Cybersecurity Firms Ditch Defense, Learn To 'Hunt' It's boom time for cybersecurity companies that specialize in going after Chinese hackers. The top competitors in the sector have been taking a nontraditional approach. Instead of focusing on protecting clients from malware, these firms are learning more about the attackers — and going after them.
Cybersecurity Firms Ditch Defense, Learn To 'Hunt'
Let's return now to this week's series on cybersecurity. More industrial and commercial operations are going online. That's good for efficiency. It also means enterprises are more vulnerable to cyberthieves and cyberspies. Security experts say the biggest concern is computer-snooping from China. While this is a problem for some, it turns out it's a business opportunity for others. NPR's Tom Gjelten says it's boom time for firms specializing in busting Chinese hackers.

TOM GJELTEN, BYLINE: The hot new cybersecurity firms barely pay attention to cybercriminals. They're just after someone's money. It's fairly easy to fend them off. The more serious cyberintruders are the ones who want one particular thing: a new airplane design, for example. Threat researcher Dmitri Alperovitch says they'll target whoever has it, and they'll be persistent.

DMITRI ALPEROVITCH: Because if they're after your specific information, if they're after the Dreamliner specs, there's only one place to get it, and that's Boeing.

GJELTEN: This is what's called a targeted threat: cyberintruders going after particular trade secrets or inside information. These intruders are very determined. They won't give up until they get exactly what they want. And they're a growing problem.

RICHARD BEJTLICH: If you think in terms of someone who's going to get into your network and stay there for a while, it's becoming more popular.

GJELTEN: Richard Bejtlich is chief security officer for a company called Mandiant. He says more often than not these targeted threats originate in China.

BEJTLICH: The Russians have done that for a while, but not in the same way that the Chinese have. They tended to be quiet. They tended to be more creative. The Chinese are very loud and broad and aggressive.

GJELTEN: And there's been such an explosion in these targeted intrusions from China, that there are now cybersecurity firms that specialize in dealing with them. Mandiant may be the leading example. It doesn't try to protect its customers from viruses or other malicious software. They're more like an intelligence firm, they want to identify the intruder and his methods.

Richard Bejtlich says after a while, you can actually figure out an enemy's distinctive techniques.

BEJTLICH: And you see them fumbling around and they can't get whatever it is they need to do to work. And then there's a pause, and then someone else - you can tell someone else is there, 'cause they type at a different frequency, they're entering different commands, no spelling mistakes, whatever. They'll get that part of the playbook to work, and then it goes back to whoever the first guy was. So there's definite signs of junior people, more experienced people.

GJELTEN: Mandiant has identified about 20 Chinese groups responsible for targeted threats (in cybersecurity lingo, Advanced Persistent Threats, or APTs). Kevin Mandia, the company founder, says if Mandiant can tell a company what APT group is after it, the company can defend itself better.

KEVIN MANDIA: We can turn to a team that's going off to some Fortune 500 company and say, hey, all the evidence points to, it's APT Group 1 or APT Group 5, immediately know the tools they use, the IP addresses they use, the pass phrases they use when they encrypt data, where they store their files on the machine.

GJELTEN: Focusing in depth on the cyber-adversary - its goals, its tactics - is the Mandiant approach to cybersecurity, and business is booming.

RICHARD STIENNON: They were early and now it's the next big thing in security.

GJELTEN: Richard Stiennon is a cyberindustry analyst.

STIENNON: So there's dozens, if not hundreds, of service providers doing things similar to Mandiant and product companies coming out of the woodwork.

GJELTEN: A new entrant in this field is CrowdStrike, a company co-founded by threat researcher Dmitri Alperovitch. He says his company - like Mandiant and others in this growing field - will specialize in these advanced persistent threats, persistent being the key word. Their customers will be under constant pressure.

ALPEROVITCH: There's really no organization, including government agencies, that can prevent this type of attack. So you need to shift your mode into thinking that you're always under a persistent state of compromise and you need to start thinking about how you want to hunt on the network.

GJELTEN: That's the new cybersecurity game: hunting the adversary, tracking him down wherever he goes on a network and confronting him. One reason businesses like this are growing: the Mandiant guys say it's a lot more fun to fight the adversary head on than to try to come up with some software to protect someone from him. And it looks like there's plenty of business to go around.

Richard Bejtlich says the persistency of the new cyberthreats means no more one-off jobs.

BEJTLICH: It's actually been this case now for the whole period of the Chinese activity. The customers want us to stay engaged, to the point where we sign multi-year contracts, so the customers can get help from Mandiant over a very long period of time.

GJELTEN: A cyberwar already under way, between the Chinese hackers determined to steal and the security folks determined to hunt the hackers down.

Tom Gjelten, NPR News.

GREENE: Tom has been reporting all week on cybersecurity and you can check out his series at our website,

GREENE: You're listening to MORNING EDITION from NPR News.

Copyright © 2012 NPR. All rights reserved. Visit our website terms of use and permissions pages at for further information.

NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.