Risky Business News: Episode Summary
Episode Title: Between Two Nerds: Why Attribution Matters
Host/Author: risky.biz
Release Date: November 25, 2024
Introduction
In this episode of Risky Business News, hosts Tom Uren and the Grugq delve into the intricate topic of attribution in cybersecurity. Sponsored by Stairwell, the discussion sets the stage by congratulating the Grugq on his recent academic achievement, a Master's in Cyber War from King's College London. The conversation quickly transitions into the core subject: the significance of attributing cyber attacks to specific actors.
The Importance of Attribution in Cybersecurity
Tom Uren initiates the discussion by questioning the relevance of attribution in cybersecurity, drawing from his background in intelligence. He posits that while intelligence agencies find attribution crucial for understanding adversaries and safeguarding operations, the corporate perspective often dismisses its importance, focusing instead on patching vulnerabilities irrespective of the attacker.
[01:12] The Grugq: "Yes, it does. Thank you very much."
The Grugq affirms the significance of attribution, emphasizing its intellectual appeal and its role in the broader industry debate. He highlights the duality in the industry: companies selling threat intelligence advocate for attribution, whereas others prioritize addressing vulnerabilities without considering the threat actor behind them.
Threat Intelligence vs. The KEV List
The hosts explore the dichotomy between threat intelligence firms and the more pragmatic approach of prioritizing known exploited vulnerabilities (KEV).
[04:53] Tom Uren: "So that's what CISA is doing nowadays. They're coming out with that known exploited vulnerabilities, and then they have a top 10 or top 15 or something."
The Grugq acknowledges the utility of the KEV list, noting that while it covers the majority of common vulnerabilities, threat intelligence adds an additional layer for organizations with more sophisticated security needs. He suggests that the KEV list serves as the foundation, with threat intelligence providing advanced insights for highly mature organizations.
[06:16] The Grugq: "I think if you're in the top percentile, if you're really a very mature organization with a very strong security posture, you might find value from knowing that, you know, this particular North Korean group is going after this particular thing that we should worry about."
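The layering the hosts describe (KEV as the baseline, threat intelligence as an overlay for organizations that track specific actors) can be expressed as a small prioritization routine. The following is an added example, not code from the episode or from Risky Business; the KEV entries, actor names, CVE identifiers and findings are all constructed placeholders, and the tiering scheme is an assumption chosen to illustrate the point, not a published standard.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    """One vulnerability observed on one asset (constructed sample data)."""
    cve: str
    asset: str
    cvss: float

# Constructed sample data; none of these identifiers are real CVEs or actors.
KEV = {"CVE-EXAMPLE-1", "CVE-EXAMPLE-3"}
THREAT_INTEL = {
    # actor -> CVEs reported in that actor's campaigns (constructed)
    "actor-A": {"CVE-EXAMPLE-2", "CVE-EXAMPLE-3"},
    "actor-B": {"CVE-EXAMPLE-4"},
}
FINDINGS = [
    Finding("CVE-EXAMPLE-1", "web-01", 9.8),
    Finding("CVE-EXAMPLE-2", "db-01", 7.5),
    Finding("CVE-EXAMPLE-3", "vpn-01", 8.1),
    Finding("CVE-EXAMPLE-4", "mail-01", 9.9),
    Finding("CVE-EXAMPLE-5", "ws-07", 5.3),
]


def tracked_cves(threat_intel, relevant_actors):
    """Union of CVEs used by the actors this organization has decided to track."""
    tracked = set()
    for actor in relevant_actors:
        tracked |= threat_intel.get(actor, set())
    return tracked


def tier(finding, kev, tracked):
    """Assumed tiering: 0 = in KEV and used by a tracked actor, 1 = in KEV,
    2 = used by a tracked actor but not (yet) in KEV, 3 = everything else."""
    in_kev = finding.cve in kev
    in_ti = finding.cve in tracked
    if in_kev and in_ti:
        return 0
    if in_kev:
        return 1
    if in_ti:
        return 2
    return 3


def prioritize(findings, kev, threat_intel, relevant_actors=()):
    """Sort findings by tier, then by descending CVSS, then by CVE id for stability.
    With no relevant actors this degenerates to plain KEV-first ordering, which is
    the baseline the hosts say most organizations should start from."""
    tracked = tracked_cves(threat_intel, relevant_actors)
    return sorted(findings, key=lambda f: (tier(f, kev, tracked), -f.cvss, f.cve))


def prioritized_cves(findings, kev, threat_intel, relevant_actors=()):
    """Convenience wrapper returning just the CVE ids in priority order."""
    return [f.cve for f in prioritize(findings, kev, threat_intel, relevant_actors)]


def intel_beyond_kev(kev, threat_intel, relevant_actors):
    """CVEs that tracked actors use but that KEV does not list: this is exactly
    the extra layer threat intelligence adds on top of the KEV baseline."""
    return sorted(tracked_cves(threat_intel, relevant_actors) - kev)


if __name__ == "__main__":
    print("KEV only:      ", prioritized_cves(FINDINGS, KEV, THREAT_INTEL))
    print("KEV + actor-A: ", prioritized_cves(FINDINGS, KEV, THREAT_INTEL, ("actor-A",)))
    print("TI beyond KEV: ", intel_beyond_kev(KEV, THREAT_INTEL, ("actor-A",)))
```

Note how CVE-EXAMPLE-4 carries the highest CVSS score in the sample yet sits at the bottom unless actor-B is among the tracked actors: neither KEV membership nor a relevant actor vouches for it, which is the whole argument for prioritizing on exploitation evidence rather than raw severity.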
Attribution in the Context of National Security
The conversation shifts to the role of attribution in geopolitical contexts. The Grugq illustrates how, during times of heightened political tension or potential conflict, attribution becomes pivotal for national security assessments and decision-making.
[06:57] The Grugq: "And that feels to me like the dynamic that's going on here. Whereas interpersonal, because you like... States are a bit more restrained usually."
He contrasts this with the behavior of states during active conflicts, where the focus shifts from identifying attackers to managing the broader war scenario. Tom adds that states often deny involvement in cyber operations, employing tactics akin to "acting Canadian" to obfuscate their actions.
[10:03] Tom Uren: "It's like, like money in the bank."
Misattribution and Its Consequences
A significant portion of the discussion centers on the challenges of accurate attribution. Tom references a recent (hypothetical) CrowdStrike report that initially attributed telecom sector intrusions to a Chinese threat actor but later revised this to indicate multiple adversaries operating within the same compromised network.
[12:05] The Grugq: "Attribution is important, but misattribution is more important."
The Grugq underscores the prevalence of misattribution, especially in environments where multiple threat actors exploit the same network. He questions the reliability of attribution when numerous actors, including smaller groups, operate concurrently, leading to potential confusion and erroneous conclusions.
Tom shares anecdotes highlighting the complexities of attribution, such as Russian groups hijacking Iranian malware, illustrating the intricate layers of cyber operations where sophisticated actors exploit less advanced ones.
[15:41] The Grugq: "This is not fourth party collection where you would, you would hack someone who's collected all the data and collected from them."
The Value of Attribution Beyond Deterrence
While both hosts agree that attribution has limited efficacy as a deterrent, they acknowledge its broader value in intelligence and operational assessments. The Grugq emphasizes that for intelligence agencies, understanding what adversaries know and what they've compromised is vital for assessing potential impacts and taking actionable steps.
[20:10] The Grugq: "If you know that a particular telco has been compromised by a particular threat actor, you can do an impact assessment and you can see, all right, they're going to know that the... what does that compromise?"
Tom concurs, suggesting that attribution provides educational value to the broader industry, helping organizations understand potential threats and adjust their security strategies accordingly.
[21:19] Tom Uren: "There's still inherent value in attribution. If you are a state, if you're operating at a level where you need to know what other people know, then yeah, it's just inherently valuable."
Final Thoughts: Navigating the Cyber High Ground
The episode concludes with a metaphorical discussion about the "cyber high ground," wherein telecoms and other critical infrastructure become prime targets due to their valuable data and strategic importance. The Grugq humorously encapsulates the essence of cybersecurity competition:
[22:33] The Grugq: "You don't have to outrun the bear, you just have to outrun the panda."
Tom adds a touch of humor by rephrasing the Grugq's statement, emphasizing the intricate dance of evasion and obfuscation in cyber operations.
[22:40] Tom Uren: "Outrun the liminal panda. Thanks a lot, Craig."
Conclusion
In this insightful episode, Tom Uren and the Grugq dissect the multifaceted role of attribution in cybersecurity. They navigate through its practical applications, the challenges of misattribution, and its indispensable value in national security and advanced threat intelligence. By juxtaposing corporate and state perspectives, the hosts provide a comprehensive understanding of why attribution remains a pivotal, albeit complex, element in the ever-evolving landscape of cybersecurity.
Notable Quotes:
- Tom Uren [01:35]: "Once the enemy knows that there's a secret, the first battle is lost."
- The Grugq [04:24]: "If we know what people are after and what they want, we can help you prioritize the infinite amount of cybersecurity busywork that you have to float to the top."
- Tom Uren [19:15]: "Attribution doesn't actually make that much difference."
- The Grugq [21:53]: "Just love the term cyber high ground because it's, it's so ridiculous and that there's going to be cohabitation or competition for that high ground."
This episode underscores the delicate balance between the need for precise threat attribution and the practicalities of cybersecurity management, offering listeners a nuanced perspective on why attribution continues to matter in both corporate and national arenas.
