Cyber-espionage is the “New Normal”: One on One with Mandiant’s Kevin Mandia

Blame China for cyber-espionage? The Mandiant CEO says go ahead, if the evidence points in that direction
Blame China for cyber-espionage? The Mandiant CEO says go ahead, if the evidence points in that direction

I jokingly asked Kevin Mandia, CEO of Mandiant, if his company specialized in investigating the Chinese government. “We just go with the intrusions are, and it just happens to be them”, Mandia replied, whose company focuses on security incident response and management. The response was tantalizingly unfiltered, which was a hallmark of the next half-hour plus conversation I had with one of the most highly sought after executives on the cybersecurity speaking circuit.

Following are some highlights from that conversation, which took place at the recent Infosecurity Europe conference and exhibition in London:

How did you first become involved in the security/cybersecurity industry?
It was the least bad of six choices that I had when stationed at the Pentagon in 1993. Literally I had six choices, and the other five were intolerable. The last one was computer security, so I chose that one. We had a mainframe security product we had to run – one of the few things we did for security back then, monitoring use and access – so it was my job. I was ordered to do it.

I then cross trained in the [US] Air Force Office of Special Investigations, where my speciality was cybercrime because I had a bachelors in computer science and my masters in forensic science. Twenty one years later, here I am…

What led you to leave the Air Force?
I left the Air Force at a time when a lot of people decided to – it was at a time when there was misalignment between what I was good at and what I was going to be asked to do. So I chose to leave, and my next job I spent training the FBI on how networks work, how to compromise those networks, and how to investigate those compromises. I wrote those classes and started training them from 1998 until 2013 as Mandiant, and those classes stopped because of the government sequestration.

How has the recent acquisition of Mandiant by FireEye affected your business and your role within it?
My job hasn’t’ changed – the job has always been to figure out what our customers need and provide it. I feel like I am still doing the same things that I was doing as the CEO of Mandiant, sitting down with customers and prospects, not as a FireEye guy, but as a security guy, and asking ‘what do you need, what are your challenges, what can we do?’ FireEye will be able to provide a lot of the answers, but not all of them. Yet, I still want to understand what does the CIO or CISO think, and what do they need? At the end of the day, I’m a cybersecurity expert first – it’s what I’ve always done and I get to do that with FireEye.

What about FireEye and its approach to security attracted you?
Right around 2008, as we were responding to breaches, we knew that FireEye’s products worked, and we would recommend them a lot. They had a web security product and they were just starting to offer their email security product. In every breach we were responding to (literally over 99% of them), the vector the attackers used – and it was usually the Chinese – was through email. We felt FireEye’s product would extend the Maginot Line and make it a lot more expensive and difficult for attackers to break in.

As we progressed in responding to breaches, I saw a pattern change. We use to get most of our work when the FBI knocked on the door at a particular company telling them they had a problem. That pattern started around 2003–2003. Around 2011–2012, instead of the FBI telling someone they had a problem, FireEye started detecting many of these breaches. It’s always a sine wave that alternates between self-detection and third-party notification of breaches. In 1998, everyone self-detected breaches, by 2003 they couldn’t. We are going back towards organizations self-detecting breaches because the technology has gotten better, and FireEye was that technology.

Mandiant’s expertise lies in breach investigation and response? What makes the company unique among its competitors?
I’ve always believed that you can’t secure everything all of the time, and that security breaches are inevitable. In 2004, we actually had on our website ‘security breaches are inevitable’, and that was a little ahead of its time. People thought it was pessimistic.

Responding to data breaches is the best job in information technology. It’s fun – there’s an adversary, a defender, and we have mutual respect.

In the end you are looking to answer two questions: What happened, and what to do about it? It’s the only way to make better security products. We get to see how everything else fails, not just the people and the processes, but also the technologies. Mandiant is on the front lines, responding to every breach that matters.

You called breach response fun. I’m assuming most of your customers would not view it from that perspective?
No, they wouldn’t, but it’s the reason that security exists. Security doesn’t exist because of compliance; it exists because if you don’t do it, bad guys will break in. In 2004, when I started Mandiant, I had been responding to Chinese cyber-espionage as a government guy for a while, and we had started seeing that capability hitting the private sector – and I knew we were sitting ducks. You can’t expect the private sector to withstand a nation-state’s capabilities.

Last year Mandiant made headlines with its Comment Crew report about Chinese cyber-espionage. What type of information are these cyber-intrusions seeking?
It’s all over the map really. It’s a lot – anything from IP, to communications and emails, things about processes. I’m not a mind reader; I can only tell you what they are taking. Sometimes it’s a lot, where you can’t see a focus. Other times it is focused on specific programs.

Can we blame the Chinese for cyber-espionage in a world where attribution of attacks is so difficult?
Every once in a while there is a slip up or two that gives us a tremendous amount of insight. We wanted to be careful, so we actually took a lot of the evidence out of the report. If you ever watch the video we posted about it, you will see one of their attackers create a Gmail account, and that guy sent about 1000 emails. We read them all, and from that we knew a lot about him – what he did, where he worked, what his job was…you get the idea.

What has caused you to focus on Chinese government involvement in cyber-espionage?
We absolutely don’t focus on anything. We go where the attacks are – we don’t go to where the Chinese or Russian governments are. They just so happens that the most prominent threat actors today are about 10 military units out of China that are executing intrusions. Our customers bring us this; the evidence keeps going back to China. We don’t focus on the Chinese nation-state, it just happens to be very prominent, and that’s what we are being hired to respond to.

How do you respond to spokespeople from the Chinese government that have called reports like Mandiant’s “groundless and baseless”?
That response is to be expected – it’s the new normal. It doesn’t bother me in the least bit.

A recent follow-up report from Mandiant has indicated the level of intrusions from China has increased, not abated. Was this expected?
Absolutely – this is a funded effort by the Chinese government to compromise the private sector to benefit their state-owned entities. They are not going to reassign thousands of people to do something else overnight. [Mandiant] sent out our report, the Chinese government obviously didn’t like the exposure, but it’s the new normal. Things like this are not going away.

What’s hot on Infosecurity Magazine?