The Cyber5 Podcast

EP87: Identifying When Attribution of Threat Actors Matters and How to Track the Outcomes

Episode 87 | Jan. 4, 2023

In episode 87 of The Cyber5, we are joined by senior information security leader Charles Garzoni.

Episode 87 | Jan. 4, 2023

In episode 87 of The Cyber5, we are joined by senior information security leader Charles Garzoni.

Here are the 5 Topics We Cover in This Episode:

 

1) Defining When Attribution is Relevant and Necessary

Many corporations are not overly concerned with attribution against cyber adversaries, they just want to get back to business operations. However, if someone robbed your house, you would want to know if it was a random drive-by, or if it was your neighbor because that will inform your defenses much more appropriately.

2) Defending Against Nation States Versus Crime Groups

The ability to attribute between crime groups and nation states has large implications on a defense posture. First, organizations need to conduct a victimology assessment against themselves to determine what actors would want to steal from them. Second, an organization should list out priority threat actors targeting your sector and intellectual property. Third, they should look for customized detections and prioritized alerts as the resulting output.

3) The Human Element of Attribution

Engaging directly with threat actors (a different kind of human intelligence-HUMINT) is critical in understanding the human element of attribution, such as their motivation, TTPs, and intent. For ransomware actors, understanding their past actions will inform future recovery and negotiation efforts, for example. Organizations cannot do this without having attribution. For nation states, geopolitical context is critical to understanding security incidents, not to mention the “how” and “why” they are moving in your network.

4) Public Disclosures of Nation State Adversaries Are Effective

Public disclosures and indictments are effective disruption efforts, depending on the nation state. For example, demarche and indictment efforts against China put them on their heels and have a debilitating effect because of how they want to be seen in the world. However, Russian state operators look at disclosures as a badge of honor. Disclosures by private sector companies also can have just as much impact if the goal is to have disruption.

5) False Flag Operations

While it’s easy to say you are someone else, it’s challenging to look like someone else. Adversaries think masking their infrastructure to look like another adversary makes attribution challenging. Fortunately for analysts, it’s very hard to mimic TTPs exactly like an adversary, thus making attribution easier for defenders. Adversaries would need to study how the TTP implementation works, and they typically don’t do that. For example, when North Korea attacked Sony in 2015, their actions mimicked the same attack against a South Korean bank a year earlier in 2014 that made attribution straightforward. While they tried to improve and encrypt their command and control in 2015, the session logs between the two attacks looked almost identical.

Listen to other podcast episodes

 

Read Transcript

CHARLES: Being able to detect an adversary as early as you can in those stages, reduces, I mean, it reduces the consequences of what that actor can do, and that’s lowering risk, as well as showing that you’re saving an organization from having to expend a vast amount of resources to recover from a major incident. 

 

Whereas if you detect and contain as soon as humanly possible, you’re reducing that risk, and I think you can show that, and I think a lot of organizations have shown that, “Hey, had we not detected this-“

LANDON: Right.

CHARLES: This would’ve been the outcome.”

LANDON: Welcome to the award-winning Cyber5 Podcast. Here we discuss the most relevant cyber and physical security challenges facing enterprise businesses today. I’m your host, Landon Winkelvoss, co-founder of Nisos, the Managed Intelligence Company.

LANDON: Welcome to episode 87, everyone. We have Deputy CISO, Charles Garzoni, with us today to talk about a topic that is very near and dear to my heart, and that’s attribution, which is certainly very controversial and even debated within the security space. 

Charles, welcome to the show. Would you mind sharing a little bit about your background with our listeners, please?

CHARLES: I’m the Deputy CISO for a, oh yeah, a large healthcare organization and the staff vice president for cyber defense operations. And I previously came to Centene from the FBI, where my last assignment was with the U.S. Cyberspace Solarium Commission, under Senator Angus King and representative Mike Gallagher, it was a bipartisan cyber commission. 

I also retired from the Air Force, Office of Special Investigations, where I spent most of my career as a cyber agent, working cyber issue before I was promoted to the point uselessness.

LANDON: Let’s get a level set of what attribution actually means. So I guess, providing that when we’re talking about cyber adversaries, what does cyber attribution mean to you and what’s the difference between nation-states and what’s the difference between crime groups? Because that’s what the real threat to the United States is, and to business and enterprise. Kinda walk through it.

CHARLES: I started taking note of attribution, I mean, years ago. When I first started out in cybersecurity, I was doing incident response, but I did a lot of forensics and forensic analysis

And so, back then we were kind of doing attribution, but it was super easy because if somebody threw a kernel level rootkit on a Unix box, back then, they would just sign ’em. Like, hacked by whoever, right? Guardians of Peace, we’ll use Guardians of Peace, that’s a good one. And so, they would sign their rootkits or whatever and then other people would grab the rootkits, and like, “Hey, is this the same guy using the same root kit “or is it somebody else?” 

Even trying to find, doing analysis on a bunch of boxes and trying to find evidence of someone who compromised that box was interesting. Because, I mean, we had a lot of, obviously had a lot of tools available at our disposal, but, in the different positions that I’ve had, but, as an analyst had asked me, “Hey look, I can’t find what we’re looking for on this box.” And I was like, “Search for curse words.” He was like, “What?” I was like, “Yeah, search for curse words.” They like to cuss. 

So he searched for like, different permutations of like leet speak and curse words and sure enough, he found the actors. Like he found their tool repository. And so going from that to large scale attacks against corporations and governments and, whether it’s nation-state or criminal, attribution has gotten a lot harder. 

But it’s been interesting over the years, it’s, if you’re doing, first of all, I think people have a misconception of what attribution is, right? People, I think, people have an understanding that attribution is when you come out and say, “China, you did this,” or “Russia, you did this.” But that’s a public disclosure of that attribution. It’s not the, actually doing the attribution. Even on the Solarium Commission, I engaged with a lot of folks about that topic, ’cause on the commission, my portfolio was like, ransomware and different authorities that we can use to kind of go after attackers. 

And I engaged in a discussion with Melissa Hathaway, who is like this legendary cyber policy person. And she was like, who cares about attribution? You know, my conversations with her were, well, do you not want to know the entirety of everything that happened to you? So if somebody robs your house, do you not wanna know who robbed your house? Because I think it’s important. If it was your neighbor, hmm, that’s one thing. If it was some random break-in, that’s another thing. But that tells you, also, how to protect your environment, right? Like, knowing that, getting down in the investigation of attribution is, I think, important to understand who’s attacking you, why are they attacking you? But mainly ’cause you can’t protect against, you can’t defend against everything from everyone all the time. 

And so you need to dial-in your defenses. So I think, I mean, attribution’s important for a number of reasons. Maybe you’re in an acquisition, a merger and acquisition action, maybe you’re, or divesting, maybe you’re in negotiations with another country. It could be maybe there’s a certain set of actors that you’ve attracted for whatever reason. The why of attribution is important. I think it’s difficult sometimes separating between nation-state and criminal activity.

LANDON: Okay, so if China is attacking you or Conti or a ransomware group is attacking you, or any type of crime group, how are you gonna ultimately look at, like, you made a very good parallel of, is it somebody random that is just rattling the knobs and your door was unlocked or is it actually your neighbor. You’re gonna defend your house much differently. Take that path into crime groups versus legit APT nation-states.

CHARLES: So attribution, I guess, I mean it’s also important, sort of in the beginning stages of when you’re initially detecting attacks, like, you go spear phishing or whatever the initial means, is somebody scanning for vulnerabilities. As a way of dialing in your defenses, I think you kind of need to understand, like, what tactics the adversary’s using. So you might want to have like, priority threat actors, for example. So we work with a consultant who uses, like, the priority threat actor example, which is a great example. 

So it’s, but understanding what a priority threat actor to you would be is. So you need to do a victimology on yourself. Victimology is sort of a huge step in the attribution process. But so understanding who would come after you. What do you have that they would want? So listing out which groups would go after you for the things that you have would sort of make them, I guess, priority threat actors or whatever your terminology would be. But then understanding their campaigns, their IOCs, their TTPs, how do they implement their campaigns against their victims? And then being able to, and I think that’s important, for being able to write custom detections.

LANDON: Um-hmm.

CHARLES: For being able to prioritize alerts. So the IOCs generated from the campaigns, and then looking at the overall TTPs of those groups, I think is super important for defending your network.

LANDON: Okay. So you, you’ve established who’s trying to attack you. Before we kind of go into the outcomes, I’m just curious is, is the human element to attribution ever important?

CHARLES: I would say always. I think the difficulty there is how do you get that-

LANDON: Sure.

CHARLES: Information. In a lot of the cases I’ve worked, it was humans that came in to save the day. It was getting, and a lot of it was context. That human was the context. And that’s a lot of that, obviously that’s a lot on the, on the private sector side that we, we don’t have typically. I’ll say typically because there, I mean, there are some intel companies out there that have folks all over and do have some human sources. But I think it’s one of the most important things to have, But I think it’s one of the most hard, it’s probably one of the hardest things to get.

LANDON: Sure.

CHARLES: At least on the private sector side.

LANDON: You ultimately had, to the human intelligence angle like, take any cyber crime act or you’re able to actually find that down to a human individual and you find out oh, that person is actually a low, a modest and junior developer with not a lot of technical skill. Maybe we shouldn’t prioritize him as much. Is that really the, would that be a fair calculation in enterprise or is it really just about controls and just keeping the doors locked, so to speak?

CHARLES: Well, I mean, I think it’s a little bit about both, but you still need context, right, so.

LANDON: Correct. 

CHARLES: You know, now if someone is maliciously coming after you and doing disinformation campaigns against you, I mean, you’re back to understanding the entirety of the incident, right? We’ve seen actors like, standup domains, and then it, of course, and it looks like kinda your domain and they attack you from that domain. But I think getting back to, there’s gaps obviously, that we have when we’re doing these investigations because you, I mean, you either need to initiate a lawsuit, get a subpoena to capture some of that information to track back, but you can also, I mean, do a lot of that yourself. So like, infrastructure, tracking down infrastructure and things like that. 

But if someone is doing a disinformation campaign, and especially if you have lawsuits going, understanding that entire context during an attack is, I mean, it’s super, super valuable because now, when you get deposed, you’re gonna have to, you have other information, other than just the attack itself. You have the entire context, “Hey, there’s this, you know, “we’re involved in a lawsuit and there’s a group “that’s been attacking either, could be your CEO, “it could be whoever.” But I think that’s, again, you’re trying to go down the path of getting that context.

LANDON: You’ve identified what actors are likely to target your organization or your industry, whatever, there’s different flavors there for each, right? You set your defenses, you allocate for the tools you want, the data you need, and then you’re in the heat of battle, so to speak, for lack of better words. Obviously it depends on the scale of an organization. If you’re over a billion dollars, you’re going to be facing a lot bigger scale of, than companies that are smaller. What are the outcomes that you generally want to prioritize?

CHARLES: Maybe we can take the ransomware example, right?

LANDON: Yep.

CHARLES: So typically you’re gonna start doing attribution immediately, once there’s some kind of incident, right?

LANDON: Um-hmm.

CHARLES: So not all ransomware actors are gonna identify themselves immediately.

LANDON: Right.

CHARLES: Some of ’em do, some of ’em don’t. But you’re starting to do attribution right away. If you get a note from an attacker or there’s communications from an attacker, understanding how that actor operates and who that actor is is super important for what we’re gonna do next. 

So for example, we’ll maybe we’ll immediately start negotiating with the actor. While we’re doing that, we’re trying to ascertain, okay, so who is this actor? What are their general TTPs when it comes to attacking organizations? Do they typically, do they exfil first and then launch their ransomware to encrypt stuff? I mean, do they just do extortion, are they doing double extortion? Are they doing third party extortion? So that’s, the third party extortion is interesting. For example, if I know that typically the actor doesn’t exfil first, and I just have to make decisions on what are the follow up actions. So if I just need to decrypt stuff, that’s one thing. Am I gonna pay to do that? Probably not, but, or are they extorting us from the data? If they say, okay, we stole data, what is that data and how valuable is it? And if they release it, are there gonna be like, catastrophic like, consequences? 

But you’re assessing in each phase of that incident, who is it, what are their goals, what are they trying to do? Are they just trying to liquidate assets fast? They just wanna extort you over the PII, your PII, PHI, whatever it happens to be, and what do you do next? And so I think we use it to inform our decisions, sort of moving forward. But again, you can’t do any of that unless you understand who the actor is, what their TTPs are. You know, attribution is a buzzword, but you’re doing it all the time, right? You’re actually doing attribution all the time. Now you may not send out a fancy report, like, oh, we assess with moderate confidence, ’cause everybody says moderate confidence, we assess with moderate confidence that this actor is doing X, or did X, Y, Z. But you’re doing, you’re actually doing that attribution all the time, from when the SOC first gets the alert, you’re, because you’re trying to understand the nature of an incident. What is happening, what could happen, what are the potential consequences? And I think you’re constantly weighing those all the time, especially in regards to ransomware.

LANDON: Give me the 30-second to a minute rundown on if it’s a nation-state, which is just going to be like, look crime ware, crime groups, you can put up the defenses and they’re gonna go somewhere else ’cause they got an ROI return.

CHARLES: Yeah.

LANDON: Nation-states, as you know, we are both former government, they just don’t think like that.

CHARLES: Yeah, much, much different, right? I mean, with ransomware actors, it’s fast, fast, fast. ‘Cause time is money, it’s commodity in a lot of cases. For nation states, it’s going back to victimology. What do you have that like, and say you did all that. 

A nation state, if they’re going low and slow, right, it’s much more difficult to detect. There’s gonna be a higher, typically a higher dwell time. You know, you might catch ’em by accident, you might, maybe you have good defenses. But either way, I mean, attribution for nation-state is still, I think, applicable to most folks because like, are you doing an acquisition in a foreign country, for example? I won’t mention any country names, but-

LANDON: There’s always context of why they’re doing what they’re doing, is that fair to say?

CHARLES: Absolutely, right, so-

LANDON: It’s geopolitical context, I mean a lot.

CHARLES: And I think that’s a huge point you just made. And I think that’s, I think we as cyber folks, sometimes tend to forget that, what is happening around the incident, not the incident itself, but what’s happening around that incident. What are the socioeconomics, geopolitical, what are those types of activities happening that could inform what’s happening? 

If you’re doing a merger and acquisition in a foreign country, the chances are that foreign country’s gonna be super interested in, whether they’re trying to get a higher position in negotiating, on the negotiating table or whether they’re trying to stop it. Maybe just put a wrench in that acquisition. But either way, I mean, I think it’s, and it depends on who you are. If you’re if you’re a clear defense contractor, like a CDC, then there’s a lot, I think there tends to be a lot more at stake for you understanding immediately right off the bat, like, who’s coming after you. 

Are they after PII, PHI? Like, are they after, and why are they after that? Are they, do you have government contracts, or is the adversary after getting medical information, are they-

LANDON: Um-hmm, um-hmm.

CHARLES: And I think, and again, understanding that is super useful for trying to figure out, again, how do you defend against that?

LANDON: Is public disclosure of nation-states ever effective in your opinions?

CHARLES: I’m laughing because, so yes, right?

LANDON: Oh, interesting.

CHARLES: But everything surrounding it is gonna inform that answer. So, it depends on who, and like I said, as cyber people, we don’t always think about the outlying implications of what’s happening in the world at the time. 

But I think it’s important to, I mean, the public disclosure, is it a, are you using it for a foreign policy tool? Are you using it for, to hold someone accountable? It’s, indictments and things like that are all part of that toolbox. And I know we, so I was involved with some operations in the past where the State Department was the hero.

LANDON: Um-hmm, oh wow.

CHARLES: Because they demarched a foreign country and it just had an unbelievable effect of back, like watching the backpedaling.

LANDON: Oh wow, interesting.

CHARLES: From that country. They’re backpedaling, they’re like, baseless, groundless accusations.

LANDON: Yeah, so wasn’t it you know, the CIA, wasn’t FBI, it wasn’t, the private sector companies investigating the incident is actually the State Department who is the diplomatic arm. And I’m sure there’s a public disclosure from some regard who actually had the most impact.

CHARLES: Right.

LANDON: To disruption.

CHARLES: Yeah, I mean, but that demarche, the simple act of the demarche, really hit them because that specific country doesn’t, they don’t like to be called out. They don’t like to be named and shamed. And I don’t think we realized that back in the day ’cause you know, we’re all doing fancy cyber stuff in the way that fancy cyber people do it, I guess. And so I had to go back and sort of assess what some of the operations that were occurring was. Okay, did anybody have any effect? 

It’s like, yeah, the State Department’s the hero in this case. And most people don’t even know what a demarche is.

LANDON: Sure.

CHARLES: But it was that simple act by State Department. And so that public disclosure, in that case, was super effective, right? It was setting the stage. It was telling the world, “Hey, hey country, “we know what you’re doing and it needs to stop, “or there’s gonna be further consequences, right?” 

I mean an indictment is also a, right, a public disclosure. So I mean, if you’re just doing a sealed indictment and then you’re not gonna make a public announcement, that’s one thing. But if you’re gonna do a public indictment, that’s also sort of a public disclosure sort of. You’re also, you’re naming and shaming, but I think there’s an added benefit of, “Hey, country X, we’re gonna hold you accountable. “Like, we did an investigation, we know what you did, “we’re gonna hold you accountable.” 

I don’t think that’s, I mean in the, in the list of, in sort of the toolbox of cyber operations, that’s definitely a huge thing in that toolbox, right? I mean, DOJ has to, they’re gonna make sure that we’re holding people accountable-

LANDON: Sure.

CHARLES: For their actions, but sometimes we don’t want people to know that we’ve made an attribution. On the private sector side, obviously, it’s, you naming that attribution probably doesn’t have much of an effect. But if the government does it, that’s different. ‘Cause there’s, I mean there’s policy implications, there’s foreign relations implications, probably not a lot of benefit for a private sector organization to name that, unless you’re like a cyber threat intel company. And then you gotta do it all the time.

LANDON: Right right.

CHARLES: And you can’t be wrong.

LANDON: Right, for sure.

CHARLES: You’re gonna get bashed if you’re wrong. And I mean it’s a lifecycle, like attribution is a lifecycle intelligence process. It’s not, an attack happens and you’re gonna come out three weeks later and say, “Oh, these people did it.”

LANDON: And that’s, that was like the underlying question of where I was at, where I was going, right? If the State, does a private sector company attributing, have the same impact as the State Department?

CHARLES: Again, I think it goes back to context, it can. So if you look at the APT1 Report, I mean, man, huge effect, right? I think that had a huge effect. And it was the first time anyone had really, a private sector company had come out. But everyone knew who, Mandiant was in this example. Like everyone who knew who Mandiant was, they had a great reputation.

LANDON: Right.

CHARLES: And they were, they were wrong, right?

LANDON: Sure, right, right.

CHARLES: They backed it up. They backed those accusations up and it was really, I think, life altering for the cyber community. And I think it was part of that effort to set that stage of making the world aware that this was happening. Because I think previously, like, most people had no idea China, Russia, Iran, North Korea was hacking us. Like, you’d hear about it now and again, but it was like, government spy-versus-spy type stuff. It’s not a private sector threat intel company coming out and saying, “We know you’re doing this.”

LANDON: At a relentless pace.

CHARLES: Yeah, here’s the TTPs. And now you’re giving people a chance to defend themselves by looking for those TTPs. But I mean there was a lot of, I think there was a lot of uses, but we said they’re outlining their TTPs to help you with your defenses, and then they’re kind of naming and shaming, right? And they’re publicly outing these campaigns that have been happening against the U.S. for years.

LANDON: I wanted to ask that question, because I think a lot of people see attribution as like, “Oh, they’re just marketing themselves.” And look, I mean, I’m not, not to say that we’re guilty, the private sector companies aren’t guilty of that.

CHARLES: There have been a couple that that did that and they did it so poorly.

LANDON: Correct, well then I, but yeah.

CHARLES: Blew up on their face.

LANDON: A hundred percent, right, but I was just very curious on how it actually does have an impact, and what’s, what’s the proper way to ultimately have an impact, and I think I got it.

CHARLES: Yeah, I mean it’s, what’s the goal you’re trying to accomplish, but-

LANDON: And I think that’s, I think if every private sector questioned, honestly asked that, I think that that would probably, you’d see, it would be much more effective.

CHARLES: Yeah, I mean, and in a lot of cases when I deal with foreign countries, you’re dealing with spies. You’re dealing with foreign intelligence services, who are, who have trade craft. And they tend to go with what they know a little bit. So there are TTPs that you can follow, even though they change ’em. 

But I think it’s still super important because if we previously didn’t know something was happening like that, like the Mandiant APT1 Report really set the stage for that to happen across the board when people have information to share that. And I think sharing information with each other, is the best defense we can get. And not information sharing for the sake of information sharing, but actionable information that, I don’t wanna use the actionable intel.

LANDON: What does actionable mean in the private sector, right? I mean, I think in the intel community that means one thing, that means somebody is ultimately going to react to that information or do something with that, somebody else is going to do something. What is that, that means, it’s something very different, I think, in the private sector. I’m kind of curious here.

CHARLES: And I don’t know that it’s super different. I mean, you do wanna report to law enforcement. You do want to get help when you’re facing an incident. But I think it’s also important to have that industry outreach because, one thing the government doesn’t really do well, is consolidate information and then generically share that out.

LANDON: Right.

CHARLES: Like, I think the government, I mean, well there’s so many cyber incidents, how do you-

LANDON: How do you do, how do they do that better? That would be so amazing.

CHARLES: And we’ve been trying to like, for years, get that better. Like, is there a server that somebody stands up and it’s like we just transfer stuff via STIX and TAXII?

LANDON: Yeah.

CHARLES: Like, or is it the whole threat? Like the, how do you, the actionable piece is you want to defend your networks, but you need the information to do that. And maybe you don’t have the expertise either, but I think the actionable part is getting that information and then implementing it so that you can gain visibility into what’s happening on your network, right? But to ascertain, is an adversary trying to impact your network? With TTPs that maybe, right now, you can’t detect, and then but once you dissect those TTPs and then put those into your tools and then, okay, so this is how I’m gonna be able to detect that activity. So I think that’s what actionable would be.

LANDON: Right.

CHARLES: But it’s also, again, sharing that information with the intelligence community and law enforcement.

LANDON: I’ve seen more mature companies take actionability, as in like their reporting and detections actually show how you reduce dollar loss. Is that possible, or is that really, is that rare that you see that level of maturity?

CHARLES: My sort of strategy, is sort of detection, detection, detection. Like, do everything you, I mean, there’s no perimeter anymore. Like, I mean there is, but it’s a thin veil, right? It’s okay, you put a lock on your door, great. If somebody wants to get in, they’re still getting in. But being able to detect an adversary as early as you can in those stages reduces the consequences of what that actor can do. And that’s lowering risk, as well as showing that you’re saving an organization from having to expend a vast amount of resources to recover from a major incident. Whereas if you detect and contain as soon as humanly possible, you’re reducing that risk. And I think you can show that. And I think a lot of organizations have shown that, “Hey, had we not detected this, “this would’ve been the outcome.” Like, “Okay, our file shares would’ve been encrypted, “we’d have spent the next three weeks-“

LANDON: Yeah.

CHARLES: “Trying to decrypt that, but we detected the actor “like, you know, within a couple hours “of them gaining access “and then started throwing blocks in place.” So, I mean, I think it’s palatable and I think it’s easy to show that.

LANDON: When you talk through attribution, there’s a lot in the media made about false flag operations between different adversaries, kinda walk through that.

CHARLES: I mean, I think we mentioned about the, the Sony war, but that, the whole sort of Guardians of the Peace issue. If you remember the Guardians of the Peace claimed responsibility for Sony. I mean, of course we all knew it was North Korea. I mean that is like the basic, I think, version of a false flag. There are adversaries who try to make it look like they are other adversaries. And that issue is, we tackle that issue a little bit in a number of situations. But 

I think it’s, usually an adversary will see another adversary compromising an organization and then they slide in behind them. I’ve seen that more than anything, of them using another adversary to piggyback off of an attack, which makes attribution, very difficult, right? And we’ve seen that a couple of times where, okay, now you’ve got an adversary, so coming in from totally different infrastructure, doing different things inside the victim organization. I think we see more of that than anything else. But we’ve also seen adversaries try to make it look like they are other adversaries. And I think that is very hard to do, where I think it’s easier to follow another attacker and kind of make it look like you are them. But I think it’s very difficult for one actor to do an attack in the same way that another actor did it. 

Most likely, most actors have bad OpSec, right? I don’t think they’re not looking at OpSec and they don’t necessarily study the implementation of TTPs, which I think that’s, if you look at the structure of attribution, you’re looking at victimology infrastructure tools and then the implementation of those tools onto a victim organization. But I don’t think a lot of adversaries, they don’t really study the TTPs, in depth, of a competing country or even another country that’s friendly to them. So I think it’s very difficult. I think, but those false flags, obviously, it’s designed to try to fool you. 

And I know people wanna rush judgment to attribution, they wanna rush that attribution. And I can’t count how many times like, the White House would ask, “Hey, okay, who did this?” We’re like, “Hey, do you mind if “we do an investigation first, “or you want us to throw dart to the dart board?” And like, they’re like, “But you said, you said China.” I’m like, “Okay, we said low competence China, “we didn’t say it was China, we said low competence.” And they’re like, “Sanctions.” We’re like, “Wait a minute, “let’s finish the investigation first.” But I think those false flags are trying to do just that, right? They’re trying to lure you into taking impetuous action against another adversary that’s not them. It’s easy to say that you’re someone else. It’s very hard to actually make it look like you are someone else.

LANDON: Why is it so challenging to actually look like somebody else, at a more technical level?

CHARLES: I think you would have to study the way that the actor that you’re emulating implements their TTP. You would have to follow their entire process of how they do victimology.

LANDON: I mean, do you really, you almost need a copy of their sessions from command law. I mean, that, you don’t get that.

CHARLES: No, right? I mean, I agree, I mean, on the technical side, I think that’s the challenging part. And that’s why actually, for the Sony incident, it was actually very easy to figure out who the attacker was, because it was all the things surrounding that incident that informed attribution. It wasn’t, the technical piece of it, we looked at that, but there was a previous attack on South Korean banks and broadcasting stations that we dissected that attack a year prior. And we’re like, and we knew who the adversary was.

And then when Sony happened, we looked at the attack pattern and we’re like, they fixed every deficiency in their attack pattern that we identified a year ago. Like these are the same, the same people. I mean, we already had kind of an idea that it was probably the same actor. But when we dissected that previous attack, well like, they fixed, like, they encrypted their C2, whereas previously they didn’t, they were making like bonehead level mistakes and it looks like they just kind of closed that OODA loop in their development cycle and fixed everything that was wrong. 

But did things in, they implemented those TTPs in a very similar manner. And that’s what informed us. But I mean, other adversaries typically don’t, I don’t think they do that kind of analysis, right? Like, and I think it’s hard to do that analysis unless you have the malware, you have logs like, so the, the other country would have to steal all that stuff, typically, unless they were cooperating.

LANDON: If it’s that hard, then why even try, why even take the time and resources to try to do it?

CHARLES: It’s misdirection, right? I mean, adversaries tend to go with what they know. And I think I mentioned that before, too, but they have a set way of doing things in a lot of cases. And the real difficult piece is when you get a random actor, comes out of left field, and using new TTPs, new infrastructure, new ways of implementing those TTPs onto a target, and now you’re like, starting from scratch. Without an adversary, like studying another adversary in great detail. you just can’t implement the same, like, you’re not gonna implement those TTPs onto a target in the same way.

LANDON: Charles, pleasure being on the show. Thank you for all your, thanks for the past hour. I enjoyed the conversation and congratulations on the success, going from public sector, to private sector