The APT1 report has been praised, and releasing the indicators of compromise (IOCs) "was a very good thing for all of us".
“I think the report is a good thing, a sign of deep dysfunction in security, a stimulant to information sharing, an indicator of failed foreign policy, a brilliant marketing manoeuvre and a bit of business as usual,” he said.
He said that he believed any information and incident sharing is good, and that while there is little in the report that can be considered actionable other than the IOCs, it will help organisations understand that targeted malware attacks are a problem and serves to document that the attacks are real.
He also said that the most valuable aspect of the report is that it demonstrates that such attacks can happen to anyone, and that this will show executive management that "we've always been in the deep end of the swimming pool and that it never was amateur hour".
Despite some criticisms that the report revealed too much information, Ranum said that this was a very good thing, “since many organisations will now be able to use them to look back into the past and discover things they might have been happier not knowing,” he said.
“The IOCs will provide indisputable data; I've already heard a few security executives ask, ‘if we look for this, and we find something, what does that mean?’ What I hope will happen from the APT1 report is we'll get some industry-wide reassessment of the effectiveness of some tools and techniques. It's that kind of information that remains sadly lacking.”
Ranum concluded by saying that the type of information sharing that is needed is around techniques and practices, tied to strong statements about what worked and what does not, specifically from those who were there when it happened.
“Until we start talking about that, our learning experiences remain private and much more costly since they will be repeated over and over again. The important point about the IOCs is that they're a measure of how ‘too late’ you may be,” he said.