My next review for ‘Too Long: Did Read’ is Meta’s Adversarial Threat Report, Second Quarter 2022. I’d seen the ATR (best initialism I can think of) before and find the work by the Meta team to be exemplary in content, though it is far from the most polished report I’ve read. I chose it in large part because it is so very different from the PwC report I reviewed last week.
Overall Impression – If you’re a defender looking for more information about the threats social media organizations face right now, this is definitely for you. It has an appendix at the end of the report listing their public threat indicators: domains to block and YARA rules for your use. The report uses a very simplistic layout, which is mostly in its favor.
The content has plenty of information for beginning and mid-career responders. It might not be as interesting to experienced defenders who have other avenues to get the same information. If you’re in one of the many intelligence sharing groups in our industry, this information is probably already available to you.
While the content of the report is excellent, it needs more copy editing and better layout. It’s clearly a labor of love by the technical teams at Meta, rather than a marketing team trying to make an impression. This is aimed at a technical audience and not something you’re likely to be talking about with the CSO or other executives; they’ll want you to do something with the information, not take their time with the specifics.
The Good – Both the report and the blog post supporting it include the most important takeaways from the report right up front, as it should be. They’ve taken the time to identify what you’re going to get from the report, which is often harder than you’d think. The report is 36 pages long and without this summary, many readers might never do more than skim it and look at the appendix.
I appreciate that the authors are credited up front and are clearly people in roles responsible for creating actionable intelligence internally and externally at Meta. The ‘Key Findings’ section points to which organizations and countries are involved in Coordinated Inauthentic Behavior (CIB), which is the type of call-out we need to see more often.
I found Section 1, covering two South Asian networks, and the in-depth analysis of Cyber Front Z starting on page 20, to be the most valuable sections of the report, other than the Appendix. Diving right into Bitter APT and APT38, and providing significant detail, hooks the reader and makes some of the less valuable content palatable. The analysis of Cyber Front Z is just short of 1/3 of the total report, with screenshots and translations. I really like the observation that Z Team is taking lunch breaks and weekends off.
The Bad – The editing of this report needed another round or two before it was published. Sections 2, 3, and 4 spend more time on defining terms than they do talking about the groups and attacks the report covers.
I’m glad to see Meta explaining what they mean when they discuss emerging harms, but they use more real estate on those definitions than on the specific examples. In Section 2, fewer than half of the subsections contain examples. Three of seven only works if you’re part of the Borg Collective.
Run-on and poorly parsed sentences interrupted my reading of the report. As an example:
“We took action against a group of hackers — known in the security industry as Bitter APT — that operated out of South Asia, and targeted people in New Zealand, India, Pakistan and the United Kingdom.”
Meta ATR, Q2 ’22, Section 1, page 5
It’s easy to read this sentence as Meta taking action against hackers -and- targeting people in New Zealand, etc. Obviously not how it was meant! This might not bother some readers, but it is just one example showing more editing was needed.
Overall – Despite my editing issues with Meta’s Quarterly Adversarial Threat Report for Q2, 2022, it’s still well worth the time to read. I appreciate teams who want to share their intelligence with a wider audience. Even more, I appreciate seeing specific domains to be wary of. If time is of the essence, flip to page 21 to read the In-Depth section, then come back to the rest when you can.