McAfee's Shady Rat report, released in early August, generated a lot of headlines, a call from Congress for more information, and a great deal of finger pointing in the security world.
Most notably, antivirus guru Eugene Kaspersky has openly been criticizing the merits of the report, questioning whether McAfee's effort was merely an exercise in FUD (fear, uncertainty, and doubt).
"First of all I’d like to say straight out that we do not share the concerns surrounding the intrusion described in the report, which intrusion the report claims has resulted in the theft of sensitive information of multiple governments, corporations and non-profit organizations," Kaspersky wrote in a blog post.
"We consider those conclusions to be largely unfounded and not a good measure of the real threat level. Also, we cannot concede that the McAfee analyst was not aware of the groundlessness of the conclusions, leading us to being able to flag the report as alarmist due to its deliberately spreading misrepresented information," Kaspersky said.
As for the level of sophistication of the operations outlined in McAfee's Shady Rat report, "we found no novel techniques or patterns used in this malware. What we did find were striking shortcomings that reveal the authors' low level of programming skill and lack of basic web security knowledge," Kaspersky said.
McAfee's Phyllis Schneck issued some statements critical of Kaspersky's analysis, stating:
“Would it be alarmist to let a bank know that someone has just walked out with a wad of cash while they weren’t paying attention? It doesn’t matter how sophisticated the attack is if it results in material loss. If a bank robber gets $100 million by walking in the front door with a gun, it’s news–not because the attack is novel, but because of its effectiveness. It’s not the sophistication of the attack that’s important, and this is a clear case where technical arguments are preventing some people from seeing the larger, more important picture.”
Schneck also went so far as to question Kaspersky's understanding of the report:
"Unfortunately for Mr. Kaspersky, he is getting botnets and advanced persistent threats confused. In this case, the APT should really be called an SPT (successful persistent threat). It was only as advanced as it needed to be. The impressive thing here was the breadth of targets, the length of the attack, and the amount of data taken, remembering also that we know only of 72 companies/organizations victimized through one command and control server, out of hundreds or more used by this adversary," she said.
Other security experts have also leveled some heavy criticism on McAfee following the release of the Shady Rat report.
"It is readily apparent... that McAfee has put out that they are just fishing for some press here for their flagging AV sales. This paper gives nothing relevant to the story around APT and as such, it should be just relegated to the dustbin of the internet and forgotten. Yes, the US was a major target but others were as well," wrote Infosec Island's Scot Terban.
Still others see the blame falling on the companies and their security staff for failing to protect against well known vulnerabilities with readily available solutions.
"I challenge any security peer in the industry to tell me that these 'Shady Rat' attacks would not have been detected with HIPS, SIEM and proper policies and ACLs in place. Honestly, one would have to be uneducated, incompetent and under-qualified to make that argument. It is not the technologies that are failing, it is us as a security industry that are failing," wrote Infosec Island's J. Oquendo.
"None of the frameworks, baselines and or mandates seem to have been followed. After skimming through the Shady Rat write-up, I can see all sorts of NIST SP failures, HIPAA, SOX, D(ITS/A)CAP failures. Not to mention failures from the TOGAF/CoBIT/ISO... writings as well. Now I don't believe the frameworks are the failures, nor the technologies, I believe that the people are the failure," Oquendo stated.
And Boris Sverdlik agrees that the lack of sophistication of the operations means that the security staff at the targeted companies should shoulder the real criticism.
"Needless to say, all of the data is relatively old (in security terms 8 months is ancient history). Just more evidence of the incompetence of a good chunk of these so-called security professionals we rely on to reduce our exposure. The attacks outlined within the document are not advanced to any extent. These are the types of attacks that for the most part should be considered low-hanging fruit," Sverdlik wrote.