Federal Friday - 4.18.14 - Mandiant Trends and the Federal Cyber Brain Drain

Blog Post created by jschim Employee on Apr 17, 2014

Happy Friday, Federal friends. Hopefully all of you are through the post-Heartbleed hangover with very few scars to show for it. I don't know about y'all folks further south than Beantown, but I FINALLY get to do my finest Payne Stewart impersonation as I hit the local links for the first time this season tomorrow morning.


As some of you may have seen, a new Mandiant trends report was released last week as a follow-up to their report on APT1 in February of last year. This is a great read and I encourage all of you to take a look, especially since it is more high level than last year's. The report breaks down the behaviors and trends it has seen out of global cyber-groups that are both politically and economically motivated. What I found particularly interesting was the groups' persistence and growth throughout the year, and the clear break for most groups between politically motivated and financially motivated attacks. While large retail breaches dominated the year-end news cycle, with the majority of those attacks emanating from Russia and Eastern Europe, the politically motivated/focused attacks were seen coming from the Middle East (SEA, Iran) and our old friends in China (APT1 & APT12). Keep in mind that politically motivated attacks don't necessarily mean that Agencies are the targets. Related industry (specifically their IP info) and 3rd party vendors are targets as well. I've talked about the ever-changing tactics and threat vectors, and the report notes the changes in behavior from the groups in China. Once the APT1 report was published last year, these groups had some limited activity before shutting down for up to 150 days while they changed the systems, tactics, and processes that had been highlighted.


What does this all tell me? When threats are shared across industry and with individuals, as in the case of Heartbleed, we change our security practices to thwart the given threat. Attackers, as seen with APT1 and APT12, do the same thing with their procedures and practices. While our changes are made to defend, their intent is obviously to attack and cover their tracks so they can stay hidden within these networks for as long as possible.


Adding to the challenges that were highlighted last week in Mandiant's report comes an article from DefenseNews.com regarding the continued migration of talent to the private sector. As noted in the article, the disparity in pay and benefits between the private and public sectors continues to grow. SINET, a group set up to bridge the gap between the sectors, was featured in the article and said it sees this trend accelerating. With no real pay increases handed out to Infosec professionals within the fed over the last few years, the upside from the private sector can be very tantalizing. That being said, companies like SINET are looking to make sure the experts leaving the government are still available to be tapped into once they cross over to the other side. SINET's goal is to point out the differences between what companies like Google are doing vs. the Pentagon. Google is more likely to take risk in advancing its security posture, either by embracing new technologies, processes, or both. Meanwhile the Pentagon, on the other end of the spectrum, is more conservative in its approach and less likely to push the envelope the same way Google will. Understand that SINET's goal is to evangelize and preach making some changes in order to keep some of these talented folks in house.


"But John," you're saying, "it comes down to money!!" You may be right, but take professional sports as an example. You get these "free agents" every year that will always go after the money, and there probably isn't anything we can do about that. However, there is that other subset of "free agents" that are more concerned about succeeding, winning, and loving what they do over straight cash. While their compensation can be deemed more than adequate according to management, by comparison to other top talent they are under-paid. These are the folks that will respond to new and innovative processes and procedures, and the folks that you can keep in house by breaking the monotony that security work can become. While most fed agencies will never match Google's ability to be on the cutting edge of innovation, there are steps you can take today. Continuing to challenge your employees to be innovative and testing their skill sets through cyber-exercises and continued training are good examples.


Finally, on a weird segue, an article that I saw on Quartz caught my eye. Simply put, it's titled "Four ways to tell if you're being recruited to become a Chinese spy." While this isn't based on a federal employee, it does involve a young man in his mid-twenties who was approached while abroad by a group offering him money and career advice. While pretty much everyone I know would've sniffed this out early on as being a suspect deal, the fact that it happened to a real person speaks volumes, and given the meat of the two previous topics this week it is entirely conceivable. That being said, here are the 4 points you should keep an eye on, just in case.


  1. Intelligence officer just wants to be friendly
  2. People give you business cards with just a name and number
  3. Everyone seems really interested in your future
  4. People give you money for nothing


Not everyone who seems genuine is who they say they are, both in person and on the information superhighway. Be vigilant, trust but verify. Wouldn't you agree, "Doctor?"