Link by Link: Crafting the Attribution Chain

William Gragido, Sr. Manager, RSA FirstWatch
RSA NetWitness

Session ID: STU-T18A
Session Classification: Intermediate

Agenda

► About Me
► What is Attribution and Why Should We Care?
► Types of Attribution
► What We Gain Through A Better Understanding of Attribution

What is Attribution and Why Should We Care?

► Before we jump into attribution analysis, let’s talk cyber attack for a moment
► Cyber attacks are:
  ► Imminent
  ► Well understood…sometimes
  ► Common
  ► Sophisticated and non-sophisticated
  ► Criminal, subnational and state sponsored…sometimes all three
  ► Motivated by political, philosophical, monetary and diplomatic agendas
  ► Equal-opportunity driven, as the Internet is free and the price of admission is right
  ► Global occurrences that touch us all in one way or another
  ► Able to impact everything that means anything to us: our enterprises, our brands, our livelihoods, and our way of life
► Cyber attacks are serious business and often misunderstood at the macro level

What is Attribution and Why Should We Care?

► What is really under attack during a cyber attack?
  ► An asset?
  ► A person?
  ► A system?
  ► An entire ecosystem?
  ► Is it the certainty, the trust we place in these assets and personnel, that is under attack?
► Cyber attacks are psychological attacks
  ► Complexities arise from our natural desire to favor certainty (feigned or real) in the face of conflict*

What is Attribution and Why Should We Care?

► Attribution is often discussed in the literal, HUMINT ‘who done it’ manner
► It’s also often quite misunderstood due to the absence and omission of psychology in the chain establishment process
► Establishing ‘linkage’ or relationships is paramount in establishing attribution
► Mature attribution can lead to effective deterrence
  ► Active Defense anyone?

What is Attribution and Why Should We Care?

► Attribution is the assignment of ownership of a threat act or action to a threat actor or agent
► Question: Do people care more about the threat act or action? The actor or agent? Or both?
► The discipline of psychology offers a few key definitions to consider as we discuss attribution
  ► Explanatory Attribution
    ► Answers the question ‘why’ someone does one thing or another
  ► Interpersonal Attribution
    ► Answers the question ‘why’ something occurs when 2 or more causes are present

What is Attribution and Why Should We Care?

► Attribution is one of the greatest challenges that defenders of network environments and investigators face today, due to several factors:
  ► Stateless nature of the Internet
  ► Volume of data so great that it could never be recorded en masse, making comprehensive analysis of the Internet and threat actors infeasible
  ► Price of admission to the Internet – no permission is necessary, or can be granted / revoked

What is Attribution and Why Should We Care?

► Not a trivial matter
  ► Proving the identity of a threat actor or agent requires a great deal of work and evidence, in addition to collaboration between investigators, victims and law enforcement
  ► Potential for proclivities regarding the adversary to cloud vision and sound judgment, which can complicate conclusions regarding attribution
  ► Leads us to conclude that attributing the identity also, at times, leads us to infer the intention of the threat actor or agent

Types of Attribution

► Four principal concepts to grasp when beginning to consider attribution:
  ► Ownership (machine(s) used in the threat act or action)
  ► Location (Geo Intelligence)
  ► Threat actor or agent (HUMINT)
  ► Aggregate identity of the individual or group

Types of Attribution

► There are two core types of attribution that investigators must be concerned with:
  ► Technological attribution
  ► Human attribution
► Broken down in a bit more detail, these forms of attribution answer the following questions:
  ► Who?
  ► Why?
  ► How?
  ► From where (Geo Intelligence)?
  ► Frequency
  ► Stages of attack / IOCs
  ► Evidence / artifacts
  ► Infrastructure (C2 / covert channel)
  ► Threat actor / agent
  ► Affiliation

Types of Attribution

► In order to establish concrete attribution one must establish:
  ► Agreement
    ► Amongst multiple parties
  ► Corroboration
  ► Uniqueness
    ► Signatures
    ► Approaches
    ► IOCs
    ► Beware the false flag!
  ► Regularity
    ► Frequency
    ► Repetition
    ► Execution path
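As an added illustration (not part of the talk or of any RSA tooling) of how agreement amongst multiple parties, corroboration and uniqueness can be turned into a repeatable check, the script below scores candidate actors from a set of constructed reports. Each observation is "this source links this indicator to this actor"; a link counts only when independent sources agree on it, an indicator shared by several actors is down-weighted, and single-source links are set aside as needing corroboration rather than feeding the score, which is where a false flag would otherwise do its damage. The source names, actor labels and the TEST-NET-3 address are placeholders I made up for the example.

```python
"""Evidence-linkage scoring for attribution (constructed example, not from the talk)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """One link reported by one party: 'source says indicator belongs to actor'."""
    source: str     # independent reporting party (victim IR team, vendor, law enforcement)
    indicator: str  # signature, approach or IOC, prefixed with its kind
    actor: str      # threat actor or agent the source attributes the indicator to


# Constructed sample reporting: actor names, source names and the
# TEST-NET-3 address 203.0.113.7 are placeholders, not real intelligence.
OBSERVATIONS = [
    Observation("victim_ir", "ioc:c2:203.0.113.7", "ACTOR-ALPHA"),
    Observation("vendor_a", "ioc:c2:203.0.113.7", "ACTOR-ALPHA"),
    Observation("law_enforcement", "ioc:c2:203.0.113.7", "ACTOR-ALPHA"),
    Observation("victim_ir", "signature:loader-v2-build-string", "ACTOR-ALPHA"),
    Observation("vendor_a", "signature:loader-v2-build-string", "ACTOR-ALPHA"),
    Observation("victim_ir", "approach:spearphish-then-webshell", "ACTOR-ALPHA"),
    Observation("law_enforcement", "approach:spearphish-then-webshell", "ACTOR-ALPHA"),
    # The same approach is also reported for a second actor, so it is not unique.
    Observation("vendor_a", "approach:spearphish-then-webshell", "ACTOR-BETA"),
    # A single vendor reports a very specific artifact: unique, but uncorroborated.
    Observation("vendor_a", "signature:pdb-path-beta-dev", "ACTOR-BETA"),
]


def uniqueness(observations):
    """Uniqueness of each indicator: 1 / number of distinct actors it has been
    linked to. Tooling or tradecraft shared by several actors gets less weight."""
    actors_per_indicator = defaultdict(set)
    for obs in observations:
        actors_per_indicator[obs.indicator].add(obs.actor)
    return {ind: 1.0 / len(actors) for ind, actors in actors_per_indicator.items()}


def score_attribution(observations, min_sources=2):
    """Score each actor by corroborated, unique evidence.

    A link (actor, indicator) counts only when at least `min_sources`
    independent parties agree on it; its weight is uniqueness * source count.
    Single-source links are returned separately: they may be a false flag and
    need corroboration before they can support a conclusion.
    """
    weight = uniqueness(observations)
    sources_per_link = defaultdict(set)
    scores = {}
    for obs in observations:
        sources_per_link[(obs.actor, obs.indicator)].add(obs.source)
        scores.setdefault(obs.actor, 0.0)
    needs_corroboration = []
    for (actor, indicator), sources in sources_per_link.items():
        if len(sources) >= min_sources:
            scores[actor] += weight[indicator] * len(sources)
        else:
            needs_corroboration.append((actor, indicator, len(sources)))
    return scores, sorted(needs_corroboration)


if __name__ == "__main__":
    scores, flagged = score_attribution(OBSERVATIONS)
    for actor, score in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{actor}: corroborated evidence score {score:.1f}")
    for actor, indicator, n in flagged:
        print(f"needs corroboration ({n} source): {actor} <- {indicator}")
```

With the sample data, ACTOR-ALPHA ends up with a score of 6.0 built from three independently corroborated links, while both ACTOR-BETA links are reported by one party only and are listed for follow-up instead of being scored; the shared spear-phish approach contributes at half weight because two actors use it. The `min_sources` threshold is the "agreement amongst multiple parties" rule made explicit, and the uniqueness weighting keeps a single distinctive artifact from a single source from deciding the case on its own.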

What We Gain Through A Better Understanding of Attribution

► A clearer picture of who the threat actor or agent is and what their intentions are toward ourselves and others
► An opportunity to share intelligence within the research community
  ► Provided we can circumnavigate the cultural, legal, and national security impediments that present themselves from time to time
► The opportunity to better prepare ourselves for the next encounter with a threat actor or agent
► The opportunity to seek criminal prosecution for damages (where appropriate based on jurisdiction)

Questions & Answers