An Intel Analyst’s Key Takeaways from M-Trends: Beyond the Breach

It's been a few weeks since we released the 2014 edition of M-Trends. This year we explored a number of diverse threat actors pursuing widely varying objectives, and what that activity means for our clients and businesses more broadly.

When we stepped back to reflect, it really hit home that cybersecurity risks are an enduring reality for all manner of organizations. From a large state-sponsored effort to engage in worldwide IP theft, to a small group of hacktivists spreading a regime's propaganda, and everything in between, this year was a boon for intel analysts. For this blog post I'm going to tease out just two takeaways from M-Trends from an intel analyst's perspective:

Tenacious APT: Still Putting the "Persistent" in Advanced Persistent Threat

After the high profile exposure of China-based cyber threat groups in early 2013, we saw two of these particular groups (APT1, linked to PLA Unit 61398, and APT12, also assessed to be China-based) pause their operations for longer than usual. We see ebbs and flows of targeted cyber threat activity around certain Chinese holidays, one of which occurred at roughly the same time as the APT1 report (Like any day job employee, these actors take vacation, too!). But, this time, they took more time off than we typically observe, while eventually returning to their normal operating level. The only shift we saw was in their infrastructure.

Whether they paused their operations for a while to just to re-architect their infrastructure, as the result of some kind of political directive from above, or some combination of the two, we can't be entirely sure. It's not unexpected that these two groups wanted to try and evade detection by security researchers to continue stealing information, but overall, the same tactics these threat groups use to compromise networks and steal data haven't fundamentally changed.

Our findings underscore these targeted groups' determination. They remain undeterred from conducting wide scale data theft despite being outed by security firms and researchers very publicly, and in great depth. Public "naming and shaming" didn't deter or profoundly alter their conduct, and neither did the issue being escalated to the top echelon of diplomatic relations between the U.S. and China. Unfortunately, we don't expect this problem to go away any time soon.

Characterizing Actors' Capabilities is Only Part of the Story: Intent and Impact Matters, Too

Traditionally, the role of the intelligence community is to make informed judgments about the data at hand, without saying anything prescriptive. As intel analysts in the private sector, we have a bit more leeway in conducting our work and defining our role with our clients. Sometimes we merge the "traditional" discipline of intelligence analysis with consulting, risk and impact analysis -- but at our core, we communicate the risks to our clients posed by cyber threats to help them make the right decisions.

As part of our work we regularly characterize actors' capabilities in talking to clients about the threats they face. Many people assume that they should care "most" about advanced threat actors, without fully recognizing that actors with a range of motivations, and yes, capabilities, can result in a variety of impacts. For example, in this year's M-Trends, we wrote about the havoc the Syrian Electronic Army and suspected Iranian threat groups inflicted on customers. Neither of these groups' capabilities (that we saw) could be characterized as "sophisticated" or "advanced" by any stretch of the imagination. But that's not the point. Their activity resulted in a business impact - whether it was taking over a company's Twitter feed to spread a political statement, or engaging in rudimentary network mapping and haphazard data theft. These incidents may not have put a company out of business, but the responsible actors were still able to exact pain on their victims, if fleetingly. That's the type of pain we as analysts want to help our customers avoid.

In addition to thinking through threat actors' capabilities, looking at actors' intents matters, too. In fact, the same actor may harbor multiple intents depending on the surrounding circumstances and their level of access. In the Iranian threat groups' example, the same access that might be acquired from exploiting a vulnerability and accessing a system to steal files could also be leveraged to commit destructive or destabilizing acts should tensions increase with Iran. As intel analysts, it's our job to game out all the permutations of the threat actor, their intent, and their capabilities fully understand the threat landscape.

We hope you learned as much from M-Trends as we did over the last year revisiting what we saw on client sites!