TRANSCRIPT
Posted on 11-Feb-2017
Link by Link: Crafting the Attribution Chain
William Gragido, Sr. Manager, RSA FirstWatch, RSA NetWitness
Session ID: STU-T18A
Session Classification: Intermediate
Agenda
► About Me
► What is Attribution and Why Should We Care?
► Types of Attribution
► What We Gain Through A Better Understanding of Attribution
What is Attribution and Why Should We Care?
► Before we jump into attribution analysis, let’s talk cyber attack for a moment
► Cyber attacks are:
  ► Imminent
  ► Well understood…sometimes
  ► Common
  ► Sophisticated and non-sophisticated
  ► Criminal, subnational and state sponsored…sometimes all three
  ► Motivated by political, philosophical, monetary and diplomatic agendas
  ► Equal-opportunity driven, as the Internet is free and the price of admission is right
  ► Global occurrences that touch us all in one way or another
  ► Able to impact everything that means anything to us: our enterprises, our brands, our livelihoods, and our way of life
► Cyber attacks are serious business and often misunderstood at the macro level
What is Attribution and Why Should We Care?
► What is really under attack during a cyber attack?
  ► An asset?
  ► A person?
  ► A system?
  ► An entire ecosystem?
► Is it the certainty, the trust we place in these assets and personnel, that is under attack?
► Cyber attacks are psychological attacks
► Complexities that arise from our natural desire to favor certainty (feigned or real) in the face of conflict*
What is Attribution and Why Should We Care?
► Attribution is often discussed in the literal, HUMINT ‘who done it’ manner
► It’s also often quite misunderstood due to the absence and omission of psychology in the chain establishment process
► Establishing ‘linkage’ or relationships is paramount in establishing attribution
► Mature attribution can lead to effective deterrence
  ► Active Defense anyone?
What is Attribution and Why Should We Care?
► Attribution is the assignment of ownership of a threat act or action to a threat actor or agent
► Question: Do people care more about the threat act or action? The actor or agent? Or both?
► The discipline of psychology offers a few key definitions to consider as we discuss attribution
  ► Explanatory Attribution
    ► Answers the question ‘why’ someone does one thing or another
  ► Interpersonal Attribution
    ► Answers the question ‘why’ something occurs when 2 or more causes are present
What is Attribution and Why Should We Care?
► One of the greatest challenges defenders of network environments and investigators face today, due to several factors:
  ► Stateless nature of the Internet
  ► Volume of data so great that it could never be recorded en masse, making comprehensive analysis of the Internet and threat actors infeasible
  ► Price of admission to the Internet – no permission is necessary or can be granted / revoked
What is Attribution and Why Should We Care?
► Not a trivial matter
  ► Proving the identity of a threat actor or agent requires a great deal of work and evidence, in addition to collaboration between investigators, victims and law enforcement
  ► Potential for proclivities regarding the adversary to cloud vision and sound judgment, which can complicate conclusions regarding attribution
  ► Leads us to conclude that attributing the identity also, at times, leads us to infer the intention of the threat actor or agent
Types of Attribution
► Four principal concepts to grasp when beginning to consider attribution:
  ► Ownership (machine(s) used in the threat act or action)
  ► Location (geo intelligence)
  ► Threat actor or agent (HUMINT)
  ► Aggregate identity of individual or group
Types of Attribution
► There are two core types of attribution that investigators must be concerned with:
  ► Technological attribution
  ► Human attribution
► Broken down in a bit more detail, these forms of attribution answer the following questions:
  ► Who?
  ► Why?
  ► How?
  ► From where (geo intelligence)?
  ► Frequency
  ► Stages of attack / IOCs
  ► Evidence / artifacts
  ► Infrastructure (C2 / covert channel)
  ► Threat actor / agent
  ► Affiliation
Types of Attribution
► In order to establish concrete attribution one must establish:
  ► Agreement
    ► Amongst multiple parties
  ► Corroboration
  ► Uniqueness
    ► Signatures
    ► Approaches
    ► IOCs
    ► Beware the false flag!
  ► Regularity
    ► Frequency
    ► Repetition
    ► Execution path
What We Gain Through A Better Understanding of Attribution
► A clearer picture of who the threat actor or agent is and what their intentions are toward ourselves and others
► An opportunity to share intelligence within the research community
  ► Provided we can circumnavigate the cultural, legal, and national security impediments that present themselves from time to time
► The opportunity to better prepare ourselves for the next encounter with a threat actor or agent
► The opportunity to seek criminal prosecution for damages (where appropriate based on jurisdiction)
Questions & Answers