Kevin Mandia, CEO of FireEye, delivered Saturday's closing keynote at CyCon U.S. Mandia offered five high-level observations about the current state of the cyber threat.
- Criminals face few to no repercussions for "hacking west." China, Iran, Russia, and North Korea all function as safe harbors.
- In 91% of the intrusions FireEye investigates, "victim zero was a victim of spearphishing." "I’m not aware of any spearphishing solution that detects everything," Mandia said. This kind of attack involves no malware. The attacker gets in by exploiting human trust.
- "Ongoing hacks do in fact reflect current geopolitical conditions. We're seeing more intrusions from Russia, now, than China. Chinese hacking does seem to be down, due to multiple factors." Mandia noted that they saw things change in Russian hacking over a period of about thirty days in 2014. Mandiant began to see counter-forensics employed in financial services attacks, which strongly suggested that a nation-state was sharing infrastructure with criminal organizations. Then, in one case in September 2014, Mandiant was responding to a Government organization that had been breached. "The Russians knew we were there, and they didn't disappear. Their doctrine changed, in my opinion. Don't stop, just keep going." And in responding to an APT 28 breach ("we don’t use fancy names") of a university, also in 2014, they found that APT 28 was stealing emails of anti-Putin professors. Mandia was "shocked" to see Russian state actors leaking documents they stole. "In Simpson's language, this is an irresponsible breach of the rules of the playground." It's odd behavior, and nobody knows what's real and what's spurious. With respect to China, then, the threat seems to be abating, whereas with Russia, the rules of engagement have changed in major ways.
- There are more disruptive attacks. "We've got our credit data secured a little better. Now, smart criminals are monetizing hacks through extortion of one million dollars in Bitcoin in exchange for not releasing sensitive corporate documents. You get a discount with Bitcoin. It's an anonymous currency." Mandia said it's difficult to respond to this problem. Mandiant has so far proven exfiltration of data in all of the cases it's investigated, but Mandia believes we may begin to see fake claims of data compromise in the near future.
- "We're seeing that disclosure's more probable today than ever." The attackers themselves are inclined to disclose. Very few people, when compromised, get the President to do attribution for them the way Sony did, but public attribution can go a long way to limit liability in a breach. His advice is to "get your arms around the details as soon as possible."
As a final thought, Mandia offered a partial answer to the question, what does the private sector want from the Government? "If we get breached in a drive-by on the Information Highway, we'll take our licks." But industry would very much like the Government to say when a nation-state is responsible for a breach.