Dropping DOX on APT: aka Free Lessons on OPSEC!
“And gentlemen in England now-a-bed
Shall think themselves accurs’d they were not here,
And hold their manhoods cheap whiles any speaks
That fought with us upon Saint Crispin’s day.”
“Prince Hal” Henry V Act 4 Scene 3 ~William Shakespeare
Stuck in The Middle with APT and YOU:
If you are like me then you too have to look at the feeds from FireEye, Crowdstrike, Mandiant, and others on a daily basis for my job. The job that I speak of includes fighting APT at times and having to keep executives aware of what is going on as well. Lately though, since the drop by Mandiant on the “China problem” (aka CN actors 1-13) there has been a huge uptick in reports that try to do the same thing, i.e. name and shame those attackers as a means to an end. That means to an end I feel 99.999% of the time is to garner attention by the media and to increase market share.
Others may have reasons that are more closely aligned with “America FUCK YEAH!” and may be well intentioned but misguided to my mind. I have seen the gamut of this and I too have played my roll in this as well. I have dox’d players in the Jihad as well as nation state actors (mostly wannabe’s) on this very blog and have watched as a pile of nothing really happened most of the time. These big companies though that sell “Threat Intelligence” seem to really mostly be driven by attention and marketing appeal for their services than nation state concerns in my opinion when they drop dox on B or C level players in the “great game” and sadly I think this is rather useless, well, in the great game that is, not in the bottom line of lining their pockets right? …But I digress…
Let’s face it folks, we are all subject to the great game and we have little to no power in it on the whole. The APT and the nation state will continue their games of thievery and espionage. The companies selling services will ubiquitously use their “insider” knowledge gathered from all of their clients DNS traffic to generate these reports and market them to garner more clients and we, the people at the end of and the beginning of this process will just have to sit by and get played. Sure, if you are running your program right in your environment and you are getting good threat intelligence telemetry at the least, then you can attempt to staunch the exfil flow but really, in the end that flow is after the fact right? The PWN has happened and you are just being reactive. From this though you feel a certain amount of angst right? So when some company drops dox on some third stringer in China you pump your fist in the air and say “FUCK YEAH! GOT YOU!” and feel good right?
Yeah… I have news for you. It doesn’t mean anything. It will not stop it from happening. In fact, the services you just paid for that just shamed Wang Dong just taught him a valuable lesson….
FREE OPSEC LESSONS!:
What Wang and the PLA just learned is that Crowdstrike offers FREE OPSEC TRAINING! If any of you out there believe that this will curb the insatiable Chinese Honey-badger they have another thing coming. While it may feel like a slam dunk it is really just a Pyrrhic victory in a larger war while it is really in fact a marketing coup. The Chinese don’t care and in fact all they will do is re-tool their exploits/ttp’s/C&C’s and learn from their mistakes to become more stealthy. Really, we are training the 3rd string to be better at their job when we drop all this stuff on the net. This is a direct forced reaction to their being outed instead of attempting to just share the data in a more covert manner within the IC community or other more secretive channels where it could be used effectively in my opinion.
So yeah, some PLA kids got a spanking and now they are known entities but really, this will not stop them from doing their job and it certainly will have an effect of changing their operational paradigms to be more subtle and inscrutable. While the marketing goal has been fulfilled I see really little other value in doing this ….unless there is a greater unseen game going on here. Some might imply that there is another dimension here and that may include disinformation or other back channel pressures by the government. In fact it was alluded to by the Crowdstrike folks that the government is fully aware and part of the whole “process” on these. So, is this also a synergistic tool for marketing AND nation state agendas for the US?
Eh… Given my opinion of late of the current Admin and the IC, not so much. Nope, I think in the end I will stick to the opinion that this is nothing more than marketing smoke and magic…
I hope the third stringers appreciate the free OPSEC lessons. I mean gee, the going rate for classes is pretty high.