The Threat Intel Results are in… You are NOT the hacker! : Disinformation Campaigns vs. Attribution Claims

Presented at ShmooCon XIII (2017), Jan. 15, 2017, 11 a.m. (60 minutes).

Attribution is big business these days…but can we trust it? Is it more than a game of "finger-pointing?" How good are we at spotting false-flag operations? Are advanced adversaries successfully defeating threat intel feeds through disinformation campaigns? In this talk, we will demonstrate how attackers operate to counter defensive information sharing operations through a real-world demo of a successful disinformation campaign. Using existing threat intel data, we will convince analysts to misattribute our activities to another threat actor. To do this we will select our "copy-cat" adversary from existing threat intel data feeds, analyze their tradecraft, and mimic their modus operandi in the real world. We will taint several threat intel feeds, planting the seeds for our tactful misattribution tree, and we will then launch an operation against a real-world target in order to demonstrate that analysts using our victim feeds will misattribute our operations to the mimicked actor.

Ultimately, this talk calls into question the efficacy of threat intel solutions for attribution purposes - should we even bother with this data, or is it ultimately a "rat race?"

Presenters:

  • Mark Kuhr
    Mark Kuhr (@MarkKuhr) co-founded Synack after focusing over nine years on Cyber Security in Academia and Defense industries. Most recently, at the National Security Agency (NSA), Mark worked in roles that include Technical Director, Computer Network Operations Operator, Network Analyst, and Computer Scientist.