The most dangerous thing in the world is a Second Lieutenant with a map and a compass.

The recent excuse by FireEye and other technology firms that their stock is tanking due to China, not hacking, is largely an unsupported and completely self-serving hypothesis. They offer no hypothesis other than the one that gives them an excuse for selling products that do not work, for appeasing their stockholders and investors, and for delivering services steeped in see, detect, and arrest methods. FireEye bet the farm on typical perimeter sensors used to drive detection after the adversaries are already in the client’s environment. They doubled down by buying Mandiant, an organization focused on putting ‘butts in seats’ for incident response. That would be seats in your organization at a very high cost. Incident response is another function based upon a defeatist mentality, using a “kill chain” that kills the adversary and/or the malware that has already penetrated the environment. It is much like letting an armed burglar into your home out of fairness and then starting a shootout. Now we see a CEO changeover that will surely drive the focus to more incident response marketing. Add to that the latest purchase of an overpriced iSight, a threat research firm that creates once and delivers many, and you have a recipe for poor stock performance. Congratulate Mr. Waters on getting out when he did and on seeing that an IPO was not in the cards. iSight has even been asked by some firms to build threat intelligence capabilities, something completely anathema to iSight’s strategy and something they are not capable of delivering in the first place. // We know. We have cleaned up what they have left behind. // They are a research firm. They create reports. They sell the same report to everyone.

The second part of their complete market arrogance is the statement (WSJ) that none of the 22 Chinese APT groups it tracks are actively attacking U.S. companies. So FireEye has built this huge capability across the globe yet only tracks 22 Chinese groups? // If a tree falls in a forest and no one is around to hear it, does it make a sound? // FireEye, CrowdStrike, Trend Micro, Checkpoint, Cylance, Palo Alto, HP, Symantec, and others continue to release reports on various groups they track. Do you really believe these groups will continue the same modes of operation once discovered? Is it not possible that the adversaries changed their protocols and tactics in response to the release of intelligence data on their actions? Is it possible that the archaic methods being used by these vendors will not pick up new methods laced with advanced tactics of denial and deception? Is it possible that these vendors are not seeing activity because they are not as good as they claim they are? The absence of evidence does not mean the activity does not exist. Keep publishing reports on adversaries, tipping your hand on what capabilities you do have, and they are bound to make some changes. I guess that is why you call them advanced. Actually, forget “advanced”: this is cyber espionage, so let us call it what it is. Persistent only in the arrogance of such companies selling solutions that truly do not come close to solving the problem. Chest thumping and marketing reports serve to tip off the adversary, forcing them to become more devious and to institute wholesale changes in their approaches, possibly to the point where you are not seeing the activity since you have not changed along with the adversary. // The enemy diversion you’re ignoring is their main attack. // We are at war. Who in war tells the enemy that their code has been cracked? That their tactics and methods have been discovered? Did the British divulge the fact that they had cracked the Enigma code? Of course not. They understood the value of intelligence and intelligence exploitation. They understood what was at stake. The cyber security market today is only interested in generating revenue.

Many organizations continue to purchase the perimeter tools and sensors of the FireEyes and CrowdStrikes. The companies purchasing these products continue to lose data. Until we stop buying carpetbagger solutions we will not force change. We need to demand solutions that are truly preventive and predictive, not based upon malware reverse engineering or upon methods (kill chain) rooted in see, detect, and arrest. // Professional soldiers are predictable; the world is full of dangerous amateurs. // We need to stop believing that companies with leadership trained only in law enforcement tactics truly understand intelligence tradecraft. We need to stop believing that companies with a pedigree in anti-virus understand intelligence tradecraft and offensive methods. We need to understand that stopping the adversary starts with not tipping them off. We need to stop believing that just because they are a big company, they actually know what they are talking about. They don’t. They are just tasked with selling product.

Understand that the latest focus on ‘hunt and detect’ is merely an enhancement to the failed attempts at event correlation in SIEMs. Log aggregation followed by analysis of the content for tactics, techniques, and procedures is but an improved method of finding adversaries and malware already in your environment. This is not proactive. This is not preventive, no matter what the vendors tell you. It is necessary, but not new.

The adversary has changed yet the security technologies used to stop them are rooted in old and failed methods. Time to wake up and invest in something better.

One more area that needs attention is the actual reports coming out of these companies. They are not written in analytic form and format. They do not provide confidence levels. Most importantly, the market takes them at face value without citation of sources, reliability of sources, or credibility of the information. Even news organizations take them at face value, and these are journalists who live and die by source and information validation. Actually, they should not be publishing these openly at all, but if they must, then we must demand validation of sources. Otherwise, we run the risk of another Norse. It is always interesting that when revenues drop and market share suffers, suddenly a new discovery is made on an adversary, resulting in a new, unsubstantiated report.

“Never interrupt your enemy when he is making a mistake.”

― Napoléon Bonaparte

“Always interrupt your vendor when they try to sell you snake oil.”

― T71