
And why it drives competition between sophisticated actors
A
Hello, everyone, this is Tom Uren. I'm here with the Grugq. G'day, Grugq. How are you?
B
G'day, Tom. I'm fine. And yourself?
A
I'm well. This week's Between Two Nerds is brought to you by Stairwell and out on the channel this week, I have a good conversation with Stairwell's Mike Wiacek about appealing to both IT teams and security teams. So it's all about the politics of getting things done, which is the sort of stuff that we like to talk about on this podcast. So before we get going, Grugq, I just wanted to say congratulations. You've now got a. Is it a Master's in. Yeah, a Master's in Cyber War.
B
Yes, that is literally correct.
A
From King's College London, right?
B
Yeah. The War Studies department. Yes. I've got a Master's in International Relations and Contemporary War.
A
So there you go again. Congratulations. Well done.
B
Thank you.
A
So, Grugq, I've been wondering whether attribution matters at all. And spoiler alert, that's what we're going to talk about today.
B
Yes, it does. Thank you very much.
A
And so my background was in intelligence, and for us, or for them, attribution does matter. And there's sort of two sides to that. There's the. We don't want people to know what we're up to, and that's because if they know, they could take countermeasures.
B
Right. Or so that's what I mean. I mean, it's the way it's sometimes phrased is once the enemy knows that there's a secret, the first battle is lost.
A
Right. I think that captures it well. And then the flip side of that is intelligence agencies, or at least the ones I was familiar with, want to know what other people are up to, and they want to know who's doing what. But when I started interacting with people from the real world, some people would challenge me on that. They would say, look, from the perspective of a company, it makes no difference if someone is targeting our cybersecurity weak spots, firewalls or whatever. We just need to fix those. It doesn't matter who's doing the targeting. So attribution is pointless.
B
So you ran away from the rules back to podcasting?
A
Well, the between two nerds consensus view is that attribution is fascinating because it's just interesting.
B
Attribution matters because we like it and it's interesting.
A
That's right.
B
It is maybe not the most practical answer, but it's absolutely true for at least two people out there. So it's been an industry discussion, in a way, because you do have these companies that are literally selling attribution. Right. As sort of their core product. It's.
A
It's threat intelligence.
B
Yeah, threat. And it's like, we will tell you what's going on and who's doing it. Whereas a lot of people are just like, maybe all we need to know is that we need to patch our edge devices because the edge devices are being hit a lot.
A
Yeah, yeah. So the broader dynamic here is that you've got both companies who are selling threat intelligence who say, yes, understanding what's going on is very important. You've got at least some companies who say it's totally irrelevant. But you also seem to have a similar dynamic in countries. Right. So Western intelligence thinks attributing other countries and protecting our own secrets is very important, or protecting our own operations is very important. And then yet there's other countries who behave as if, well, it doesn't matter at all. Whatever, we get called out and we just deny it and move on.
B
Yeah. Like, what are you going to do?
A
So from the threat intelligence point of view, I asked someone about this to get their rationale when they were in that industry selling the product, and their justification was, if we know what people are after and what they want, we can help you prioritize the infinite amount of cybersecurity busywork that you have to float to the top, the stuff that will actually make a difference, because, I don't know, you're in a particular industry and the North Koreans are targeting this particular technique right now. So that was their justification.
B
Right. Just the other day, and I forget who tweeted it, but it was someone. Someone pointed out that basically, if we just take the top 10 vulnerabilities that are being exploited, which we sort of have, it's obviously derived from threat intelligence, but it's a completely different approach. Rather than saying these are the threat actors going after these things, it's just saying all of the threat actors in aggregate, targeted these things most frequently. So if you just have that list and you prioritize that list of things being targeted.
A
Right. Yeah, yeah. So that's what CISA is doing nowadays. They're coming out with that known exploited vulnerabilities, and then they have a top 10 or top 15 or something. So you reckon just chuck away that entire industry and go to the KEV list?
B
It's not my problem.
A
Making friends.
B
I think there's some relevance to it. I think that it's not completely wrong.
A
Which part is not completely wrong?
B
Well, it was that if you focus on these sort of top 10, I think you're doing the 20% of the work that covers 80% of the cases.
A
Right. Because each company's unique snowflake, we therefore need to pay for threat intelligence.
B
Well, not everyone's the same, but most people are. Yeah. And I think what it comes down to is that when you need to prioritize what you have to patch, if you still have any of these top 10 vulnerabilities unpatched, you're doing it wrong. If you're worried about like making sure that you're getting the latest rolling updates to Windows, but you have Log4j vulnerable edge devices, you've messed up somewhere in your prioritization tracklist somewhere.
A
So the KEV list is the basics and then threat intelligence is the super duper added on top.
B
Right. I think that if you're in the top percentile, if you're really a very mature organization with a very strong security posture, you might find value from knowing that, you know, this particular North Korean group is going after this particular thing that we should worry about. I think that if you're in that tier of super mature, very strong companies, you're probably not going to be worrying about that many things. It's at that point that you have to worry about, know, targeted nation state operations as opposed to like random ransomware.
A
Right.
B
So I think you might be beyond attribution. Like, you might be at a point where it just becomes interesting, you know, what's happening to the plebs today. So I think that another side of attribution is that to a degree, the amount that you care about attribution is a reflection of the political context that it's happening in. So, for example, if you're in a very, very tense standoff with another country on the brink of war and the lights go out at that point, attribution matters because you need to know, was that a deliberate targeted act by this country that we're in a tense standoff with? Was it someone else trying to trigger something or was it random? Like, at that point, knowing what happened becomes very important. Whereas once the war has kicked off, when the lights go out, it doesn't really matter who was behind it. Because you're in a war, things are happening where it's, it's just, it's not such a big deal that they hacked you as opposed to dropped a bomb or they, they hacked you to do something like. That's just, it's not a big escalation in any way. Right? Like it doesn't change the political context.
A
Yeah. So it seems that in non war times, times of maybe competition or.
B
Right. As opposed to conflict.
A
Yes. There's a sort of assumption that states don't like being called out for hacking operations. Now that assumption seems to be true that like they don't like it, but it doesn't seem to be a very strong dislike. Like they don't hate it enough to stop doing it. Like they still are willing to wear the risk.
B
Yeah, yeah. It's a bit like a blackmail situation where like it only works if the other person feels shame. Right.
A
Yeah, but I think they feel some sort of shame because they don't.
B
Like it and they deny it. Right.
A
But that's as far as it goes.
B
Right. I mean sometimes they'll go so far as to like you've seen it happen with China where they all. They'll find counterexamples. Right. So after there's been like a large number of U.S. reports about, you know, like the Chinese are doing this, they're doing that, you know, we're indicting 10 of them for like doing this thing. Here's a whole bunch of stuff then I think it was Qihoo 360 came out with a report saying in 2010 an NSA implant was found in China. So you know, it goes both ways, man.
A
Yeah. There was one I was reading about today where I think one of the Chinese CERTs was claiming that Volt Typhoon was a ransomware group because there were some IP addresses.
B
Yeah. They were pre positioning their ransomware for use at a future date where they were suddenly like, okay, now we need money.
A
It's like, like money in the bank.
B
It stretches credulity, some of the stuff that they try and get away with.
A
But I mean it seems to work for them. Right, Right.
B
If I say oh my God, you did that. And you say no, you did it and there's only the two of us. I mean like it doesn't get us anywhere. Right. Unless you go, yeah, I'm sorry, I shouldn't have done that. What have I achieved?
A
Yeah. So I think in real interpersonal conflict that either escalates to fisticuffs or it's not worth it. And it seems like in the state arena it doesn't escalate because it's not worth it.
B
Right, right.
A
And that feels to me like the dynamic that's going on here. Whereas interpersonal, because you like.
B
Right, yeah.
A
States are a bit more restrained usually.
B
Yeah. It also plays in a little bit with the thing that part of the old idea about covert action was like, you know, if you get caught, we will deny your existence. You know.
A
That's right. That sounds very Mission Impossible.
B
Right? Whereas these days it's a lot more of a like, if you get caught, just pretend you're like Belarusian for a while and then fool will get you out. You know, like Act Canadian. That reminds me of. There's some hacker friends of mine that were in Japan. This was many, many years ago. So they were in Japan and they were drunk and they went into a like a 7-Eleven or something and they, they accidentally knocked over a stand and they realized that this was a problem and so they started shouting USA, USA. And then ran out as covered because now the Japanese would be looking for some Americans rather than some Canadians.
A
So attribution is important. That's what you're telling me. Or misattribution.
B
Attribution is important, but misattribution is more important. Oh, speaking of which, there is a CrowdStrike report that just came out yesterday. It was absolutely hilarious. They've been tracking this group of hackers that have been going after telcos and they identified it as a Chinese threat actor. So like the first report I read about them was in, I think it was 2020, 2021, around then, and they've now revised that report, so they've got this line, which is: "In 2021, CrowdStrike attributed multiple telecommunications sector intrusions to the LightBasin activity cluster, which has consistently targeted telecom entities since at least 2016 using various custom tools. An extensive review of this intrusion activity has determined some of the events documented are attributable to a separate adversary now tracked as Liminal Panda. This association resulted because multiple threat actors were conducting malicious activity on a highly contested compromised network."
A
So I find multiple things about that funny. First of all, basically what it's describing is a telco somewhere in the world where there's multiple threat actors.
B
Like, do you know how little that narrows it down?
A
Well, one reason I find it funny is that there's. What are they calling it? Salt Typhoon? Tom from the future here. Salt Typhoon is the name given to a Chinese group that is compromising US telcos. And it appears that they're looking for political intelligence and have targeted both the Trump and the Democratic campaigns in the lead up to the election. So it's not clear to me that what CrowdStrike is talking about in this post is the same as Salt Typhoon. But it's possible, right?
B
Right.
A
Panda is the CrowdStrike nomenclature for China-related threat actors, and so, you know, what they're describing is a picture of a world where telcos are just routinely owned by multiple threat actors. And yet in the US there's this huge fuss about all their telcos being owned. Like, surprise.
B
I like how they describe this telco as a highly contested compromised environment. So a friend of mine was telling me about when he worked at a. I'm going to have to be careful here. So he worked at a very large company and they did an acquisition of a company in a defense sector adjacent thing. And when they were doing this sort of the network integration, they found that there were three separate APT groups all fighting for domination for the network. Like they were actually like they were uninstalling each other's stuff and they were literally fighting it out for control. And the host company knew nothing about it, of course. But I think that that's not uncommon.
A
Well, a couple of examples spring to mind. I think the Russians have at least a couple of times hijacked Iranians. Yeah. Yeah. So they've, I guess that's not competition, that's cohabitation or symbiosis where you're taking advantage of someone who's already there.
B
Right. This is not fourth party collection where you would, you would hack someone who's collected all the data and collected from them. This is where you're reusing their existing hack.
A
Yeah, yeah. The Iranian malware becomes a puppet. And so my kind of take on that was that the more sophisticated actor can take advantage of the less because there's a lot of work to do that and, and you probably have to care a bit more maybe about attribution than the other white party does.
B
Or it might actually just be easier to hack them than to hack the companies that they've gotten into. Right, right.
A
Yeah.
B
Going after a couple of C2 boxes being run by Iranian hackers is probably a very, very easy job compared to their end target, which you might not want to, you know, re-compromise if someone's already in there and hasn't been detected. If it ain't broke, don't fix it. Yeah, right.
A
The other thing I find funny is just that competition and that there's, and this totally makes sense is that there's particular places that are this cyber high ground where everyone wants to occupy that space because it's the popular kids table.
B
At the high school cafeteria. Right. Like if you're a telco, you have the juicy data that everyone wants.
A
Yeah.
B
And if you're in a, an interesting country. Yeah. Like an Iranian telco is probably compromised by multiple different groups, because it's very, very interesting. Whereas a Bangladesh telco is probably not a massively high priority to that many people. So you're bound to find places where there's just a large number of different countries who want to know what's going on all in the same places, because there's not that many different telcos. And when you're in a telco, there's only so many boxes you can be on before you start sort of stepping on toes. Right. You need to get access to, like, the call data records, the CDRs, everyone wants those, so that everyone has to be after them. That's the nature of the piece. Similarly, if you're in the Prime Minister's office, how many email servers are there?
A
Right. Yeah, yeah.
B
I kind of wonder how often this happens.
A
So when you say this, you mean the tracks get muddied because there's multiple so many people?
B
Particularly, I think, when there's smaller threat actors mixed in with the larger ones. Right. In this case, they're very familiar already with the Chinese threat actors, so that they will recognize that tooling and those behaviors. And if they find more tools and more activity, you're just going to assume that it's a subset of this larger group that you're already tracking, which is what clearly happened here. And I think that. How often does that happen? So even if we talk about attribution, which we find very, very interesting, how much of it is actually misattribution, and does that change the value of the attribution, knowing that some of it is just faulty?
A
I mean, what I have heard in the past is that part of the reason in the past that China did not care about attribution was that they simply believed it was impossible.
B
Right.
A
And so when you believe that, you don't take precautions against it, because why would you. It's impossible.
B
Right.
A
I. I think they've obviously learned since then, but I think the lesson they've learned is that attribution doesn't actually make that much difference.
B
Like it's not impossible, but it doesn't matter. That's right.
A
The examples of hijacking of other threat actors, it's Turla, the Russian, I think that's SVR. They've hijacked Iranian malware. And the SVR is meant to be one of the more sophisticated groups going around. So, I mean, let's go back to the intelligence agency conception that attribution is important.
B
Right. Okay.
A
Now, it doesn't seem to be all that important for deterring other countries or Maybe I should say, when I say all that important, what I should say is not at all important deterring other countries. I still argue that it has a value because it's got an educational value for the broader industry.
B
Yeah, I agree with you, but I think there's two values, actually. Because if we're looking at this purely from a deterrence point of view. Yeah. It doesn't work particularly well. Deterrence that relies on name and shame is deterrence that fails. We've clearly seen that. But if we go all the way back to why intelligence agencies care about attribution, it's not about deterrence. They want to know what the other side knows. And part of that is knowing what they've compromised, like what they've had access to. So if you know that a particular telco has been compromised by a particular threat actor, you can do an impact assessment and you can see, all right, they're going to know that the, you know, because our president uses that telco, they're going to know all of his travels for the last six months since they had access to net, they'll have. Where his cell phone has been. What does that compromise? They'll have had access to these SMS things. What does that compromise? Right. So knowing that information is still valuable.
A
Yeah. That's actionable because you can.
B
Right.
A
Like you can imagine scenarios where you would change your itinerary or whatever.
B
Right. Where you would suddenly see, okay, like these things have been compromised. What do we need to change to address that? And then what can we exploit with them believing this to still be true? There's still inherent value in attribution. If you are a state, if you're operating at a level where you need to know what other people know, then yeah, it's just inherently valuable. I'm not sure that that applies to companies.
A
Yep. So I guess that means going back to the sophistication thing. If you're a sophisticated actor, it absolutely makes sense. Like we agree that there's. I love, just love the term cyber high ground because it's, it's so ridiculous and that there's going to be cohabitation or competition for that high ground. And so if you're a sophisticated actor, it absolutely makes sense to muddy the waters, hijack other actors that are there, and make it so that you're, you're hidden either in the noise or you're actively obfuscating what you're doing.
B
Right. It's, I mean, how would I put it? You don't have to outrun the bear, you just have to outrun the panda.
A
Outrun the Liminal Panda. Thanks a lot, Grugq.
B
Thanks a lot. Tomorrow.
Episode Title: Between Two Nerds: Why Attribution Matters
Host/Author: risky.biz
Release Date: November 25, 2024
In this episode of Risky Business News, hosts Tom Uren and the Grugq delve into the intricate topic of attribution in cybersecurity. Sponsored by Stairwell, the discussion sets the stage by congratulating the Grugq on his recent academic achievement—a Master's in Cyber War from King's College London. The conversation quickly transitions into the core subject: the significance of attributing cyber attacks to specific actors.
Tom Uren initiates the discussion by questioning the relevance of attribution in cybersecurity, drawing from his background in intelligence. He posits that while intelligence agencies find attribution crucial for understanding adversaries and safeguarding operations, the corporate perspective often dismisses its importance, focusing instead on patching vulnerabilities irrespective of the attacker.
[01:12] Grugq: "Yes, it does. Thank you very much."
The Grugq affirms the significance of attribution, emphasizing its intellectual appeal and its role in the broader industry debate. He highlights the duality in the industry: companies selling threat intelligence advocate for attribution, whereas others prioritize addressing vulnerabilities without considering the threat actor behind them.
The hosts explore the dichotomy between threat intelligence firms and the more pragmatic approach of prioritizing known exploited vulnerabilities (KEV).
[04:53] Tom Uren: "So that's what CISA is doing nowadays. They're coming out with that known exploited vulnerabilities, and then they have a top 10 or top 15 or something."
The Grugq acknowledges the utility of the KEV list, noting that while it covers the majority of common vulnerabilities, threat intelligence adds an additional layer for organizations with more sophisticated security needs. He suggests that the KEV list serves as the foundation, with threat intelligence providing advanced insights for highly mature organizations.
[06:16] Grugq: "I think if you're in the top percentile, if you're really a very mature organization with a very strong security posture, you might find value from knowing that, you know, this particular North Korean group is going after this particular thing that we should worry about."
The conversation shifts to the role of attribution in geopolitical contexts. The Grugq illustrates how, during times of heightened political tension or potential conflict, attribution becomes pivotal for national security assessments and decision-making.
[06:57] Grugq: "And that feels to me like the dynamic that's going on here. Whereas interpersonal, because you like... States are a bit more restrained usually."
He contrasts this with the behavior of states during active conflicts, where the focus shifts from identifying attackers to managing the broader war scenario. Tom adds that states often deny involvement in cyber operations, employing tactics akin to "acting Canadian" to obfuscate their actions.
[10:03] Tom Uren: "It's like, like money in the bank."
A significant portion of the discussion centers on the challenges of accurate attribution. Tom references a recent (hypothetical) CrowdStrike report that initially attributed telecom sector intrusions to a Chinese threat actor but later revised this to indicate multiple adversaries operating within the same compromised network.
[12:05] Grugq: "Attribution is important, but misattribution is more important."
The Grugq underscores the prevalence of misattribution, especially in environments where multiple threat actors exploit the same network. He questions the reliability of attribution when numerous actors, including smaller groups, operate concurrently, leading to potential confusion and erroneous conclusions.
Tom shares anecdotes highlighting the complexities of attribution, such as Russian groups hijacking Iranian malware, illustrating the intricate layers of cyber operations where sophisticated actors exploit less advanced ones.
[15:41] Grugq: "This is not fourth party collection where you would, you would hack someone who's collected all the data and collected from them."
While both hosts agree that attribution has limited efficacy as a deterrent, they acknowledge its broader value in intelligence and operational assessments. The Grugq emphasizes that for intelligence agencies, understanding what adversaries know and what they've compromised is vital for assessing potential impacts and taking actionable steps.
[20:10] Grugq: "If you know that a particular telco has been compromised by a particular threat actor, you can do an impact assessment and you can see, all right, they're going to know that the... what does that compromise?"
Tom concurs, suggesting that attribution provides educational value to the broader industry, helping organizations understand potential threats and adjust their security strategies accordingly.
[21:19] Tom Uren: "There's still inherent value in attribution. If you are a state, if you're operating at a level where you need to know what other people know, then yeah, it's just inherently valuable."
The episode concludes with a metaphorical discussion about the "cyber high ground," wherein telecoms and other critical infrastructure become prime targets due to their valuable data and strategic importance. The Grugq humorously encapsulates the essence of cybersecurity competition:
[22:33] Grugq: "You don't have to outrun the bear, you just have to outrun the panda."
Tom adds a touch of humor by rephrasing the Grugq's statement, emphasizing the intricate dance of evasion and obfuscation in cyber operations.
[22:40] Tom Uren: "Outrun the Liminal Panda. Thanks a lot, Grugq."
In this insightful episode, Tom Uren and the Grugq dissect the multifaceted role of attribution in cybersecurity. They navigate through its practical applications, challenges of misattribution, and its indispensable value in national security and advanced threat intelligence. By juxtaposing corporate and state perspectives, the hosts provide a comprehensive understanding of why attribution remains a pivotal, albeit complex, element in the ever-evolving landscape of cybersecurity.
Notable Quotes:
Tom Uren [01:35]: "Once the enemy knows that there's a secret, the first battle is lost."
Grugq [04:24]: "If we know what people are after and what they want, we can help you prioritize the infinite amount of cybersecurity busywork that you have to float to the top."
Tom Uren [19:15]: "Attribution doesn't actually make that much difference."
Grugq [21:53]: "Just love the term cyber high ground because it's, it's so ridiculous and that there's going to be cohabitation or competition for that high ground."
This episode underscores the delicate balance between the need for precise threat attribution and the practicalities of cybersecurity management, offering listeners a nuanced perspective on why attribution continues to matter in both corporate and national arenas.