SANS ISC: Mandiant Mtrends Report

Once again a lazy weekend to catch up on some reading. One of the items that came across my email in the last week is the Mandiant Mtrends report.

Mtrends is a fairly concise report on Mandiant's view of the Advanced Persistent Threat (APT). If you are not familiar with the term, APT refers to organized groups of professional hackers who have been targeting corporations and governments around the world. Mandiant has a unique perspective on this issue as one of the few incident handling companies who have been on the front lines of the fight against the APT.

It does require registration to get your copy, but it is a good read.

I have my views on this report, but for those of you who take the time to read it I would be very interested in your view of this threat and of Mandiant's report. In your view is this a realistic appraisal of the situation, or just more FUD (Fear, Uncertainty, and Doubt) added to the pile? Please provide your feedback by commenting on this diary or through our contact page.

-- Rick Wanner - rwanner at isc dot sans dot org

My initial impression is that the entire executive summary sounds like a sales pitch. It's not helped by the fact that the report is sent from a Sales Operations Manager. I'm sure the threat is very real. However, after reading it I feel like I sat through a sales pitch at a vendor conference.

They also repeatedly point the finger at China and hint that it may be government sponsored but offer next to no details aside from "issues stemming from current events in China." Perhaps that's beyond the scope of this paper.

Just my initial feelings. I'll give it another read later on.

Anonymous
One thing I want to question is the time stamp on DNS information changes for malicious domains/IPs. From what I've seen, malicious domains/IPs change a lot faster than Day 34 (usually within a week or two). Does anyone else have a rough estimate of information changes? Or is what I have seen an anomaly?
Anonymous
