Because I'm all about the "good enough."

Tuesday, February 19, 2013

Exercises left to the reader.

The Mandiant report on the threat group it calls APT1 has made a big splash, and deservedly so: the combination of juicy details and actual data such as IOCs (indicators of compromise) is another example of groundbreaking data-sharing around security breaches. Of course, the other side to the publication is its assertion that APT1 is Chinese in origin, and most likely a part of the Chinese government; this is going to provoke a lot of heated discussion.

I've seen some responses already from skeptics, casting doubt on the report's conclusions based on the fact that it didn't include any alternative conclusions other than two that pointed at China (operating either officially or unofficially). Before I get into my own opinion on it, I'd just like to throw out some considerations.

First of all, read the report in its entirety. The authors spent a lot of time connecting every dot they listed, with the proper amount of hedging words in place. Like other high-data reports such as the Verizon DBIR, this one included alternative explanations and caveats in many places. Follow the chain of logic and look at all the data presented before you start to poke holes in it.

Now let's think about some of the assumptions, either implicit or explicit, in the report's assertions. We can call out some alternatives, whether they're realistically possible or not. In no particular order:

Because of the scale of its operations, APT1 must be centrally organized and funded. 
Alternatives: it could be organized, but not from within China; it could be loosely affiliated without being centrally so; it could be using individually contributed resources.

Only the Chinese government has the resources for such an operation.
Alternatives: a very large company or extremely wealthy individual could provide the necessary resources; a different government could be providing them.

An operation that large in scale could not go unnoticed by the Chinese government; therefore it would be operating at least with approval, if not support.
Alternatives: it could be an operation outside of China, faking very large amounts of China-based IP blocks, domain registrations, and other indicators of origin (such as phone numbers); the Chinese government might not know about it, might be unable to stop it, or might simply not care to.

Bad English speakers that use simplified Chinese keyboard layout settings must be native Chinese speakers.
Alternatives: the APT1 group is very good at planting false flags using Chinese speakers (native or not) and using bad English.

Because the three revealed personas appear to be working together and sharing resources in the same geographic location, they must be working for 61398.
Alternatives: they could simply be three people in a social group or other organization that is also located in the region, or is using the same false flags.

Because this linked activity has been going on for so many years (with domain registrations starting as early as 2004), it must be using the same people, the same resources and be supported by the same central organization.
Alternatives: it could be the same people over time, but not affiliated with the same organization; it could be different individuals who "take the reins" and continue the same general activity.

Because APT1 is attacking industries listed in China's strategic five-year-plan, it must be furthering China's goals.
Alternatives: those industries could be on the strategic lists of a lot of countries, and the match with China could be a coincidence.

These are just the ones coming off the top of my head. Now, let's take a step back:

Would any one of these alternatives, if it proved to be correct, torpedo all the other assumptions? Or would a large number of all the alternatives have to be correct, and fit all the available evidence?

In other words, how probable do these alternatives need to be in order to supplant all these assumptions?

(This is my amateur version of an ACH, because I am not in that line of work.)

Now, bear in mind that the evidence laid out in the report may not be all the evidence; it might just be the parts that Mandiant feels are safe to disclose. So the evidence may be even more compelling than we know. Working with what we're given, it appears to me that unless you assume a large-scale conspiracy or an equally well-resourced organization that can fake being sourced in China extremely well (without the knowledge or cooperation of the Chinese government), the preponderance of the evidence points most simply to Mandiant's conclusion. To put it another way, an alternative conclusion would have to be supported by a larger number of less probable, more complicated scenarios that would all have to fit themselves to the facts even better than the China theory does.

It could be that the evidence in the report is either partially or wholly incorrect, or there's a bunch of evidence that contradicts it (and supports the alternative conclusions) that we just don't see. What other evidence would need to show up to do the trick? And how probable is that?

So it's kind of like insisting that the Moon landing was faked -- it would require a perfect conspiracy of silence from hundreds of people over decades, and more sophisticated special effects technology than we know to be available at the time. Sure, you could come up with an alternative conclusion that fits the same evidence, but you'd have to work a lot harder at it.

Would you rather believe that there's an extremely clever and powerful organization out there that is managing to look over years as though it's sourced in China -- without making any mistakes to give it away -- and that the Chinese government can't do anything about? Or would you rather believe that there's a long-term, Chinese government-approved hacking group that isn't perfect and has left quite a few clues behind?

There will never be an airtight case one way or the other, but these things aren't binary. From what Mandiant has presented, the simplest explanation is the one it's offering. It's politically explosive, of course, and that's why belief comes into play. But if you have to do more work to deny something than to accept it, you might want to reconsider your chain of logic.