Charles Carmakal - VP, Mandiant


Written by

To say FireEye has been busy in an understatement.

The company has been the go-to for a number of issues, including incident response and deep insight on threat actors that have caused headaches for government and companies worldwide.

At the nexus of FireEye’s work is their VP of their Mandiant division, Charles Carmakal. Everything from Trisis to FIN7 to social media influence campaigns has passed through Carmakal’s purview over the past year, making the company not just an industry leader, but an authority on how the security community should deal with threats.

CyberScoop: You’ve done a lot of work in some high-profile cases over the past year, with Trisis, FIN7 and Iranian influence campaigns to name a few. How do you see your work shaping the future of public-private partnerships.

Charles Carmakal: One of the reasons why I joined the firm is because I felt that Mandiant was doing some incredibly impactful things from an overall national security perspective.

In the earlier days we were mostly working with organizations that were targeted by organized criminal groups or foreign government threat actors that either stole a significant amount of data or they lost intellectual property that ultimately transferred jobs and money to other countries.

There’s a sense of pride and national security and the work that we were doing to help our clients. When I talk to the folks on my team, most people are saying, “We would do this work for free because it’s so cool.”

Over the years there were a number of things that we’ve done that we felt were pretty impactful and changed the geopolitical landscape to some extent. With something like the APT1 report, it was a relatively game-changing report. I remember as we were making this decision to go forward with that. There were a number of questions whether or not it was the right thing to do and would that have put a huge bullseye on our back. But what I think it did was it it finally took a lot of data that was derived from nonclassified environments and put it in the public domain, so that government officials could actually talk about the threat emanating from China. So that was one of the first times that we felt that we had such an impactful game-changing contribution to the world.

Now fast-forward: We were involved with a number of breach responses that we’re pretty notable. There’s no surprise that we worked on the breach response at Sony Pictures Entertainment. That’s incredibly notable because it was the first time that we saw a state-sponsored actor from North Korea tackle Western organization.

From a government corporation perspective and we’ve always helped the government when and where we could we’ve always encourage our clients to share information with law enforcement. We’ve also helped with analysis and research that led to indictments of other operators from multiple other countries. Our role in some of these indictments haven’t been advertised, but you could say there have been indictments in multiple countries that at least to some extent, we’ve played a role.

CS: How do you determine what to research? Is it client driven, internally driven, or a mix of both?

CC: It’s a little bit of both. but a large part of it is driven by clients engaging us to help them.

We had a large number of organizations reach out to us because they were actively compromised by FIN7. They didn’t know it was FIN7, but they knew somebody had broken into their environment and they detected breaches. But we also monitor them because they were a pretty sophisticated group.  For all intents and purposes, they were the most prolific financially motivated threat actor in our history.

But we also wanted to keep our eyes on FIN7. I’ll give you an example of something that we did that may not be widely known: They would mirror what the real website looks like onto a fake look-alike domain. They would send phishing emails to company employees or business partners and they would lure people into these fake sites.

They made this operational mistake of using a Russian virtual private server that had an IP address located in Canada. They set up probably 50 to 100 look-alike domains. So what we were doing was we were just passively monitoring DNS traffic to those IP addresses. Every time we saw a new domain pop up, it was pretty clear to us that they were trying to spoof the domain of a real company.

It allowed us to proactively notify organizations that were being targeted. It’s hard to conclusively determine this, but we’re pretty sure we stopped a number of FIN7 attacks by proactively notifying organizations about look-alike domains.

CS: We talk so much about security by design and taking the human out of the equation. Do you think we are making progress there? What more could the cybersecurity community to take away the error-prone human part of the equation? 

CC: We’re making certain strides in the right direction, and there are times we’re making strides in the wrong direction. But at the end of the day, you’re always going to have a human operator that will make mistakes. I really don’t like when people say “humans are stupid.”  Anybody could accidentally click on the wrong attachment or visited a compromised website. I think in some respects, some of the technology is getting pretty good at minimizing the impact of certain human errors.

I think we’re making some some improvements in the right direction. But there’s lots of new technology that comes out there that introduces a lot of other human opportunities for human mistakes. So, I don’t know if it’s actually heading in the right direction, but some things are working.