(upbeat music) (applause)

- Good afternoon. They told me I couldn't start speaking 'til I'd reached the X. So, here I am at the X. Great to see you. I have 24 1/2 minutes to give you an update. I'm gonna talk about three things, because the Air Force trained me that every presentation only has three things to it. I'm gonna give you an update on the APT1 report and the behaviors that we've seen from PLA unit 61398 since we released the report. For those of you that haven't read it, which is about 98% of you, I'm gonna tell you what the dialogue in that report was, and then we'll end with some conclusions on lessons that we learned while responding to breaches in 2013.

On the refresh: basically what happened about a year ago today is we released the report, but predating that report the New York Times was compromised in the fall of 2012. During that compromise, the investigation by Mandiant led to the revelation that there were Chinese hackers breaking into U.S. media. And specifically on the cover page, when this was released on January 31 of 2013, the New York Times did an interesting thing. They (a) went public about the breach, and the second thing they did is said, and some consultants think this is the Chinese military. So a little bit of baiting there: hey, this is the Chinese military that did these intrusions. And that's a very interesting fact, because in general throughout my career, when I first started in the Air Force, government entities generally hacked government entities for purposes of security. Government entities do not hack the private sector to learn what the media is up to, or doing. So here was the response,
the response to that claim by the New York Times that the Chinese military had hacked them was that it is unprofessional and groundless to accuse the Chinese military of launching cyber attacks without any conclusive evidence. And I agree. It is unprofessional and groundless, if you don't have the evidence. So when you get charged with something like, hey, the Chinese military is compromising people, in general the response could have come back, yes, we are (but nobody wants to say that) or, no, we're not. And whenever you get an answer like this, which is what I call truthiness (you know, it's sorta true, it's a true answer), it's obvious to me that in fact the Chinese military was behind it. And we knew that anyway. So our response to this was, okay, let's show the evidence. And the evidence was in the form of about a 60-something page report, 3000 different indicators, 141 different victim companies. And we'll step through that.

When we released this report in February of 2013, there were a couple of reasons why we did it. First, we took our nomenclature at Mandiant of APT1, and we linked it to PLA unit 61398, a military unit with people in uniform being charged to compromise private sector entities. We also released 3000 different indicators of compromise, meaning bad domain names, bad IP addresses, and basically the C2 infrastructure of APT1's backbone, where they launched the attacks. And a five-minute video just to kinda show you, hey, here's what the attacks looked like, because we had responded to 'em so many times.

And I wanna tell you why we did this. Why we released this report. There's about 10 different reasons, but here's a couple of 'em. First and foremost, there's
a general intolerance at the C-level across the companies that we've been responding to. Over the last 10 years, we've responded at Mandiant to hundreds of different computer intrusions by this unit, in fact 141 of them. And as we've responded to them, you could feel frustration brewing, because all these companies are spending not five million, but 10, 20 million dollars every year on their security infrastructure, but they're still getting compromised, and it's kind of an unfair fight when you have the government being resourced and then picking on the private sector. It raises our cost of business, adds to this frustration. So first reason, C-level frustration. We gotta do something about this.

Second thing is, as we respond to all the breaches that matter at Mandiant, what we learned is we only answered two questions at the end of every breach. What happened, and what to do about it. That was it, over and over again. What happened, what do we do about it. What happened, what do we do about it. And as we responded to these breaches, we started learning what technologies worked, what processes worked, and what people needed to know to adequately detect and go from alert to fix in under 10 minutes. And here's the reality:
there's no silver bullet. There's no technology that we could buy, no pill we could swallow to make this problem go away. Fine, let's try something non-technical. Let's see if there's a diplomatic way to approach this. So after 10 years of responding to Chinese intrusions from military units into the private sector, we decided, let's elevate the dialogue. Let's see if a back-office conversation can make rules of engagement work here. So we released the report.

Another, third reason actually, besides the first one again, C-level frustration, and the second one, no technology's working, let's try a non-technical solution: the third thing is we had a bunch of ex-military folks at Mandiant that had been tracking this for a long time, and quite frankly everybody knew the Chinese were doing this, but nobody could really talk about it. So we had to get that out in the open. And I think the final straw is, as I was editing this report, the State of the Union happened, last February, and the president of the United States said, we've gotta do something about gun control, because of the horrible things that happened in Connecticut, over a year ago. We have to get more jobs, and do something about jobs, 'cause every State of the Union talks about getting more jobs. And then the third topic was, and we have to do something about the cyber espionage campaigns against the United States, and all the intellectual property being stolen. So we released the report for a bunch of different reasons. But let's elevate the dialogue.

Specifically, when we released this report, we at Mandiant absolutely only knew the lower bounds of what PLA unit 61398 had done over the last seven years. We had responded to 141 different victim companies, and every time we tracked these intrusions at these 141 companies, the technical evidence brought us to Shanghai, and the anecdotal, non-technical evidence brought us to Shanghai. So let's take a look at some of that. To me, 97% is an A. 98% is an A+. At the end of the day, as we
traced these attacks back, 97% of the time, you know, we responded to 2672 separate intrusions, and the IP addresses went back ultimately to IPs registered in Shanghai. When we looked at the command and control being used, it was about 97% of the time as well. And the neat thing about most intrusions is, as soon as a bad guy breaks into your network, they try to get valid user IDs and passphrases, and they use them. In fact, in 100% of the incidents that Mandiant has responded to in the last 24 months, the bad guys did get user IDs and passphrases, and then they used 'em. But when you use the Remote Desktop Protocol that comes with Microsoft Windows, you actually set your keyboard character setting in the protocol itself. So if someone's sitting at a Cyrillic keyboard, and they're doing an RDP, we can say, hey, whoever's hacking us, or logging in, is at a Cyrillic keyboard. In this case, 97% of the remote desktop sessions were in fact set to a mainland Chinese character set. So that's just the technical gibberish. Let's get to the non-technical, which is a little more obvious. As we Googled the internet
for Chinese character set 61398, PLA unit 61398 and a few other things, we would find résumés that would just kinda spout up and then go away. And when we checked out these résumés, some of these résumés were from students that said, hey, I used to work at PLA unit 61398, and while I was there, I did computer network operations, I compromised institutes and organizations in the West, and it was a fun job, kinda thing. And then we also found résumés that said they wanted to work there. And we found a lot more anecdotal evidence than what we shared in our report. But when you're the CEO of a small company and you're about to accuse the largest country in the world of doing cyber espionage rather directly, you may wanna dial back that evidence so that there's no pie in the face of anybody, and you leave plausible deniability. The document you see there, if you had it translated, would just read, it was an agreement between PLA unit 61398 and Chinese telecom to put all the bandwidth into a building that looked like the one I showed you a slide ago.

So who do these guys target? Every industry. You can go through
this, this is 141 plots. Someone out there's counting the dots real quickly right now, and you're not gonna finish before I change slides. But there's 141 dots, 21 different industries, actually I think it's 20. And in a way this is totally misleading, because the whole infrastructure that PLA unit 61398 used to launch attacks into these 141 companies was in fact in the Western countries as well. So there's another real 3000 victims you could plop up here if you wanted to. But these are the companies we saw data exfiltration from. So they hacked everyone. They hacked everywhere. You know, here's a globe picture, 'cause everybody likes maps this late in the afternoon. So they did it. And I don't have enough time to give you more of the evidence, but if you wanna read about it, we had a 60-something-page report about it.

How did the Chinese government respond? And this is the important
part about today, is when we released this report, we were hoping we'd see behavioral change. The problem is, two days before the president of the United States met with the president of China in California, the PRISM documents leaked to the press, on that Wednesday. On that Friday, hours before the two heads of state were going to meet to talk about this cyber espionage, Snowden leaked, and I'm pretty sure that put a damper on the discussions. So we didn't get impact there.

We really are strong supporters of the legislation that says let's share threat intelligence. You saw both prior speakers, the Cisco folks as well as Qualys, said sharing threat intelligence is important. Hard to do that if you share with somebody and there's a punitive step against you for sharing. I don't think that'll happen, but if you incent sharing of information with a safe harbor, everybody can ultimately potentially be as secure as the company that unfortunately got compromised. If we can learn from that single compromise and disseminate the knowledge quickly, we all benefit from the compromise. Right now, with current disclosure laws, virtually nobody's benefiting from a current compromise, and the company that has to disclose is getting penalized.

Anyway, we tried to elevate the information sharing dialogue by sharing 3000 indicators that were immediately actionable. You could plug in the... in fact, we even gave 'em in electronic format. Look for all traffic to these IP addresses. Look for all traffic to these domains. Go through your log files, do something about it. And when we burned PLA unit
61398's infrastructure, on the last day of the Chinese New Year, right before they came back to work from vacation, you can see in the slide, and it's not up there, so if you can put that slide back up, I'll show you. There's a demarcation line. What we plotted in this, and the dates didn't show up when we transferred the slides, but over on the dots to the left there's a whole bunch of dots on where the Chinese PLA unit 61398 was doing their C2 from. So every time they'd compromise an entity, they were using these domains, these IP addresses. We released our report right here, and guess what? We did alter their behavior: they never used any of that infrastructure again. Okay. But what we also did is created a whole bunch of new victims, because they built up their new architecture, or infrastructure, to compromise somewhere else. So that was the effect we had, which was a temporary hiatus, or potential loss of visibility in what they did. End of story is that they're still doing it today, it's not gonna go away. So now we have a nation state sponsoring intrusions into what we'd call the private sector here in the West.

So, conclusions when responding to incidents in 2013, and really over the last 15 years of my career, here's some of the things that I've learned. When you compromise a lot
of countries, there are no risks or repercussions. Some of the attacks that we're seeing today, when it comes from Russian criminal entities, are the same people that we were responding to in 2003, 2004, 2005. So if we had a way to go from electronic evidence to grabbing the people and doing something about it, it probably would have had some impact. Quite frankly, it's still happening today. Safe harbors do exist. People can hack other countries without risks or repercussions. You can commit crimes from 6-10,000 miles away.

Future conflict's gonna have a cyber component. We learned that in 2013. In August of 2013 the United States was considering potential armed steps in Syria based on the use of gas in Syria, from pro-Assad troops against rebels. Okay, we're thinking of a conflict. The response to that impending potential armed conflict was computer intrusions. First into the western media, to figure out who's leaking all the conditions of what's going on in Syria to the western media: let's break in and figure out who that is. So it's a way to pierce the anonymity behind some of the folks who are the sources of information. But second, you see some of the threats that were made. If the USA launches attacks on Syria, we may use methods of causing harm, rather than just the attractive nuisances of doing things like tweeting, "President Obama was hurt in an explosion." So, most people noticed the Syrian Electronic Army last year if you're a part of this security community. And you think, that's just an attractive nuisance, to tweet things like this. But the more sinister purpose behind these intrusions was in fact to figure out who's communicating with western reporters. Hard to stop those attacks. I don't have time to go into the detail of it. But I think the Syrian Electronic Army actually had a smart way of doing their intrusions.

Vulnerability has been human,
in my opinion, since 2003, meaning when attackers target a network, they're targeting the humans that work behind your safeguards. Everybody's heard the moat analogy; it still applies. You can think about back in the late 90s to early 2000s, all this standards legislation and regulations popped up, that hodge-podge of ways to benchmark your cyber security program. We raised the watermark and we got better security for internet-facing systems. Vulnerability management, patch management. All the things that we did. As we hardened that external shell (clears throat), excuse me, people started targeting that avenue straight to your people. Let's Skype somebody and get 'em to click on a link. Let's e-mail somebody, and if they open up that PDF document or Office document, we can compromise their machine. So the attackers are still targeting people today, and you can feel us scrambling around, trying to find a way to prevent that. The people surface is a large surface to attack. It's also made security a decentralized problem. We hardened the exterior; now how do we harden beyond our borders?

Unfortunately, cyberspace is absolutely asymmetrical right now. Meaning, the attackers have all the advantages. And I always hear, the attackers are smarter. I don't really think that's true. It's just so much easier to shatter crystal than to shape it, right? Same thing in cyberspace. Quite frankly, the defenders are trying to defend hundreds of thousands of machines, while an attacker is just trying to break into one. That's not a very fair fight. Second thing is, what we're using to defend our networks: as we bring security software to everybody, they go, did you QA this, does it run on 18 different operating systems, is it interoperable with 5000 other things? We actually can't develop the defensive software as fast as the offensive software, which is not QA'd, simply works, and let's run it real quickly and get it out there. So, just the nature of the
long time, and a lotta people say that simply can't be true, so I'll try to explain it this way. I think it is true, for
the attacks that Mandiant responds to, I believe if
you're an F in cyber security, or an A in cyber security,
the attacks have the same chance of being successful,
because the attackers we respond to will elevate or escalate their sophistication to break in. If you're an F in cyber
security, and someone hacks you, you just won't know about it. You'll never find out,
and ignorance is bliss. You'll be like, woo! Nothing happened. If you're an A in cyber
security you're getting dynamic threat intelligence,
you have signature-based detection, you have
signature-list-based detection, you have custom-based ways of
finding evil on your network, and at the end of the day,
if you are compromised, you're aware of it, you
go to alert-to-fix in a reasonable time frame, you
eliminate the consequence of the breach, and most
breaches are limited to a single host. And there are companies that got here. It's hard to get there,
it's expensive commitment, but we're rounding the
corner to make that more effective and affordable. So the moral of the story is
if you're an F in security you're gonna get compromised, period. People who come up with
cyber-com levels, and threat score levels, and
at the end of the day, if you can be compromised,
you will be compromised, cause we can automate
this, and if you're an F you'll never be aware of it. If you're an A, you're aware
of it, you have great people, and you pounce on it
like the amoeba defense. The liabilities are exceptionally high, and they're still high, and I've seen this throughout my career be like a sine-wave. There are years where literally
There are years where literally, if you get compromised and you know it, the liabilities just seem less. Right now they feel high again, and I'm seeing people get compromised, and the entities, within days of being compromised, are coming public and saying, I am truly sorry that somebody stole things from us and victimized us. It is one of the only crimes, when somebody hacks in, in fact it's the only crime I can think of where you have to apologize for being a victim. And it's getting that way again, and it's startling that it's gotten that way. But either way, because of the consumer protection and consumer disclosure requirements, what we've done is made a very technically complex thing, responding to an intrusion to determine what happened, now non-technically complex, 'cause now everybody's a stakeholder. Insurance companies, managers, inside counsel, outside counsel, credit card companies or the card brands, your partners, all the contracts and agreements you have with everybody you do business with. And you start responding to these things and realize, you better get someone who knows how to navigate the landmines, because some of the stakeholders, when you're disclosing and you're creating information to share, actually have conflicts of interest. So it's pretty neat. You have to figure out what you need to share, when you need to share it, and who you actually need to share that information with. Very complex environment.

I've witnessed in my
career, but I have a skewed viewpoint, because we respond to incidents, that almost every time a company gets compromised, they say, all right, we're gonna transform our security, and we're gonna do all these other things now. And as companies start doing those other things, I've witnessed the victim mindset erode. When you're a victim of a cybercrime, your diligence skyrockets. You feel violated. You feel kinda icky, kind of. And you say, I gotta do something about this. You hire people, you expand your team, you buy a bunch of tools, and you aggressively start combating the attackers that are trying to break in. And six months later, you don't think it's gonna happen again. Some companies, they get in a battle rhythm, 'cause they keep getting compromised; some actually just go, you know what, we don't need to do all this stuff anymore, the threat's gone down against us, we've proven it. And you see that victim mindset erode over the course of probably about two years. And everybody's security tends to be a sine wave. They get really, really good, and then they start dipping down a slope. And a lot of times when you get good at cybersecurity, your best people start to leave. They start realizing, we can go here and here and here, 'cause you don't have enough folks. The vigilance fatigue is, you know, when you're a boxer and you're guarding your face, over time you just let your guard down. And bad guys will adjust to everything you do. So if we keep extending that Maginot line of defense, we at least can predict where the intruders are gonna go to, and how they're gonna break in, and try to put visibility on that, but our mindfulness on inspecting that visibility goes down over time.

So what do we do about this? 'Cause I always feel like, boy, I give you a lot of bad news. Thinking about the mindset,
security breaches happen. I used to say security breaches are inevitable. I first said that in 2004, when I started a company called Mandiant, and everybody went, no, you are absolutely wrong! And it does feel defeatist, and I don't mean it to sound that way. So I'll just say it this way: security breaches happen. (light audience laughter) Just like other things. That's fine when they happen. I say it is our goal as security professionals to reduce your target area to whatever your risk profile happens to be, but always realize that if there's a way to break in, people are going to try to exploit it. Lotta times when I talk to CISOs and people at security conferences, I always think, leave the conference with the idea of, let's figure out how we can break into ourselves, because if there's a way to do it, someone may find it, and then monitor the heck out of it. And then, let's adopt the philosophy of, if a breach does happen, instead of saying, geez, I'm really sorry, sorry world, someone robbed me, it was my fault. I mean, we are responding to hundreds of companies that've been compromised, and a lot of them have a B, B+, A- in security. And when I see the attacks I'm thinking to myself, how would we have prevented this? So there's sometimes the mindset of, oh, they must have done something wrong, and that's why they got compromised. But in an operational environment with 200,000 employees, it's a real tough job being the CISO. So think about, if you do have a breach, go from alert-to-fix in 10 minutes and eliminate the impact.

And I will always brief this because I'm trying to eliminate the load on your backs, because at the end of the day, your security posture wanes without the security people even knowing it. At most companies, IT operations is way out in front of security in provisioning things. And the security guy's always chasing things down, saying, what, we put 300 applications online last month? What, we have 2 million iPads on our network right now? What, we just hired 172 employees in the last two weeks, and they all have new desktops and we don't even know the image for 'em? I mean, at the end of the day, business moves far faster than the security team that's trying to secure what we're provisioning. So: security breaches will happen, it is our goal to eliminate the impact and continue to evolve, and that's why coming to this conference is great. We get to see all the new technology and innovation that's gonna address this.

I'd like to thank you for your time. I appreciate you being here. (applause)
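The keyboard-layout attribution the speaker describes (RDP sessions "set to a mainland Chinese character set") rests on a field the RDP client sends in the clear during connection setup. The following is an added editorial example, not Mandiant's code or tooling: it parses the `keyboardLayout` and `clientName` fields of the TS_UD_CS_CORE block that a Windows RDP client places in its MCS Connect Initial user data (per MS-RDPBCGR), and tallies sessions by language. The sample blocks are constructed in the script, not captured traffic. Two caveats a practitioner would want: only the low 16 bits of `keyboardLayout` identify the language (the high bits carry an IME/device identifier, so `0xE0010804` is still Chinese PRC), and on modern hosts the Connect Initial travels inside TLS, so this data is normally recoverable server-side or from sessions negotiated with legacy Standard RDP Security, not from an arbitrary network tap.

```python
import struct
from collections import Counter
from typing import Optional

# Windows language identifiers (low 16 bits of an RDP keyboardLayout value).
# Subset only; anything else is reported as "unknown".
LANG_NAMES = {
    0x0409: "English (United States)",
    0x0804: "Chinese (Simplified, PRC)",
    0x0404: "Chinese (Traditional, Taiwan)",
    0x0419: "Russian",
    0x0411: "Japanese",
    0x0412: "Korean",
    0x0407: "German",
    0x040C: "French",
}

CS_CORE = 0xC001        # TS_UD_HEADER.type for the client core data block
CS_CORE_MIN_LEN = 132   # mandatory fields of TS_UD_CS_CORE, through imeFileName


def language_of_layout(layout: int) -> str:
    """Map a keyboardLayout value to a language name.

    The high 16 bits carry the input-device/IME identifier (e.g. 0xE001xxxx
    for a Chinese IME), so only the low 16 bits identify the language.
    """
    lang = layout & 0xFFFF
    return LANG_NAMES.get(lang, f"unknown (0x{lang:04X})")


def parse_cs_core(block: bytes) -> dict:
    """Parse one TS_UD_CS_CORE block (4-byte header included) into a dict."""
    if len(block) < CS_CORE_MIN_LEN:
        raise ValueError("client core data block too short")
    htype, hlen = struct.unpack_from("<HH", block, 0)
    if htype != CS_CORE or hlen > len(block) or hlen < CS_CORE_MIN_LEN:
        raise ValueError("not a well-formed TS_UD_CS_CORE block")
    # Fixed-size fields after the header, little-endian:
    # version(4) desktopWidth(2) desktopHeight(2) colorDepth(2) SASSequence(2)
    # keyboardLayout(4) clientBuild(4)
    version, width, height, color_depth, sas, layout, build = struct.unpack_from(
        "<IHHHHII", block, 4)
    # clientName: 32 bytes of UTF-16LE, null-terminated (offset 24..56).
    client_name = block[24:56].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    keyboard_type, = struct.unpack_from("<I", block, 56)
    return {
        "version": version,
        "desktop": (width, height),
        "keyboard_layout": layout,
        "language": language_of_layout(layout),
        "keyboard_type": keyboard_type,
        "client_build": build,
        "client_name": client_name,
    }


def walk_client_user_data(data: bytes) -> Optional[dict]:
    """Walk the GCC client user data (a series of TS_UD_HEADER TLV blocks:
    CS_CORE, CS_SECURITY, CS_NET, ...) and return the parsed core block."""
    off = 0
    while off + 4 <= len(data):
        btype, blen = struct.unpack_from("<HH", data, off)
        if blen < 4 or off + blen > len(data):
            return None  # truncated or corrupt; stop rather than guess
        if btype == CS_CORE:
            return parse_cs_core(data[off:off + blen])
        off += blen
    return None


def tally_layouts(user_data_blobs) -> Counter:
    """Count sessions per keyboard language across many connect requests."""
    counts = Counter()
    for blob in user_data_blobs:
        core = walk_client_user_data(blob)
        counts[core["language"] if core else "unparsed"] += 1
    return counts


# ---- constructed test data (assumed values, not captured traffic) ---------

def build_cs_core(layout: int, client_name: str, build: int = 7601) -> bytes:
    """Assemble a minimal, spec-shaped TS_UD_CS_CORE block for testing."""
    name = client_name.encode("utf-16-le")[:30].ljust(32, b"\x00")
    body = struct.pack("<IHHHHII", 0x00080004, 1024, 768, 0xCA01, 0xAA03, layout, build)
    body += name
    body += struct.pack("<III", 4, 0, 12)   # keyboardType/SubType/FunctionKey
    body += b"\x00" * 64                    # imeFileName
    return struct.pack("<HH", CS_CORE, 4 + len(body)) + body


def build_cs_security(enc_methods: int = 0x1B) -> bytes:
    """A TS_UD_CS_SEC block, so the walker has to skip a non-core block."""
    return struct.pack("<HHII", 0xC002, 12, enc_methods, 0)


SAMPLE_SESSIONS = [
    build_cs_security() + build_cs_core(0x00000804, "WIN-7A1"),
    build_cs_security() + build_cs_core(0xE0010804, "WIN-7A1"),  # PRC IME variant
    build_cs_security() + build_cs_core(0x00000804, "PC-3"),
    build_cs_security() + build_cs_core(0x00000409, "ADMIN-LAPTOP"),
]

if __name__ == "__main__":
    for name, n in tally_layouts(SAMPLE_SESSIONS).most_common():
        print(f"{n:3d}  {name}")
```

The walker deliberately stops on a malformed length instead of skipping ahead, since a block length that overruns the buffer is exactly the kind of input a hostile client can send; and the tally is keyed on language, not on the raw 32-bit value, which is what makes the IME variant count alongside the plain PRC layout.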
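The "look for all traffic to these IP addresses, look for all traffic to these domains, go through your log files" step is the part of the report a defender actually operationalizes. As an added example, not the report's indicator list and not Mandiant's code, here is a small indicator matcher run over constructed proxy, DNS and firewall log lines. The indicators are placeholders (RFC 5737 documentation addresses and `.example` names, assumed for illustration); the matching does two things a naive `grep` does not: it treats a subdomain of a listed domain as a hit (a C2 list of apex domains should catch `mail.<apex>`), and it accepts CIDR entries so a listed netblock matches any address inside it.

```python
import ipaddress
import re
from typing import List, Set, Tuple

# Constructed indicator list (assumed placeholder values, not the report's
# real indicators). One domain or ip[/prefix] per line; '#' starts a comment.
IOC_TEXT = """\
# C2 domains and addresses (placeholder values)
purpledaily.example
hugesoft.example
203.0.113.17
198.51.100.0/24
"""

# Constructed log lines in squid, BIND query-log and netfilter styles.
LOG_LINES = [
    "1391120400.101 312 10.0.0.15 TCP_MISS/200 4120 GET http://mail.purpledaily.example/index.asp - DIRECT/203.0.113.17 text/html",
    "1391120401.554 12 10.0.0.15 TCP_MISS/200 980 GET http://www.example.org/ - DIRECT/192.0.2.5 text/html",
    "Jan 31 10:15:02 dns1 named[4121]: client 10.0.0.22#51234: query: hugesoft.example IN A + (10.0.0.1)",
    "Jan 31 10:15:09 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.31 DST=198.51.100.42 PROTO=TCP DPT=443",
    "Jan 31 10:16:00 dns1 named[4121]: client 10.0.0.40#40211: query: updates.example.net IN A + (10.0.0.1)",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

Hit = Tuple[int, str, str, str]   # (line number, kind, token seen, indicator matched)


def load_iocs(text: str) -> Tuple[Set[str], List[ipaddress.IPv4Network]]:
    """Split an indicator file into a domain set and a list of networks.

    A bare address becomes a /32 network so addresses and CIDRs share one path.
    """
    domains: Set[str] = set()
    nets: List[ipaddress.IPv4Network] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            domains.add(line.lower().rstrip("."))
    return domains, nets


def domain_hit(host: str, domains: Set[str]):
    """Return the listed domain that `host` equals or is a subdomain of."""
    labels = host.lower().rstrip(".").split(".")
    # Check the host itself, then each parent, but never the bare TLD.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def ip_hit(token: str, nets: List[ipaddress.IPv4Network]):
    """Return the listed network containing `token`, if any."""
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return None
    for net in nets:
        if addr in net:
            return str(net)
    return None


def scan_log(lines: List[str], domains: Set[str],
             nets: List[ipaddress.IPv4Network]) -> List[Hit]:
    """Scan raw log lines and report every indicator match with its line number."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        for tok in IPV4_RE.findall(line):
            ioc = ip_hit(tok, nets)
            if ioc:
                hits.append((n, "ip", tok, ioc))
        for tok in HOST_RE.findall(line):
            ioc = domain_hit(tok, domains)
            if ioc:
                hits.append((n, "domain", tok, ioc))
    return hits


if __name__ == "__main__":
    d, n = load_iocs(IOC_TEXT)
    for line_no, kind, token, ioc in scan_log(LOG_LINES, d, n):
        print(f"line {line_no}: {kind} {token} matched {ioc}")
```

Run against real logs this is a starting point, not a finished detection: the speaker's own slide shows the unit abandoned every listed domain and address once the report was public, so an indicator list like this decays quickly and is most useful for retroactive search over historical logs, which is also why the lead-in above anchors the matcher on log lines rather than on live traffic.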