Wave Your False Flags! Deception Tactics Muddying Attribution in Targeted Attacks

Presented at VB2016, Oct. 5, 2016, 11:30 a.m. (30 minutes).

In the last year, there has been much debate over the accuracy and usefulness of attribution with regards to APT actors. Investigators have had an increasingly difficult time finding reliable and agreed upon metrics for attributing attacks. To further complicate this issue, some APT groups have fragmented, leaving them with limited infrastructure to conduct targeted attacks (perhaps by design). At the same time, more seasoned APT groups have been following publicly available research on the topic and using this information to introduce false flags into their TTPs. Researchers have long theorized on this possibility, we would now like to provide a wealth of real-world examples of attempts at false flag operations from previously unpublished research. The hope is to advance more mature discussions about attribution, the technical limitations entailed, and introduce a more realistic set of expectations for the actionable value of identifying the teams or individuals behind targeted attacks.

The in-the-wild examples will substantiate previously hypothesized claims about attacker responsiveness to wide-publication research and the intentional tampering of relevant indicators. Many of these examples come from unpublished research and unwritten observations from the original researchers themselves. The ultimate goal is to introduce realistic directives for the consumers of threat intelligence to guide their expectations in relation to attribution so as to avoid the lure of sexy marketing and instead be able to leverage data useful for network defence in the commercial and government sectors.


Presenters:

  • Juan Andrés Guerrero-Saade - Kaspersky Lab
    Juan Andrés Guerrero-Saade Juan Andrés joined GReAT in 2014 to focus on targeted attacks. Before joining Kaspersky, he worked as Senior Cybersecurity and National Security Advisor to the President of Ecuador.
  • Brian Bartholomew - Kaspersky Lab
    Brian Bartholomew Brian has 15 years of experience in cyber espionage operations, reverse engineering, penetration testing, and incident response.  Before joining GReAT, he worked at iSIGHT Partners, the US Department of State, and also spent three years in the United Arab Emirates. @Mao_Ware

Links:

Similar Presentations: