Wave your false flags!

 Download the full report (PDF)

As a new VirusBulletin is upon us, it’s once again time to deep dive into interesting topics in anti-malware research. This time around, we’ve chosen to focus on attribution in APT research, its methods and complications, and how intermediate-to-advanced attackers are already manipulating attribution indicators in an attempt to mislead researchers and squander limited incident response resources. False flags and deception tactics have always been discussed as possibilities in this space, but we wanted to put out a wealth of examples to advance the conversation. Our hope is that we can further the dialogue regarding attribution to involve more nuanced and daunting questions that have yet to be conclusively addressed.

When reading some of the examples, keep in mind that this was written back in February to submit to the VirusBulletin call for papers. At the time, deception techniques were a topic discussed in private between researchers, but never publicly substantiated. Since then, events over the summer have made this topic commonplace to the infosec community, if still a matter of contention and skepticism. The paper is extensive (but not exhaustive) and we hope that those of you interested in the subject will take some time to go through the reasoning and examples. The following are some takeaways we hope will pique your interest and get a dialogue going regarding the nuances of attribution as it’s currently being done:

There’s nothing straightforward about ‘whodunnit’

From the perspective of threat intelligence producers, there exist complications regarding attribution and its practical purpose. As any honest anti-malware company should admit, no institution has complete or perfect visibility into the activities of any threat actor. Different companies see different fragments; different types of service providers compliment that visibility with other types of data. This is a research space rewarded by cooperation and data exchanges. As such, when attempting to describe the activities of a threat actor, it’s difficult to suggest that a single threat intelligence product can stand as the exhaustive final chapter on any of the threat actors we investigate. Much less, provide a definitive picture of their identity, activities, and resources.

The true value of a threat intelligence product is its actionable potential, its ability to help detect and mitigate attacks, to provide clear avenues for proactive defense and improved defensive posture against a persistent and shadowy adversary, and to provide understanding to institutions and individuals outmatched and outwitted by the topdogs of the cyber espionage space. And even then, we have to consider that when it comes to wide dissemination of this information for the benefit of the public, it’s not just victims that are reading threat intelligence products. As our paper sets out to demonstrate, attackers too are keenly consuming threat intelligence research, learning from researcher methods as well as other APT groups and incorporating that information to better their own operations.

What can attribution do for you?

Threat Intelligence has come a long way in the last five years or so, and with that, more and more attribution is being done publicly by companies selling this as a product. Before that, attribution was only really done within governments and kept private or classified. These days, journalists and commentators are after the ‘sexy’ part of the story and are heavily focused on the “who” and not the “why”. While we are not arguing for or against companies performing attribution and publicly sharing their discoveries, we do pose some questions around how deep attribution really needs to go based on the role of the organization defended and its ability to take action. For governments, the most fidelity is justifiably needed, especially when the outcome of the attribution results in diplomatic sanctions, offensive operations, or demarches. But for a private company consuming threat intelligence is that level of attribution really needed to protect that organization against these attacks?

We hope the paper proves thought-provoking to threat intelligence producers and consumers alike, aligning needs and expectations, and preparing the infosec community for increasingly deceptive and manipulative interactions with our adversaries.