Embarrassing China with reports won't aid security

Mandiant report alleging the Chinese army launched cyberattacks is counteractive since China will now revamp its tactics to be stealthier, and security industry must re-evaluate its defense strategy.


The Mandiant report on Chinese hackers has no "value-add" to the security industry as adversaries potentially will now revise their tactics to become stealthier and the industry will have to re-evaluate their detection strategies. Many Advanced Persistent Threats (APTs) today also are evolving to target data modification instead of extraction.

Eric Cole, CEO of security firm SecureAnchor Consulting, further expressed concerns about the impact of publishing security reports which identify the source of attacks. He was speaking to ZDNet Asia Wednesday at the sidelines of SANS Secure Singapore 2013 held here this week.

Cole was referring to a report last week by U.S.-based security vendor, Mandiant, which alleged a building in Shanghai was associated with the Chinese military  and the source of an "overwhelming" percentage of cyberattacks.

"Now that Mandiant has publicly embarrassed the Chinese and showed how they are operating, they will be changing everything they do, going deeper and stealthier."
-- Eric Cole
CEO of SecureAnchor Consulting

While the report was "fascinating in the level of details it provided" and showed the U.S. it had a sophisticated adversary, Cole was concerned about its "value-add" to the IT security industry. Once an advanced adversary is shown what is known about the organization, it will change its behavior and method of operation, he noted.

"Now that Mandiant has sort of publicly embarrassed the Chinese and showed how they are operating, [the Chinese] will be changing everything they do, going deeper and stealthier," he said.

If the report had not been published, Cole added, the Chinese would continue operating the same way and the security industry would eventually identify ways to stop the attacks.

Publishing such reports would make things harder for the security industry, he pointed out. Whatever that is known about how the adversary operates will change, and the industry will now have to re-evaluate their attack and defense strategies in the future, he said.

APTs evolving from data extraction to destruction
Cole observed that, in the past, Advanced Persistent Threats (APTs) were focused on the extraction of data, such as intellectual property, trade secrets, and product designs. APTs carried out by the Chinese were focused on extracting military information to give them an advantage, he pointed out.

However, the mission of APTs has since evolved to the modification and destruction of data, he said. He pointed to Stuxnet and Flame as examples, noting that these did not extract data but instead modified data to bring down a system.

When adversaries succeed in stealing the targeted information, they would want to give themselves an advantage by modifying the data so it is no longer valuable to their competitors, he explained.

Cole further noted that many enterprises are still unclear about the definition of APTs and assume it refers to cutting-edge, state-of-the-art technologies aimed at breaking into systems. "It is overly hyped as an adjective  to describe everything in terms of corporation, but in terms of understanding what it does, it is under-hyped," he said.

He described APT as an advanced adversary which has a wide range of methods of breaking into a system, continuously targeting that system until it is successful. "If an organization is targeted, it [eventually] will be breached," he noted.

According to Cole, organizations can safeguard against APTs by focusing on outbound detection instead of just traffic coming in. This can be done by setting up a netflow, gathering data packets and analyzing everything that leaves the network, he suggested. With higher network visibility, companies can quickly spot what is in their environment, he added.