Craig Hall, Managed Defense Analyst FireEye, "Outgunned in Cyberspace," July 22, 2017. Unclassified.
National Security Archive
FireEye’s 2015 RSA pitch turned a post‑JPMorgan breach panic into a sales narrative, arguing that “one weak link” makes every firm vulnerable and only intel‑driven defenses can level the playing field.
Source: Craig Hall, Managed Defense Analyst FireEye, "Outgunned in Cyberspace," July 22, 2017. Unclassified. Date: Jul 22, 2015 Archive: RSA Conference
Editorial Analysis
Original analysis by the DriftSeas editorial desk. The complete primary-source document, transcribed from the National Security Archive scan, appears in full below.
A FireEye Pitch at RSA 2015
The slides attributed to Craig Hall were not a classified briefing but a commercial presentation delivered at the RSA Conference in Singapore, July 22‑24, 2015. The event gathered senior security officers from banks, telecoms and other critical‑infrastructure firms, many of them still absorbing the high‑profile breaches at JPMorgan Chase and Bank of America. Hall’s deck, titled Outgunned in Cyberspace, was meant to position FireEye’s Mandiant platform as the antidote for a market that, in the wake of those breaches, was scrambling for a new defensive paradigm.
The immediate catalyst for the talk was the public fallout from the JPMorgan Chase breach announced in October 2014, which exposed the inadequacy of signature‑based antivirus solutions in detecting sophisticated, nation‑state‑backed actors. By mid‑2015, the banking sector was allocating half‑a‑billion dollars annually to cyber‑defense and promising to double staff numbers. Hall’s slides echo that rhetoric – a quote from Jamie Dimon promising $250 million a year – while simultaneously arguing that spending alone would not close the “one weak link” gap.
The Bigger Story: The Rise of APT‑Centric Threat Intelligence
Hall’s narrative sits squarely in the broader shift from perimeter‑focused defenses to intelligence‑driven, “adaptive” security. The presentation repeatedly stresses that an Advanced Persistent Threat (APT) is a who rather than a what, urging customers to invest in threat‑actor profiling. This reflects the industry’s response to the 2013‑14 disclosures of Chinese APT1 and Russian APT28, which had turned the abstract notion of state‑sponsored cyber‑espionage into a concrete business risk. By foregrounding APT5—a group allegedly targeting satellite‑communication IP—the deck attempts to demonstrate FireEye’s ability to link a mundane phishing attachment (“Invoice.xls”) to a geopolitical adversary.
The slides walk the audience through a fictionalized telecom breach, contrasting an in‑house, signature‑only antivirus stack (Telco A) with FireEye’s “Intel‑Based Approach” (Telco B). The contrast is stark: the former relies on slow signature updates and reactive re‑imaging; the latter claims to detonate unknown malware in a sandbox, extract command‑line artifacts, and even recover the password used to encrypt exfiltrated data. The level of operational detail—listing the exact NetUse command, the compromised admin account “BobAdmin,” and the password “itsm9now”—is designed to convey forensic depth that most internal SOCs could not replicate without external expertise.
What the Deck Reveals About Industry Dynamics
While the slides are promotional, they betray the anxieties of the era’s security chiefs. The repeated mantra “Nearly every company is vulnerable” and the visual of a boxing ring underscore a perception that defenders are out‑gunned and need a coach who knows the opponent’s moves. The emphasis on “integrated technology, intelligence, expertise” signals FireEye’s business model: a subscription service that bundles hardware appliances, threat‑intel feeds, and on‑demand incident response. The fact that the presentation was delivered at a conference where many attendees were also potential buyers shows how the line between public threat‑sharing and vendor marketing had blurred.
Moreover, the focus on APT5 and satellite‑communication IP hints at the strategic importance of the telecom sector in 2015. Satellite links were increasingly viewed as critical for both civilian broadband and military communications, making them attractive espionage targets. By naming a specific APT and its TTPs—beachhead establishment, lateral movement with native tools, zip‑file exfiltration—FireEye’s narrative tries to make the abstract threat feel immediate and solvable with their platform.
Legacy and Why It Still Matters
The Outgunned in Cyberspace deck is a snapshot of a turning point: the moment when commercial cyber‑defense firms began to market full‑stack threat‑intel as a core service rather than a peripheral add‑on. The language and visual metaphors introduced here—boxing, weak links, adaptive defense—have persisted in vendor briefings and even in government advisory documents. The presentation also foreshadows the current “XDR” (Extended Detection and Response) market, which promises exactly the kind of integrated visibility and rapid forensics Hall touted.
For historians of cyber‑security, the deck illustrates how private firms shaped the discourse around nation‑state threats, turning intelligence about specific APT groups into a commercial commodity. It also shows how the fallout from a handful of high‑profile breaches catalyzed a wave of spending that still underpins today’s security budgets. Understanding this moment helps explain why modern enterprises expect not just antivirus, but continuous, intelligence‑driven monitoring as a baseline service.
RSA Conference 2015 Singapore | 22-24 July | Marina Bay Sands
SESSION ID: SPO-F04
Outgunned in Cyberspace
Craig Hall Managed Defense Analyst FireEye
CHANGE Challenge today's security thinking
#RSAC
JPMorgan Chase Breach
Slide image: ABC News coverage of the JPMorgan Chase & Co. breach
JPMorgan Chase Breach
Dear Fellow Shareholders,
JP MORGAN CYBER SECURITY UPDATE: POST BREACH
"By the end of 2014, we will have spent more than $250 million annually with approximately 1,000 people focused on the effort. This effort will continue to grow exponentially over the years."
Jamie Dimon, Chairman and Chief Executive Officer
FireEye SECURITY REIMAGINED MANDIANT A FireEye™ Company
3
RSAConference2015
Bank of America Breach
Slide image: Bloomberg headline from Davos 2015, “Moynihan: BofA Cybersecurity Unit Has Blank Check”
“All you need is one weak link...”
“Nearly every company is vulnerable...” (60 Minutes)
Adaptive Defense
- TECHNOLOGY: identifies known, unknown, and non-malware-based threats; integrated to protect across all major attack vectors
- INTELLIGENCE: intel and malware experts; threat actor profiles; internal risk profiles
- EXPERTISE: “go-to” responders for security incidents
Do you know your enemy?
In boxing, a boxer studies his opponent's moves prior to the fight so he knows exactly how to defend himself against the opponent and outmaneuver him before he steps into the ring, which will increase his chances of victory.
Threat Intelligence
- APT is a 'WHO' and not a 'WHAT'
- THREAT INTELLIGENCE should provide information on THREAT ACTORS
Report covers shown:
- Mandiant, “APT1: Exposing One of China's Cyber Espionage Units”
- FireEye Special Report, “APT28: A Window into Russia's Cyber Espionage Operations?”
- FireEye Special Report, “Hacking the Street? FIN4 Likely Playing the Market”
'Theoretical' Case Study
Two Utilities
TELCO - A
- Signature-based TECHNOLOGY
- In-house EXPERTISE
- No malware/threat-actor INTELLIGENCE
TELCO - B
- FireEye TECHNOLOGY
- FireEye EXPERTISE
- FireEye INTELLIGENCE
Traditional In-House Approach
TELCO - A
TECHNOLOGY: AntiSpam and AV Filtering
Receives 5 million emails a day
- AV updates slow
- Sometimes AV will only catch malware AFTER infection
When this happens
- Machine is reimaged
- Possibly send malware sample to their AV vendor
FireEye Intel Based Approach
TELCO - B (diagram: email quarantined)
- FireEye TECHNOLOGY is not signature based – and finds threats faster than signatures – reducing time to detect
- FireEye Technology finds the unknown threat "Invoice.xls"
TECHNOLOGY: AntiSpam and AV Filtering; Malware Detonation (FireEye)
Receives 5 million emails a day
Unknown Threat: Invoice.xls
Target: Telco - B, threat trying to appear legitimate
- No signature
- Bypassed existing defenses
FireEye TECHNOLOGY reveals:
- Invoice.xls designed to attack Excel 2010sp2
- Excel 2010sp2 is the version Telco B has standardized on
- Malware phones home to ServiceABC.skypetw.com
- ServiceABC is the name of a VALID internal service in the Telco B network
Who Is Attacking?
FireEye INTELLIGENCE tells us:
- Skypetw.com matches to known threat group: APT5
- APT5 targets telecom companies
- Is looking for intellectual property regarding satellite communications
- Known TTPs (Tactics, Techniques and Procedures)
Slide image: ATI research details about the exploit
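A defender-side check for the two signals this slide and the previous one describe, written here as an added example (not FireEye code): match the callback domain against a threat-intel feed, and flag an internal service name reused as a label on an external domain. The feed, the service inventory, the `telco-b.example` suffix and the DNS log lines are all constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed intel feed: the callback domain the slide names, attributed as the deck does.
THREAT_INTEL_DOMAINS: Dict[str, str] = {"skypetw.com": "APT5"}

# Constructed inventory of legitimate internal service hostnames at "Telco B"
# and the (constructed) internal DNS suffix they normally resolve under.
INTERNAL_SERVICES: Set[str] = {"serviceabc", "mailgw", "vpn01"}
CORP_SUFFIX = "telco-b.example"

# Constructed DNS query log, one "<client-ip> <queried-name>" per line.
DNS_LOG = """\
10.20.1.14 mailgw.telco-b.example
10.20.1.14 update.microsoft.com
10.20.3.77 ServiceABC.skypetw.com
10.20.3.77 vpn01.telco-b.example
10.20.4.9 serviceabc.cdn-mirror.example
"""


@dataclass
class Finding:
    client: str
    qname: str
    reasons: List[str] = field(default_factory=list)
    actor: str = ""  # threat group from the intel feed, if any


def registrable_domain(qname: str) -> str:
    # Naive last-two-labels rule; adequate for the .com/.example names used here.
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse_dns(log: str, intel: Dict[str, str] = THREAT_INTEL_DOMAINS,
                internal: Set[str] = INTERNAL_SERVICES,
                corp_suffix: str = CORP_SUFFIX) -> List[Finding]:
    findings: List[Finding] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        client, qname = line.split()
        q = qname.lower()
        finding = Finding(client, qname)
        apex = registrable_domain(q)
        if apex in intel:
            # Signal 1: the apex domain is known threat-actor infrastructure.
            finding.actor = intel[apex]
            finding.reasons.append(f"{apex} is known {intel[apex]} infrastructure")
        if q.split(".")[0] in internal and not q.endswith(corp_suffix):
            # Signal 2: an internal service name used as a label on an external domain,
            # which makes the callback look like routine internal traffic at a glance.
            finding.reasons.append("internal service name on an external domain")
        if finding.reasons:
            findings.append(finding)
    return findings
```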
APT5 Tools Techniques and Procedures
1. Establish a beachhead using malware
2. Move laterally using standard networking tools (no malware)
3. Find desired intellectual property
4. Exfiltrate stolen data using password-protected zip files and FTP
Incident Scope
- APT 5 is behind the attack
- Looking for Satellite IP
- Telco B has Satellite Communication IP
- Alarm bells going off from this single alert
We need to find out
- Did end user open email attachment?
- Did other users get infected?
- Did the attacker move laterally once inside the network?
Detect and Respond
- Complete Host Based investigation, e.g. : Scraping Endpoint Memory
- Reveal commands an attacker may have used on an endpoint
- Look for APT5 TTP – Lateral movement using standard networking tools
- Look for APT5 TTP – Exfiltration of password protected zip file
- Investigation through FireEye as a Service EXPERTISE tells us
- “NETUSE” command was used to connect to 2 additional servers at TelcoB
- Servers required Username and password - “BobAdmin” account was used by the attacker. This account is a Domain Admin at TelcoB
- Our remediation now extends to this compromised admin account
- Agent TECHNOLOGY tells us 7z (zip) command was used with a “password” option
- Agent TECHNOLOGY tells us the password that was used to encrypt the file: itsm9now
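The endpoint findings above, replayed as a hunt over command-line telemetry. This is an added example, not FireEye's agent or its output format; the log lines, hostnames, paths and times are constructed, while the `BobAdmin` account, the 7z password option and the `itsm9now` password are taken from the slides. The `*` in the `net use` lines means the password was prompted for, not recorded.

```python
import re
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed process-creation telemetry, one "<ts> host=<h> user=<u> cmd=<command line>"
# per line; not a FireEye agent format. Hostnames, paths and times are invented.
PROCESS_LOG = """\
2015-07-20T09:14:02Z host=WS-0142 user=bob cmd=EXCEL.EXE C:\\Users\\bob\\Downloads\\Invoice.xls
2015-07-20T09:20:41Z host=WS-0142 user=bob cmd=net use \\\\FS-01\\d$ * /user:TELCOB\\BobAdmin
2015-07-20T09:21:10Z host=WS-0142 user=bob cmd=net use \\\\SAT-DEV02\\c$ * /user:TELCOB\\BobAdmin
2015-07-20T10:02:33Z host=FS-01 user=BobAdmin cmd=7z a -pitsm9now -mhe=on C:\\Temp\\exfil.zip D:\\sat\\design\\*.docx
"""
LINE_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) cmd=(.*)$")

@dataclass
class Finding:
    ttp: str
    ts: str
    host: str
    user: str
    details: Dict[str, str] = field(default_factory=dict)

def _exe(argv: List[str]) -> str:
    # Program name without a trailing .exe, lower-cased for comparison.
    return re.sub(r"\.exe$", "", argv[0].lower()) if argv else ""

def detect_net_use(argv: List[str]) -> Optional[Dict[str, str]]:
    # APT5 TTP 2: lateral movement with built-in tools ("net use \\server\share ...").
    if _exe(argv) != "net" or len(argv) < 3 or argv[1].lower() != "use":
        return None
    target = next((a for a in argv[2:] if a.startswith("\\\\")), None)
    if target is None:
        return None
    account = next((a.split(":", 1)[1] for a in argv if a.lower().startswith("/user:")), "")
    return {"target": target, "account": account}

def detect_7z_password(argv: List[str]) -> Optional[Dict[str, str]]:
    # APT5 TTP 4: password-protected archive. 7-Zip takes the password inline as
    # -p<password>, so it is recoverable from the recorded command line.
    if _exe(argv) not in ("7z", "7za", "7zr") or len(argv) < 3 or argv[1].lower() != "a":
        return None
    password = next((a[2:] for a in argv[2:] if a.startswith("-p") and len(a) > 2), None)
    if password is None:
        return None
    archive = next((a for a in argv[2:] if not a.startswith("-")), "")
    return {"archive": archive, "password": password}

DETECTORS = [("lateral movement: net use", detect_net_use),
             ("staging: password-protected 7z archive", detect_7z_password)]

def hunt(log: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, user, cmd = m.groups()
        argv = shlex.split(cmd, posix=False)  # keeps Windows backslashes intact
        for ttp, detector in DETECTORS:
            details = detector(argv)
            if details:
                findings.append(Finding(ttp, ts, host, user, details))
    return findings
```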
Incident Scope
Scope of the attack
- Desktop
- Laptop
- 2 Servers
- Compromised Admin Account “BobAdmin”
What we need to know
- What was in those exfiltrated .zip files?
- Did they actually make it out?
- What is the business impact?
Network Forensics
FireEye TECHNOLOGY
- Goes back in time and shows us the actual zip file “exfil.zip” that was sent to serviceABC.skypetw.com
- Lets us extract “exfil.zip” and save it to our computer...
- But it’s password protected
- We use the password that we learned from the endpoint forensic investigation
- See what data was exfiltrated: Satellite Intellectual Property?
APT30
APT30 Key Findings
- 10+ YEARS: long-standing advanced persistent threat (APT)
- Focus on Southeast Asia and India
- Methodical processes and modular tools imply a structured environment
- Appears to target organizations with political, economic, and military information
- Able to target sensitive air-gap networks
One of longest-operating known threat groups
10+ YEARS: based on malware metadata, compile dates, and domain registration dates, APT30 has operated for at least a decade (2004 – 2015)
| Domain | Registration Date | Compile Date Early Sample | Compile Date Recent Sample |
|---|---|---|---|
| km-nyc.com | 11 Mar 2004 | 11 Mar 2005 | 11 May 2014 |
| km153.com | 30 Aug 2007 | 4 Sep 2007 | 11 May 2014 |
| Field | Value |
|---|---|
| Comments | (C) 2004 Microsoft Corporation. 保留所有权利。 Flyeagle science and technology company NetEagle Remote Control Software |
| File Version | 4.2 |
| Internal Name | Neteagle |
| Legal Copyright | 版权所有 (C) 2004一永久 |
| Original Filename | NETEAGLE.EXE |
| Private Build | |
| Product Name | NetEagle Remote Control Software |
| Product Version | 4.2 |
| Special Build | |
Version information from BACKSPACE controller
Regional Focus
96% of victim organizations located in SE Asia
Confirmed APT30 targets: India, Thailand, Malaysia, United States, South Korea, Saudi Arabia, Vietnam
Likely APT30 targets: Nepal, Indonesia, Cambodia, Philippines, Myanmar, Bhutan, Brunei, Japan, Singapore, Laos
Regional / Geopolitical Targeting
- 'Decoy' documents reflect geopolitical themes associated with the region
  - Political transitions
  - China border disputes
  - Indian military themes
- Focus on ASEAN with registration of malicious domain aseanm[.]com
- Journalists also targeted
Consistent TTPs
APT30 appears to have a consistent, long-term mission that relies on existing tools to remain sufficient over time
Yesterday's successful tools modified for today
| MALWARE / TOOL | COMPILE DATE EARLY SAMPLE | COMPILE DATE RECENT SAMPLE |
|---|---|---|
| BACKSPACE | 2 Jan 2005 | 5 Nov 2014 |
| NETEAGLE | 20 Jun 2008 | 6 Nov 2013 |
| SHIPSHAPE | 22 Aug 2006 | 9 Jun 2014 |
| SPACESHIP | 23 Aug 2006 | 5 Jun 2014 |
| FLASHFLOOD | 31 Jan 2005 | 17 Feb 2009 |
- Successful enough to not have to change
- Long-term investment in software development
Summary of APT30
APT30 is a well-organized group with a long-term mission that represents a regional threat
Targeted, state-sponsored activity: not simply a US problem
Able to target sensitive Air Gap networks
FIN4 – HACKING WALL ST
Who Are FIN4?
- Active since at least mid-2013
- Likely seeking "black edge"
  - Market catalyst information for trading advantage
- Deeply familiar with inner workings of public companies
- Tactics: simple yet insidiously effective
FIN4 Targets: Over 100 Publicly Traded Companies and Advisory Firms
| Target category | Share |
|---|---|
| Publicly traded healthcare and pharmaceutical companies | 68% |
| Firms advising public companies on securities and M&A matters | 20% |
| Other publicly traded companies | 12% |
Attack Vector
- Emails originate from trusted senders
- Links to fake Outlook Web Access portal
- Stolen documents weaponized with embedded macros
Subject: employee making negative comments about you and the company
From:
I noticed that a user named FinanceBull82 (claiming to be an employee) in an investment discussion forum posted some negative comments about the company in general (executive compensation mainly) and you in specific (overpaid and incompetent). He gave detailed instances of his disagreements, and in doing so, may have unwittingly divulged confidential company information regarding pending transactions.
I am a longtime client and I do not think that this will bode well for future business. The post generated quite a few replies, most of them agreeing with the negative statements. While I understand that the employee has the right to his opinion, perhaps he should have vented his frustrations through the appropriate channels before making his post. The link to the post is located here (it is the second one in the thread):
http://forum.
Could you please talk to him?
Thank you for the assistance,
The Target?
Diagram (flattened):
- SEC-themed spearphish from hijacked account
- ADVISORY FIRM A: compromised
- M&A-themed spearphish from hijacked account; the spearphishing email pertains directly to the pending deal, which is not yet public at the time the spearphish is sent
- ADVISORY FIRM B
- Advisory Firm A and Advisory Firm B are advising Public Company A about a prospective M&A deal with Public Company B
- PUBLIC COMPANY A: involved in M&A discussions with Public Company B
FIN4 repeatedly targeted the M&A discussions of publicly traded companies.
Insidiously Clever?
- Simple techniques to minimize chances of discovery
Screenshot: Outlook “Rules and Alerts” dialog. Rule description (click an underlined value to edit):
Apply this rule after the message arrives with 'virus' or 'malware' or 'phished' or 'phishing' or 'phish' or 'hacking' or 'hacked' or 'hack' in the subject or body, move it to the Deleted Items folder and stop processing more rules
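An audit for the evasion the slide shows, written as an added example (not FireEye's): parse Outlook-style rule descriptions and flag any rule that diverts messages containing security-warning keywords to a folder where they will not be read. The first rule is the one on the slide; the other two rules, the keyword list and the folder list are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Words a security team or a provider would put in a warning e-mail; the list mirrors
# the terms in the rule shown on the slide (constructed, extend as needed).
SECURITY_KEYWORDS = {"virus", "malware", "phish", "phished", "phishing",
                     "hack", "hacked", "hacking", "compromised", "suspicious"}
# Destinations where a diverted message is unlikely to be read (constructed list).
HIDING_FOLDERS = {"deleted items", "junk e-mail", "rss feeds"}

RULE_DESCRIPTIONS = [
    # The rule from the slide, as rendered in the Outlook dialog.
    "Apply this rule after the message arrives with 'virus' or 'malware' or 'phished' "
    "or 'phishing' or 'phish' or 'hacking' or 'hacked' or 'hack' in the subject or body "
    "move it to the Deleted Items folder and stop processing more rules",
    # Constructed benign rule: no security keywords involved.
    "Apply this rule after the message arrives from 'newsletter@example.com' "
    "move it to the Newsletters folder",
    # Constructed lower-severity rule: keyword filtered, but into a visible folder.
    "Apply this rule after the message arrives with 'phishing' in the subject "
    "move it to the Security Notices folder",
]

KEYWORDS_RE = re.compile(r"with (.+?) in the (?:subject or body|subject|body)")
QUOTED_RE = re.compile(r"'([^']+)'")
MOVE_RE = re.compile(r"move it to the (.+?) folder")
DELETE_RE = re.compile(r"\b(?:permanently )?delete it\b")
STOP_TEXT = "stop processing more rules"

@dataclass
class RuleFinding:
    description: str
    keywords: List[str]
    destination: Optional[str]
    stops_processing: bool
    severity: str

def parse_rule(desc: str) -> Tuple[List[str], Optional[str], bool]:
    """Extract (keywords, destination folder or '<deleted>', stop-processing flag)."""
    m = KEYWORDS_RE.search(desc)
    keywords = QUOTED_RE.findall(m.group(1)) if m else []
    mv = MOVE_RE.search(desc)
    if mv:
        destination: Optional[str] = mv.group(1)
    else:
        destination = "<deleted>" if DELETE_RE.search(desc) else None
    return keywords, destination, STOP_TEXT in desc

def audit_rules(descriptions: List[str]) -> List[RuleFinding]:
    findings = []
    for desc in descriptions:
        keywords, destination, stops = parse_rule(desc)
        hits = [k for k in keywords if k.lower() in SECURITY_KEYWORDS]
        if not hits:
            continue
        # High severity when the match is routed somewhere the user will not look.
        hidden = destination == "<deleted>" or (destination or "").lower() in HIDING_FOLDERS
        severity = "high" if hidden else "medium"
        findings.append(RuleFinding(desc, hits, destination, stops, severity))
    return findings
```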
Operation Clandestine Wolf
Who are APT3?
- State-sponsored group – AKA UPS
- Attributed to Operation Clandestine Fox in 2014
- Zero-day exploit sophistication
- Cool code names
Clandestine Wolf
- Spear phishing campaign against:
  - Aerospace and Defense
  - Construction and Engineering
  - High Tech
  - Telecommunications
  - Transportation
Spearphishing
Save between $200-450 by purchasing an Apple Certified Refurbished iMac through this link. Refurbished iMacs come with the same 1-year extendable warranty as new iMacs. Supplies are limited, but update frequently.
Don't hesitate . . . [Go to Sale]
Some Technical Details
- ASLR: Address Space Layout Randomization
- DEP: Data Execution Prevention
These Red Dots = Compromise
Diagram: malicious GIF image file
- Valid GIF file
- Malicious payload appended at end of file
- Malicious payload is encoded to avoid detection
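A structural check for the appended-payload technique the slide describes, written as an added example (not FireEye's detection logic): walk the GIF block structure to find where the image legitimately ends and report anything after the trailer, along with the entropy of that tail. The 35-byte GIF and the appended blob are constructed.

```python
import math
import struct
from typing import Dict

# Constructed 35-byte 1x1 GIF89a (the smallest well-formed GIF): header, logical
# screen descriptor, 2-entry global colour table, one image block, trailer 0x3B.
CLEAN_GIF = (b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00\x00\x00\xff\xff\xff"
             + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00" + b"\x02\x02\x44\x01\x00" + b"\x3b")
# Constructed stand-in for an encoded payload appended after the trailer
# (uniform byte distribution, as an encoded or encrypted blob tends to have).
APPENDED = CLEAN_GIF + bytes(range(256)) * 2

def _skip_sub_blocks(data: bytes, pos: int) -> int:
    # GIF data sub-blocks: <len><len bytes> ..., terminated by a zero-length block.
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n

def gif_logical_end(data: bytes) -> int:
    """Walk the GIF block structure and return the offset just past the trailer."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF header")
    pos = 6
    _w, _h, packed, _bg, _aspect = struct.unpack_from("<HHBBB", data, pos)
    pos += 7
    if packed & 0x80:  # global colour table present: 3 * 2^(N+1) bytes
        pos += 3 * (1 << ((packed & 0x07) + 1))
    while True:
        if pos >= len(data):
            raise ValueError("no trailer found")
        marker = data[pos]
        pos += 1
        if marker == 0x3B:
            return pos
        if marker == 0x21:  # extension: label byte + sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif marker == 0x2C:  # image descriptor: 9 bytes, optional local table, LZW size
            lpacked = data[pos + 8]
            pos += 9
            if lpacked & 0x80:
                pos += 3 * (1 << ((lpacked & 0x07) + 1))
            pos = _skip_sub_blocks(data, pos + 1)
        else:
            raise ValueError(f"unexpected block type 0x{marker:02x} at {pos - 1}")

def shannon_entropy(blob: bytes) -> float:
    if not blob:
        return 0.0
    counts = [blob.count(bytes([b])) for b in set(blob)]
    return -sum(c / len(blob) * math.log2(c / len(blob)) for c in counts)

def inspect_gif(data: bytes) -> Dict[str, object]:
    end = gif_logical_end(data)
    tail = data[end:]
    return {"logical_end": end, "file_size": len(data), "trailing_bytes": len(tail),
            "trailing_entropy": round(shannon_entropy(tail), 2),
            "suspicious": len(tail) > 0}  # a well-formed GIF ends at its trailer
```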
After The Initial Compromise
- Custom Backdoor “Backdoor.APT.CookieCutter” installed
- Quickly steal valid credentials
- Move laterally to systems with digital assets of value
- Install custom backdoors
- Never reuse command and control infrastructure
Remediation
- Apply Adobe out-of-band security patch
- FireEye IPS detects: CVE-2015-3113
- FireEye MVX detects: Backdoor.APT.CookieCutter
Outgunned in Cyberspace
- Do you believe that the breach is inevitable?
- How would you know if you were currently compromised?
- Do you know who would attack you?
- Do you know how they would do it?
Thank You
- To talk more, email us: APAC@FireEye.com
NATIONAL SECURITY ARCHIVE
National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street, NW, Washington, D.C., 20037, Phone: 202/994-7000, Fax: 202/994-7005, nsarchiv@gwu.edu