Comparing the New APT Report With Webpulse

March 5, 2013 - By Tim Chiu

When you’re touting technology like Blue Coat’s Webpulse with Negative Day Defense, where you claim you’re protecting users well before an attack actually happens, it’s sometimes hard to find proof points showing that you’ve been protecting an organization all along (even after an attack goes live) and that you’ve prevented the attack from doing any damage. Our malware research team does a great job of describing how we protect users from all sorts of malware in the many blog posts here, but sometimes it’s useful to compare ourselves against outside data.

On February 18, 2013, Mandiant, a cybersecurity firm, made headlines after releasing a detailed report on APT1, their name for the APT activity of an organized hacking and cyber espionage group from China. What perhaps made this report unique compared with many malware reports from other cybersecurity firms was the amount of detail Mandiant included: the domains used in the attacks, MD5 hashes of malware, Indicators of Compromise (IOCs) describing over 40 malware families, and 13 X.509 certificates used by APT1.

When reports like the one from Mandiant come out, it’s common for Blue Coat customers to ask our opinion of the report and whether our own malware analysis has reached results similar to those of the other research team. The report provides a lot of detailed information that is valuable for security folks tasked with keeping digital assets safe. It's also consistent with the APT material Blue Coat has been producing over the last three years. So, after a few requests came in from our customer base, we did our homework as well.

Since the Mandiant report included a list of domains used in the attack, we were able to compare that list to the domains we are currently blocking with Webpulse. One of our analysts went through the hundreds and hundreds of URLs in the report, broke them down to root domains, and was then able to report that we were already blocking about 80% of the malicious domains listed (Webpulse had them rated as Malware, Botnet, or Suspicious in our database). (And of course we promptly added the remaining domains.)
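The comparison described above, written out as an added example that is not Blue Coat's or Mandiant's code: the indicator list and the ratings table are constructed here, the category names follow the ones quoted later in this post, and the root-domain reduction uses a small hand-picked suffix set rather than the full Public Suffix List.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Hand-picked subset of suffixes under which the registrable domain is one
# label deeper (assumption; a real tool would use the Public Suffix List).
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.cn", "net.cn", "co.jp", "com.au"}

# Ratings that count as "already blocked" in this illustration.
BLOCKING = {"Malicious Source", "Malicious Outbound Data", "Suspicious"}

# Constructed sample indicators, mixing URLs, bare hosts and an IP address.
REPORT_INDICATORS = [
    "http://update.example-c2.com/cgi-bin/check",
    "mail.example-c2.com",
    "https://news.sample-apt.co.uk:443/index.htm",
    "cdn.evil-example.net/a.gif",
    "login.evil-example.net",
    "192.0.2.10",
    "static.placeholder-example.org",
    "unknown-example.biz",
]

# Constructed stand-in for the categorization database.
RATINGS = {
    "example-c2.com": "Malicious Source",
    "sample-apt.co.uk": "Malicious Outbound Data",
    "evil-example.net": "Suspicious",
    "placeholder-example.org": "Placeholders",
}

def root_domain(indicator):
    """Reduce a URL, host or host:port indicator to its registrable domain."""
    host = urlsplit(indicator if "://" in indicator else "//" + indicator).hostname or ""
    host = host.strip(".").lower()
    if not host or re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return None  # skip empty entries and bare IPv4 addresses
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def coverage(indicators, ratings):
    """Percentage of unique root domains blocked / placeholder / uncategorized,
    plus the list of root domains that still need to be added."""
    roots = {r for r in (root_domain(i) for i in indicators) if r}
    tally, gaps = Counter(), []
    for d in sorted(roots):
        cat = ratings.get(d)
        if cat in BLOCKING:
            tally["blocked"] += 1
        else:
            gaps.append(d)  # candidates to add to the database
            tally["placeholder" if cat == "Placeholders" else "uncategorized"] += 1
    pct = {k: round(100 * tally[k] / len(roots), 2)
           for k in ("blocked", "placeholder", "uncategorized")}
    return pct, gaps

if __name__ == "__main__":
    print(coverage(REPORT_INDICATORS, RATINGS))
```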

Blue Coat’s Webpulse blocked 80% of the malicious domains found in the Mandiant report at the time of the report's release (and 100% now). That’s a statistic we’re pretty happy about, given the threat was specifically an APT and not a more general malware outbreak. Webpulse is a layer in the multi-layered defense that Blue Coat provides, and one of the more important ones, as it eliminates a large portion of the malware threat before web requests go to other layers of protection like anti-malware scanning and DLP.

APTs remain a challenge, with no silver-bullet solution (since they're not a malware or single-technology problem). Customers need the visibility into shady or unusual traffic that they can get from Blue Coat products like ProxySG, PacketShaper, and Reporter. Many kudos to Mandiant for their really cool, detailed, and useful report, and we hope it encourages other companies to publish similar reports when they come across new malware and threats.

[Author's Update 2013-03-08 14:50 PST: After some more detailed examination of the data, the research team determined that Webpulse had 94.85% of the domains listed by Mandiant already categorized at the time of the report's release as either Malicious Source, Malicious Outbound Data or Suspicious. This number is a bit higher (and better) than the original 80% figure, which the original analyst described as a "quick finger to the wind" estimate. Of the remaining domains, 3.39% were categorized as Placeholders, and 1.78% were uncategorized.]