/aptredux/" target="_blank">http://www.infiltrated.net/aptredux/</a><br>
><br>
> There is no voodoo, dirty tricks there, its all recorded<br>
> for all to see. Here is a mind map of all of Mandiant's<br>
> data:<br>
><br>
> <a href="http://infiltrated.net/straggler-f211596a8ac0cac13983ad2b98a71108/straggler-mapped.html" target="_blank">http://infiltrated.net/straggler-f211596a8ac0cac13983ad2b98a71108/straggler-mapped.html</a><br>
><br>
> 70% plus, were mapped to one industry, not CN government.<br>
> Did you guys (Mandiant) omit some secret sauce, because I<br>
> still have a difficult time piecing together how - outside<br>
> of an IP address, and one name (UglyGorilla) - you guys<br>
> can even attribute this to CN gov.<br>
><br>
><br>
><br>
> --<br>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+<br>
> J. Oquendo<br>
> SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM<br>
><br>
> "Where ignorance is our master, there is no possibility of<br>
> real peace" - Dalai Lama<br>
><br>
> 42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF<br>
> <a href="http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF" target="_blank">http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF</a><br>
_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
</div></div></blockquote></div><br></div></div>