SESSION ID: EZCL-R07
The Attribution Game: When Knowing Your Adversary Matters
Katie Nickels
Principal Intelligence Analyst, Red Canary
#RSAC

Why We're Here
• What is our goal?
  – Better understand attribution and how we should handle it
• How will we achieve it?
  – Gain this understanding by discussing with each other

Agenda
• Frame Our Topic
• Ask Questions
  – Ask and answer questions as a large group
• Dive Deeper
  – Discuss further in small groups
• Share Our Takeaways
  – Provide read-outs from each small group to the large group
• Wrap Up

Frame Our Topic
Let's talk about attribution

What Attribution Can Feel Like

What is Attribution?
• Associating adversary activity with something else
• Many different definitions → confusion

What are Different Types of Attribution?
• We can attribute to…
  The "who"
  – A person
  – A team or unit
  – An organization
  – A government
  The "how"
  – Tools/malware
  – Other code
  – Tactics, techniques, and procedures (TTPs)
  – Infrastructure

How Do We Perform Attribution?
• Find patterns and connections
• Look for human fingerprints
  – Personas, email addresses, passwords
  – Reusing account names (e.g. UglyGorilla) or infrastructure
• Use operational security failures by adversaries
• Leverage different sources depending on collection
  – HUMINT (human sources)
  – SIGINT (intercepted communications)
  – OSINT (news stories, WhoIs, Passive DNS, malware research)

Different Methods of Attribution
• Associate what you find with someone else's research
• Create your own clusters
https://www.fireeye.com/blog/threat-research/2019/03/clustering-and-associating-attacker-activity-at-scale.html
https://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf

Does Attribution Matter?
• It depends on what you need: your requirements
• Sometimes it matters a lot
  – Making business decisions
  – Using instruments of power
    • Diplomatic, Informational, Military, Economic
• Sometimes it matters less
  – Defending networks
  – Responding to incidents (what about red teams?)

Ask Questions
Ask and answer questions as a large group

Dive Deeper
Discuss further in small groups

Possible Discussion Questions
• How does your team define attribution?
• What are your key requirements for your cyber threat intelligence team?
• When does attribution matter to your team? When does it NOT matter?
• How does your team go about performing attribution?
• What limitations do you have in performing attribution? What additional collection or information could help you?
• How can we better communicate clearly about attribution?

Share Our Takeaways
Provide read-outs from each small group to the large group

Wrap Up
Talk about how you can apply what you've learned

Apply What You've Learned Today
• Decide how your team defines attribution
• Identify your team's requirements around attribution
• Determine how you will track adversaries given those requirements

Thank you!
Katie Nickels
Principal Intelligence Analyst, Red Canary
@LiketheCoins
@RedCanaryCo
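The "create your own clusters" method from the Different Methods of Attribution slide, and the reuse of account names and infrastructure from the How Do We Perform Attribution slide, as an added worked example. This is not code from the talk or from Red Canary; the intrusion records, indicator values, persona handle, and the "commodity" lists are all constructed for the demonstration, and the ATT&CK-style TTP IDs are used only as opaque labels. It links intrusions into activity clusters only when they share an adversary-controlled, non-commodity indicator, keeps the evidence behind every link, and reports TTP-only overlaps separately rather than merging on them.

```python
"""Cluster intrusions into activity groups by shared, adversary-controlled indicators.

Added example (not the talk's or Red Canary's own code). All intrusion IDs,
indicator values and the COMMODITY lists are constructed for the demo.
"""
from collections import defaultdict
from itertools import combinations

# Indicator kinds specific enough to link two intrusions on their own.
STRONG_KINDS = ("c2_domains", "registrant_emails", "personas", "malware_families")

# Widely shared things that must never create a link by themselves:
# commodity tooling, shared hosting, registrar privacy-proxy addresses.
COMMODITY = {
    "malware_families": {"Cobalt Strike", "Mimikatz"},
    "c2_domains": {"sharedhosting.example"},
    "registrant_emails": {"privacy@registrar.example"},
    "personas": set(),
}

# Constructed sample intrusions (not real incidents).
INTRUSIONS = {
    "INT-001": {"c2_domains": {"update-check.example"}, "registrant_emails": {"ugly.gorilla@example.com"},
                "personas": {"UglyGorilla"}, "malware_families": {"FamilyA"}, "ttps": {"T1566.001", "T1059.001"}},
    "INT-002": {"c2_domains": {"cdn-sync.example"}, "registrant_emails": {"ugly.gorilla@example.com"},
                "personas": set(), "malware_families": {"Cobalt Strike"}, "ttps": {"T1566.001", "T1021.001"}},
    "INT-003": {"c2_domains": {"cdn-sync.example"}, "registrant_emails": {"privacy@registrar.example"},
                "personas": set(), "malware_families": {"FamilyB"}, "ttps": {"T1059.001"}},
    "INT-004": {"c2_domains": {"sharedhosting.example"}, "registrant_emails": {"privacy@registrar.example"},
                "personas": set(), "malware_families": {"Cobalt Strike"}, "ttps": {"T1566.001", "T1059.001"}},
    "INT-005": {"c2_domains": {"sharedhosting.example"}, "registrant_emails": set(),
                "personas": {"UglyGorilla"}, "malware_families": {"FamilyC"}, "ttps": {"T1021.001"}},
}


def shared_evidence(a, b):
    """Return (kind, value) pairs that are strong, non-commodity, and present in both intrusions."""
    evidence = []
    for kind in STRONG_KINDS:
        for value in a.get(kind, set()) & b.get(kind, set()):
            if value not in COMMODITY.get(kind, set()):
                evidence.append((kind, value))
    return evidence


class UnionFind:
    """Minimal disjoint-set structure so transitive links (A-B, B-C) form one cluster."""

    def __init__(self, items):
        self.parent = {i: i for i in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster(intrusions):
    """Return (clusters, links).

    clusters: list of frozensets of intrusion IDs, one per activity group.
    links: {(id_a, id_b): [evidence, ...]} so every merge is traceable to indicators.
    """
    uf = UnionFind(intrusions)
    links = {}
    for a, b in combinations(sorted(intrusions), 2):
        ev = shared_evidence(intrusions[a], intrusions[b])
        if ev:
            links[(a, b)] = ev
            uf.union(a, b)
    groups = defaultdict(set)
    for i in intrusions:
        groups[uf.find(i)].add(i)
    return sorted((frozenset(g) for g in groups.values()), key=lambda g: sorted(g)), links


def ttp_only_overlaps(intrusions, links):
    """Pairs that share TTPs but no strong indicator: worth noting for analysts, not worth merging."""
    out = []
    for a, b in combinations(sorted(intrusions), 2):
        if (a, b) not in links:
            common = intrusions[a]["ttps"] & intrusions[b]["ttps"]
            if common:
                out.append((a, b, sorted(common)))
    return out


if __name__ == "__main__":
    clusters, links = cluster(INTRUSIONS)
    for n, c in enumerate(clusters, 1):
        print(f"Cluster {n}: {sorted(c)}")
        for (a, b), ev in sorted(links.items()):
            if a in c:
                print(f"  {a} <-> {b}: " + ", ".join(f"{k}={v}" for k, v in ev))
    for a, b, common in ttp_only_overlaps(INTRUSIONS, links):
        print(f"TTP-only overlap (not merged): {a} / {b} share {common}")
```

With the constructed data, INT-001, INT-002, INT-003 and INT-005 collapse into one cluster (registrant email, then C2 domain, then the reused UglyGorilla persona), while INT-004 stays alone because everything it shares is commodity tooling, shared hosting, a privacy-proxy registrant, or TTPs. Keeping the `links` evidence alongside the clusters is the part that matters when the result leaves the CTI team: a cluster you cannot explain indicator by indicator is one you should not ask anyone to make decisions on.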
2020_USA20_EZCL-R07_01_The-Attribution-Game-When-Knowing-Your-Adversary-Matters