Mandiant APT1 Report

Retro Analysis

Thanks to the Mandiant APT1 report appendices, we have a wealth of threat data we can use to flush APT1 out of the network. In this installment, we’ll take a look at how to accomplish that with Lancope’s StealthWatch System.

In my last post I described how the Mandiant APT1 report reveals an imminent need for intelligent network surveillance to combat the kinds of attacks that advanced attackers carry out. In addition to detecting advanced and targeted threats, StealthWatch operators can also roll back the clock when threat intelligence becomes available.

Pervasive Logging

The foundational element in retroactive network forensic analysis is proper log collection and archival. StealthWatch is architected to archive months or years of communication records going in, out and around a global enterprise network. The records are collected from NetFlow-enabled routers, switches and firewalls. Additional deep packet visibility is provided by strategic placement of the StealthWatch FlowSensor in the network. These records are all forwarded to a FlowCollector that combines the collective data from every network device into an intelligent, cohesive record of every communication.

Asking Any Question

When indicators become available, either from global intelligence like the Mandiant report or internally as incident responders build threat profiles, those markers can be fed into StealthWatch to return a precise data set of suspicious communications.


If the attack time is known, it can be defined specifically or the query can be applied to all archived flows.


The server or client IP addresses, ranges or host groups can be specified.


The networking interfaces that the traffic was routed across can be specified to determine how prohibited behavior was able to circumvent enforcement mechanisms.

Services, Applications, Ports and Protocols

The ports and protocols can be filtered. If FlowSensor or Cisco NBAR visibility is enabled, traffic can be filtered on deep packet inspection recognition of networking applications.


Traffic can be filtered by DSCP, AS Numbers, VLAN ID and MPLS labels to further tune the result set.


Total bytes exchanged, bytes consumed by the client or sent to the server can also be queried in ranges.



Where FlowSensor enhanced flows exist, the number of TCP connections, retransmissions, round trip times and server response times can be used as an advanced marker.

Application Details

When traffic crosses a FlowSensor, the first 1 to 256 bytes can be collected and archived with the flow record. This allows queries to include matches on SSL certificate names, URL or FQDN.


Leveraging Cisco NetFlow Secure Event Logging (NSEL) from ASA firewalls, flows can be limited to the action the firewall took on the communication (permit/deny).

Examples for Finding APT1

Here are a couple of real world examples of using StealthWatch to look for historical APT1 intrusions in the network:

Data Loss

Customers have reported to me that an effective query for finding data disclosure to APT1 IP addresses was simply:

  • HOSTS: Set Servers to IP Addresses from Mandiant Reports (click here to download list)
  • TRAFFIC: Set Client Bytes to >1MB

This simple query shows every communication where more than 1 megabyte of data left the network and went to the APT1 addresses.
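The same two filters can be run over any archived flow export. The sketch below is an added example, not StealthWatch code or its query syntax: the CSV column names, the sample flows and the indicator entries (RFC 5737 documentation addresses standing in for the report's list) are constructed, and ">1MB" is read as 1,000,000 bytes. It also accepts the optional time window described earlier.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Constructed placeholder indicators (RFC 5737 documentation ranges),
# standing in for the server addresses published with the report.
INDICATORS = ["203.0.113.0/24", "198.51.100.25"]

# Constructed flow export; column names are assumptions, not a StealthWatch schema.
SAMPLE_FLOWS = """start,client_ip,server_ip,server_port,client_bytes,server_bytes
2012-11-03T02:14:00,10.1.4.22,203.0.113.77,443,48233112,91220
2012-11-03T09:30:00,10.1.4.22,203.0.113.77,443,18400,5200
2012-12-19T23:51:00,10.2.9.8,198.51.100.25,80,2400000,310000
2013-01-07T14:02:00,10.2.9.8,192.0.2.10,443,73000000,120000
"""

MIN_CLIENT_BYTES = 1_000_000  # ">1MB" read as decimal megabytes (assumption)


def load_networks(entries):
    """Parse single addresses and CIDR ranges into network objects."""
    return [ip_network(e.strip(), strict=False) for e in entries if e.strip()]


def find_data_loss(flow_csv, networks, min_client_bytes=MIN_CLIENT_BYTES,
                   start=None, end=None):
    """Return flows whose server is a listed indicator and whose client
    sent more than min_client_bytes, optionally inside [start, end]."""
    hits = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        # ISO 8601 timestamps in one format compare correctly as strings.
        if (start and row["start"] < start) or (end and row["start"] > end):
            continue
        server = ip_address(row["server_ip"])
        if not any(server in net for net in networks):
            continue
        if int(row["client_bytes"]) > min_client_bytes:
            hits.append(row)
    return hits


if __name__ == "__main__":
    for hit in find_data_loss(SAMPLE_FLOWS, load_networks(INDICATORS)):
        print(hit["start"], hit["client_ip"], "->", hit["server_ip"],
              hit["client_bytes"], "bytes sent")
```

The large upload to 192.0.2.10 is not returned because that address is not on the indicator list, and the small flow to a listed address is dropped by the byte threshold.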


Using the Application Details filter, customers with FlowSensors deployed were able to filter for communications that used the known bad SSL certificates included in Appendix F of the Mandiant report. The same type of filter was also used to detect the FQDNs included in Appendix D.

Wrap Up

StealthWatch not only provides actionable, intelligent network surveillance that can reveal attacks from sophisticated attackers like APT1, it also provides a platform for shining light on the network’s history.