A Peek Behind the Curtain: Examining the Dimensions of a National-level Cyber Program

Written by: John Doyle

In the past year, Mandiant Intelligence has been thinking of new ways to help organizations scale their defenses to outpace and outmaneuver state-sponsored cyber programs—all in a format that is widely accessible. This led us to developing “Inside the Mind of an APT,” an on-demand course that shares our more than ten years worth of insights on state-sponsored cyber programs to tip the scale in favor of the blue team. This course focuses heavily on exploring what we call the Big Four: Russia, China, the Democratic People's Republic of Korea (DPRK), and Iran.

While the target audience for this course is newly minted or career-transitioning analysts, security practitioners, and cyber security leadership, the course can also benefit journalists, researchers, and national-level policymakers. It is designed as a foundation for how various cyber operations are used as tools of statecraft (Figure 1).

The class dives into numerous topics, explaining how:

• Countries leverage cyber operations as a tool of statecraft to collect information of intelligence value to gain a geopolitical advantage, undermine perceived adversaries, bolster geopolitical ambitions, spy on their internal population, and quell civil unrest.
• Each Big Four country uniquely leverages their respective cyber programs based on geographic location, strategic goals, national security priorities, and other factors.
• While the Big Four have similar capabilities and regularly conduct cyber espionage for intelligence gain, the “how” and the “why” differ for each nation.

From its inception, we sought to create a course to aid organizations with onboarding new cyber security personnel by capturing insights our Mandiant analysts wish they had known when starting in this field. When deciding what should be covered in the course, we consulted with Mandiant Intelligence analysts, researchers and consultants. From our conversations we noticed three consistent themes, and an importance on the following understandings:

1. Threat actor motivations
2. How to identify and correlate cyber operations with larger scale national priorities
3. When and to what degree does attribution matter

“Inside the Mind of an APT” covers these three understandings across the Big Four cyber actors. It provides the cornerstone knowledge and context to allow practitioners to compare and contrast usage, history, and approach to cyber operations and cyber-adjacent topics. Developing this level of breadth, depth, and strategic perspective often takes months or years.

Even with a deep cyber security background, individuals likely face strategic knowledge gaps in understanding how, why, and against whom an adversary would employ cyber operations—or whether the operations are conducted solo or in tandem with another element of national power. Likewise, these individuals may not understand why it is important to know the roles and responsibilities that exist in a state’s cyber program, the mission mandate of the intelligence and military services in a country, its operating authorities, and their mapping to suspected APT groups.

All of these insights can aid in threat forecasting, risk prioritization, attribution assessments, and many other ways to support an organization's defensive posture.

This course is intended to immediately uplift individual and team capacity for any role in an organization that advises on cyber threats. The material presented within “Inside the Mind of an APT” roughly amounts to what would be covered across five different masters-level courses, but is consolidated, focused, and curated for students to consume in a fraction of time (and cost!). The course pulls from internal expertise, research from our industry peers, and publications issued by government bodies and think tanks to establish a common knowledge base on cyber threat adversaries. For a sneak peek of course coverage, please review our March 2023 BrightTalk webinar or visit our website for details on Mandiant Academy courses.

We would like to thank the following for publishing critical research that we have included in the course: Kristina Balaam and team at Lookout Mobile, Lina Lua and team at Dell SecureWorks, Andy Greenberg, Intrusion Truth, Citizen Labs, Congressional Research Service, the Estonian and Ukrainian counterintelligence services, and multiple elements in the UK and U.S. governments regularly publishing advisories, indicting, and sanctioning foreign state-sponsored cyber elements.