Podcast transcript: Does threat attribution matter?

This automatically-generated transcript is taken from the IT Pro Podcast episode ‘Does threat attribution matter?’. We apologise for any errors.

Adam Shepherd

Hi, I'm Adam Shepherd.

Connor Jones

And I'm Connor Jones.

Adam

And you're listening to the IT Pro Podcast where this week we're talking about the importance of attribution.

Connor

Large scale cyberattacks are becoming increasingly common. And it seems that whenever one is discovered, it kicks off a flurry of speculation as to its origins, with mysterious code names like Fancy Bear, DarkHotel and Bronze Edison used to identify recurring groups of hackers, pointing fingers at the perpetrators of cybercrime is a key priority for many security professionals.

Adam

But why do researchers and security analysts invest so much time and energy into tracing attacks back to their source? Joining us on the podcast this week to talk about some of the methods used in the process of attributing hacks, as well as why attribution can only offer so much help, is Don Smith, Vice President of SecureWorks' counter-threat intelligence unit. Don, thanks for speaking to us today.

Don Smith

No, it's a pleasure, looking forward to it.

Adam

So Don, to start off with, why does attribution continue to be such a focus in the world of security? What kind of advantages are there to being able to identify the perpetrators of cyber attacks?

Don

Yeah, it's a really interesting question. And I very often ask myself, that that very question. Why do we put effort into into attribution? Why is it important? And, you know, there's part of me that thinks attribution is is unimportant, it's, it's there as part of an emotional response, a victim wants to know, who is it, that's been, you know, trampling in the network, who's been who's burgled their house, so to speak. And there is a certain set of phases that victims go through where initially, they want to know who - and the press, as you indicate, are very thirsty for who. And then you arrive at someone like me, that runs a fairly large scale Intelligence team. And we know that we want to attribute not necessarily to a human entity, but to an intent, to a cluster of activity, so that if we see aspects of that same cluster of activity again, we can say to customers, we think this is Chinese espionage, we think this is disruption, we think you're about to be ransomwared. So it's very, very important to attribute to a degree, attribute to you know, what, in the old days, we used to call intrusion set, to these names that security companies come up with, attributing beyond that clustering to, to individuals or organisations or countries is much, much harder, because of the aperture that we do or don't have as security companies compared to, say, the intelligence community. And the benefit is, you know, bluntly, not as tangible to us in terms of our effort. So what you will find is, there's an awful lot of effort goes into, you know, attributed to the clusters, less so to attributing to individuals, with the one notable exception of governments, where it's very important to have attribution for some of these attacks. Politically, it's very important for the FBI to be able to indict people knowing full well, they're never going to arrest them. But that allows the US government to point out to China or Russia and say, We know who you are, we can track this. And in the broader political debate, we can point fingers at you and say, Come on, can you please stop this? That's a wee bit of a rambling answer. But you can see that there are phases of attribution or how deep do you do your attribution? And then there are different rationales as to why you're doing these different bits of attribution.

Connor

Sure. So how does attribution work? How do you, how do you approach it?

Don

Yeah, so with us, with SecureWorks, and with many others, similar to us, we use various different sort of structured decision making things. The diamond model of intrusion analysis, most people will be familiar with, where you have four vertices, you have actor, you have tooling, you have infrastructure, and you have victims. So if we see common infrastructure and common tooling, targeting inter-governmental organisations consistently, for example, we can then say, well, we don't know anything about the actor here, but we can infer that there's a cluster of activity, which is using the same Internet facing infrastructure. It's using the same malware and it's targeting very, very similar victims. So let's loosely couple couple this together. And in the past, particularly for hostile state actor groups. It was, I wouldn't say relatively easy, but there was a lot of bespoke malware used, which meant that you could almost directly couple use of, you know, say, Xagent to Iron Twilight in our language, Fancy Bear in other people's language. Increasingly, these days, the bad guys are living off the land. So LOLBins, they're using tools that are present on most endpoints. And, you know, intrusion frameworks like Cobalt Strike. Because, you know, fundamentally, if you're a hostile state actor, and you get discovered, you failed, because the whole point of your covert action is that you're conducting espionage and you're not discovered. So the bad guys have worked this out. And also, Cobalt Strike is a great framework to use, where we're seeing increasing reuse of tooling. And indeed, recently, the hostile state actors are starting to learn from the large scale e-crime groups where sometimes the first stage command and control infrastructure that the malware is talking to, is compromised SoHo routers, and there's lots of reasons for that, you know, first, first hop being in country, so on and so forth. But it's getting increasingly hard to attribute from the tooling perspective, starting to get slightly harder, but not massively hard, from an infrastructure perspective.

Adam

So you've mentioned kind of some of these already, but what are some of the main barriers that can get in the way of accurately identifying who's carrying out an attack?

Don

Yeah, so I mean, if I take a step back a number of years and think about a threat group that we would call Bronze Union, others might describe them as Emissary Panda. And later on, we'll probably get to how do you define the edges of these buckets, but that's a different story. They were an interesting group for us, we were very well sited on them because of a number of key customers, who were clearly on the whiteboard of some part of China, and there was repeated attempts to get into their networks. But what we could see was a very mixed intent. We could see them targeting inter-governmental organisations and NGOs. And we could see them targeting the American defence industrial base. And it was a bit of a head scratcher, you know, like, which part of the Chinese government has both of these things as as kind of a targeted? So you, you look at this, and you ask yourself the question, Why could this be? And there's, there's at least three candidates here. One is that yes, there is a part of the Chinese government that's interested in all this. The second one is that there is a subcontract landscape in China, just as there's a subcontract landscape in the UK and in the US, where there are large scale IT providers that are doing work for the government, and this may well have been outsourced. And it may just be that one of these outsourcing organisations has picked up two different projects, and they're happened to reuse, reuse some tooling. And then you have a third candidate, which is, of course, the concept of a quartermaster where, for example, in China, is there a digital quartermaster who's building, you know, an entire warehouse of tooling, which actors with different intents can come in and sort of check out their malware, check out some operational relay boxes, and for years, I think, was it Trend Micro, maybe over a decade ago, Ned Moran and Nart Villeneuve, I think, put out a report on the digital quartermaster. And more recently, our ShadowPad reporting. I think we put some of that out publicly in January or February, where we are seeing the ShadowPad malware being reused by multiple groups with multiple different intents all from China. And we're seeing slightly different mechanisms in the way it's been launched, once it first arrives on on an endpoint, and that's allowing us to partition the activity. And when we partition that activity, it very neatly allows us to actually attribute these different clusters of ShadowPad to different parts of the sort of Chinese adversaries that that we're looking at. So yeah, so we've got subcontractors. We've got reuse of infrastructure. We've got a potential digital quartermaster, and I guess there's a fourth one, which is of course digital false flags. And in the case of the attacks against the Winter Olympics, it was pretty clear that the Russians were trying to false flag their actions as North Korea, which didn't go very well for them because it was very obvious.

Adam

I think NotPetya as well is a great example of that; stuff that was written to look like ransomware, while in fact just being a data scrambler.

Don

Exactly, yes. And if you, it just took a very quick look from a competent malware reverse engineer to say, there is no way you're getting any of this data back. This is this is disruption. This is this is not, the intent isn't monetary gain, the intent is something different here.

Adam

So I just want to touch on something quickly, before we move on. We've spoken a lot about nation state linked groups, and kind of large scale e crime gangs. But what is the kind of crossover between those two groups? Is the practice of subcontracting kind of off the books, if you like government, kind of offensive cyber actions, to these groups, does that muddy the waters a bit when it comes to accurately attributing some of this activity?

Don

It can do and varies, it actually varies by country because of the way that they're structured. In the case of say, Iran, it is definitely not uncommon for people who are targeting sort of national security objectives to also be doing a little bit of ransomware on the side, which is not directed from the state. And our reporting on Cobalt Mirage, which you may have seen, that came out recently is describing one of these groups, so you've got that kind of scenario. In China, I guess, similarly, we've seen a little bit of freelancing historically, particularly in gaming companies, by, you know, people who would be normally associated with an espionage intent. For more recently, and again, we've put this out publicly, the Bronze Starlight reporting, we've seen ransomware actions occurring, where we actually believe that it's a cover for the espionage activity. So if you ransomware an organisation, their focus is on cleaning up from that, rather than understanding that they'd had someone in for a period of time previously, that was taking data. So yeah, they, the relationship between the state and the actors, is fuzzy. Of course, I'm sort of wryly chuckling because we're talking about the challenge of attribution. And obviously, smart journalists, like yourself Adam, have asked me some of the hardest questions about attribution in the course of it. And then you come to Russia, it's, it's a bit more opaque. Again, our direct observations, our ability to track back up and understand what is going on there is is very difficult, you know, I'm not the NSA, I'm not GCHQ. ContiLeaks, gave us, gave us some sight of that. And we've and we obviously have an aperture, which gives us some breadcrumbs over the decades of how these large scale criminal gangs are operating. And you don't have to read too many books about Russia to realise that you cannot be a large scale criminal gang operating in Russia without some kind of tacit approval or sponsorship or, you know, money changing hands with with the state, you know, as many have said, Edward Lucas, Luke Harding, Russia is a mafia state. There's a big difference between between that, which is, you know, ongoing acceptance and other such stuff, of, of criminality in your country, and direct tasking of the, the actors towards, you know, a national security game. I think in Russia, we still have, certainly, with the SVR, a sort of legacy of historic kind of KGB, where they're remaining aloof from some of this, the GRU are obviously have got a military intelligence focuse and the FSB are sort of stuck between the two of them. And there are definitely some links going on there. But I think the the Russian state actors are likely to be in control of what's going on. And plus there has been some evidence of limited tasking through the big e-crime malware families; I think very much these should be regarded as something separate from the state, which is something which very frequently gets blurred in the media, particularly when Russia invades Ukraine. And someone thinks that all the banking botnets or loader botnets are going to go after the West.

Connor

And can I jump in and ask about sort of the different degrees and the different thresholds of confidence to which you can attribute attacks to get for given strains of malware or things like that? Because, you know, in my, in my time as a security reporter, I've read countless sort of write ups of different attacks and CVEs and stuff like that. And we sort of often see, like, different reports, say, with medium high to high confidence we can, we think it's this threat group or with high confidence, we think it's another threat group. And I know we've talked, we've spoken about, like, the different things that you're analysing when you're looking at an attack, like sort of common infrastructure tooling, common victims. So yeah, what so yeah, what can you tell me about how the different thresholds are applied?

Don

Sometimes you're, sometimes you're very lucky. So I'm not going to answer this in terms of thresholds, apologies Connor. But if I give some examples, you find a very unusual password being used, and perhaps a very unusual account name that's been created by threat actor, what are the chances that the same threat actor is landing on a server and creating a highly obfuscated account name, assigning exactly the same privileges, looks like they're operating off a script, and then assigning a bizarre password, which you would never, never chance upon, you can say with a very firm degree of confidence that the human operator behind this is the same human operator. There are other traits. People having favourite places to store their tooling. So we had one instance where there was a particular Chinese group where the folks liked to store their drivers and their malware in the folder, the sort of default folder that is always created on laptops by vendors, you know, so there's a, there's a C:/HP, there's a C:/Dell, there's a C, whatever, Lenovo, and they were dropping their tooling in there. That's probably one that's more reused. We had fun with that one, when a particular, again, highly targeted organisation replaced all of their HPs with Dell. And the threat actor re-compromised them, and continued to create and dump their tooling in a C:/HP folder on a Dell computer, which is a bit of a giveaway. So you sometimes get some really golden nuggets there; the best ones are obviously where there's an OpSec failure, where the bad guy forgets to fire up his VPN, where they leave things open on their command and control server, where there are traces of details of their build environments and the paths in the PDB strings. A great one for Iranians is that obviously Iran uses an entirely different calendar to us, you can see dates, which are in a different calendar. So at this point, you're you're just always looking for little traces of things where you can say, Oh, that's a bit different. And then track it. Right now, there's a couple of ransomware gangs that we are very firmly tracking based upon the hostname of the machine they use to connect to RDP servers, and we're like, oh, it's it's that host name again. Okay, we better talk to this customer. And because they have 24 or 48 hours to evict this threat actor or they're gonna get ransomwared.

Adam

So I just wanted to quickly pick up on the question of names. There's a lot of different kinds of names and classifications that gets thrown around for threat actors and APTs, you know, whether that's kind of numerical codes or, you know, the slightly fancier ones. But every security company has their own, you know, whether that's Fancy Bear or Bronze Emissary or, you know, any of these these kinds of different kind of modalities for for naming. Does that ever create any confusion when you're trying to educate the wider industry about these threats?

Don

It absolutely does. And I think the biggest misconception is that out there, there is a structured blank jigsaw waiting for people to put the right piece in the right box, or our post boxes or whichever analogy you like. And that just doesn't exist. I know how my team attributes different intrusions. I know we use the diamond model, I know we have a high threshold for, for crossover of tooling in particular because of tool reuse. And we look for real uniqueness before we bucket things into into particular groups. So we have candidate groups, and then we have ones that we've published; the ones which appear on our website. In fact, that's worth mentioning, we have a Rosetta Stone on our website, which is to the best of our understanding how our groups map to others, I know where the boundaries of my groups are. I know broadly how other organisations who have a broad and deep aperture like ourselves do their attribution. So whether it's Microsoft or Mandiant, or CrowdStrike, then you've got myriad other organisations who perhaps don't have quite as broad an intelligence team as we have, or some of the others I've mentioned, who I think don't have the same thresholds for attribution. And I'm not saying they're guessing, but you know, there will be people who are going, Okay, I see one overlap between one entry in a blog post about on the mythical TA505, for example. And therefore, what I'm seeing is TA505, without looking at hundreds of incident response engagements and saying, Oh, we've seen that being used by dozens of threat groups. So that's, that in itself is not sufficient to say it's this group, it may be a contribution to decision it's group. So, so there is this - mythology is the wrong word. There is, there are real challenges in the entire industry in understanding the complexities of attributing into buckets. And there are some people that do it well, or there are some people that do it `appallingly without the right thresholds for decision making. And that obviously leads to confusion in the landscape. And that confusion can be, can can occur genuinely, even for large organisations with great visibility. There was one instance a couple of years ago, where we did an incident response engagement against a large intergovernmental organisation, their website had been compromised. And interestingly, the bad guys were sending out spear phishes appearing to be from the compromised organisation, directing the recipients back to that contract compromised organisation where the malware would then come down. So you know, that's neat. If you're analysing the email, it's like from the legitimate IGO, you're going to a legitimate IGO. But of course, their web tier has been completely, completely hosed. So we could see everything about how that intrusion had occurred. And we could map that directly to Bronze Union, because that was about the eighth or ninth Bronze Union incident response we've done in the previous 12 months or so. And there were some very, very unique bits of tradecraft that were deployed that were nowhere else ever that we'd seen. And we had one of our competitors, but someone that we talk to, and like, saying, this is an entirely different group that had compromised the defence contractor. And we got with the researchers behind that. And they were utterly convinced that we were wrong. And they were right. But the only arbiter they had was was that intrusion on that defence contractor. And when we showed them what we could see, the phishes going out, the response coming back, the malware being downloaded, that we basically had the entire campaign captured, along with all the details as to how that infrastructure had been established on that IGO, they were like, Oh, you're absolutely right. You know, this is this is Bronze Union and we just didn't see that. And there was nothing wrong with what that organisation was doing. They're highly competent, and know what they're doing but they were looking at it with a very kind of partial aperture. When we gave them the broad aperture, they're like, Okay. So this bucketisation that was a perfect bucketisation is a real challenge and people who are very good, can still get it wrong. So, again, when we published our profiles on the website, I wrote a blog post which was trying to tease out some of the challenges of attribution here and explicitly stating that this is not a perfect world we live in; it's a world of assessment. And you know, there's lots of stuff goes on behind the scenes, which isn't publicly seen. We hosted a group of organisations in our office here in Edinburgh a while back about four weeks ago, which was actually a Rosetta Stone discussion between lots of industry players just to try and tease apart where we draw the boundaries of our different groups and why.

Adam

So we know a lot about the technical methodologies that these various threat groups use. But is there anything that we can infer from this that tells us a bit more about how they operate internally?

Don

That's a really hard question to answer. As I mentioned before, things like ContiLeaks gave us a really good understanding of how one of these large scale criminal gangs operate, you can sometimes infer that there's a change of control or ownership. If we look back at three or four years ago, when Ryuk was the the ransomware family du jour, we had enough visibility of this through our incident response engagements, that we could say that in our experience, every single Ryuk had been preceded by Trickbot, indeed, had been preceded by Trickbot with some particular modules that were downloaded, which was unusual. So we could see that there was a link between Trickbot and Ryuk. But what we could also see was that the dwell time varied. The dwell time varied from in some cases over a year to a handful of days, from the installation of of Trickbot to when, you know, active hands on keyboard activity occurred. So from that, we could infer that there was a different team during the ransomware from doing the initial access. And at that point, you're left asking yourself, okay, is this two groups, or is this one group. And we attributed that to two groups, to Gold Blackburn and Gold Ulrick, if I remember correctly, and increasingly over time, we could sense that there was a much closer coupling between these two organisations, we couldn't, we didn't have any insight to say they're the same group of people. But we could see that they were working in a fairly exclusive relationship. And then, of course, you know, Ryuk kind of retired and Conti appeared, which was obviously the evolution of Ryuk. Later on with ContiLeaks, we can now see that, obviously, Trickbot was operated by the Conti group, which was the evolution of the Ryuk guys. And both were the evolution of Dyre. So we can see, they were actually all all one organisation. But the challenge for us at the start was that we couldn't see that. So we're constantly in a battle trying to infer from breadcrumbs. And where that makes a difference. And where that's a challenge, I think, for the media, is to kind of understand the aperture that different security companies have, in terms of their observations of badness. So with SecureWorks, we have a luxurious aperture, you know, we protect about four and a half thousand enterprise networks 24x7, so we've got in excess of 20 petabytes of data that we can scan across, we do somewhere around 1,400 incident response engagements a year. You know, I think last year, we did 76 full blown post intrusion ransomware engagements. So we've got like waves of data. But importantly, dimensionally different data. And of course, we can invest in in, in my team where we're doing botnet emulation, so we're getting data directly from the botnets as well. And we can combine these dimensionally different lumps of data together to get a very balanced view of what the actors are doing. And you could either say, we're operating as a professional intelligence outfit, or we're making lucky guesses. We don't tend to get things wrong as a result. If on the other hand, I worked in a security company where all we did was, say, email filtering, without incident response, without seeing the hands on keyboard stuff I was talking about earlier, and the traits of the individual individuals that are typing on those keyboards, I can see how some security companies can get things wrong. And it's not because they're bad people. It's not because they're making mistakes. It's because they're operating with a partial aperture. And that's one of the things that makes my job most fun and most exciting is that we have a very balanced aperture, multiple different dimensions. And when we're making assessments we can bring these, bring these things together. If I didn't have that, my job would be much, much, much harder. And that's where you can see people kind of, in a blindfolded way, throwing darts at a dartboard and saying, Oh, look, this was malware, therefore, it's TA505, you know.

Connor

Okay, so, are there any gaps in the picture? What, you know, what can't attribution tell us at the moment?

Don

Well, there's I mean, there are lots of gaps. As I said at the start, most of the security industry is focused on defending networks, defending enterprises. And most of our effort goes on attributing to intrusion sets. So we can attribute to an intent, attribute to sets of tooling, and then protect protect customers. Going beyond that, what what we can't do clearly is, is the aperture we don't have, you know, I don't have access to a massive SigInt engine, I don't have human sources inside large scale e-crime gangs, although we do have a dark web team that are doing some of that. So it's very difficult to, to get to the human angle of it. But at the same time, as I said, at the outset, the benefit there to us other than the emotion of attribution is limited. And the crossover is where if we work with law enforcement, and we tell them what we're seeing, where we're seeing badness impacting enterprises that can help them prioritise. And then law enforcement can work with the intelligence community to identify the bad guys and disrupt them either overtly or covertly. And, you know, in some ways, that's the right way of, of going at it, you don't really want amateurs trying to stray into that territory, you know, that that's an area for people who have the right aperture, and you can be confident, very confident in a way that security companies rarely are, that they've attributed to the right people, and then whether it's paperwork or covert action, that they can do the best that they can to mitigate the threat.

Adam

So on the subject of threat mitigation, then, is attribution, something that CISOs and security professionals need to worry about on kind of on a day to day basis, let's say? Is it something that is actually practically useful as an element of your cybersecurity strategy, if you're kind of an end user customer?

Don

Yeah, that's a good question. And I'm gonna say on a day to day basis, if you extend my attribution to intent model to an attribution to degree of professionalism, I think it's important on a day to day basis that a CISO knows that, you know, the people behind Emotet are a large scale, highly organised criminal organisation that have been going for over a decade and are aren't going to give up; that their intent is criminal money making. But it's not, you know, two guys in hoodies, hunched over a laptop somewhere in Russia. So that kind of day to day operational understanding of, of who the actor is, in a general sense, I think is important for CISOs. I also think it's important for CISOs, who are in industries that may be targeted by hostile state actors, to be able to roughly attribute to, to the intent of nation states, you know, if you are the CISO of, you know, a defence contractor in the United States, or you're the CISO of a large intergovernmental organisation, it is important for your C level to understand that the person that was roaming across your network was, you know, the Chinese government or the Russian government or whatever, it is not at all important to go further than that, and say it's, you know, whatever, of the PLA. So I guess I'm sort of giving you a very fuzzy answer there. But from an operational perspective, I think all CISOs need to have an understanding of the degree of competence and professionalism of the clusters of activity. And some CISOs need to at least have that broad coupling of the intent saying, Well, I understand why, as a pharmaceutical company, I might have bits of the Chinese government on my network looking at my drug designs.

Adam

Well, unfortunately, that is all we've got time for on this week's episode. But our thanks once again to Secureworks' Don Smith, for joining us.

Don

Thanks, guys. It's been a pleasure.

Connor

You can find links to all the topics we've spoken about today in the show notes and even more on our website, itpro.co.uk.

Adam

You can also follow us on social media, as well as subscribe to our daily newsletter.

Connor

And don't forget, subscribe to the IT Pro Podcast wherever you find your podcasts. And if you're enjoying the show, leave us a rating and review.

Adam

We'll be back next week with more insight from the world of it but until then, goodbye.

Connor

Bye.