
> “It’s a big myth that there are thousands of [signatures] for any particular groups,” he notes. “These [TerritorialDispute] guys really focus on finding the two or three telltale signs that could lock you in [on an APT].”

I have a hard time accepting that. Sure, if it was a financially motivated actor or common malware a few "high quality" indicators are all you need. But APT actors know they are being tracked by their adversary using these same indicators. It isn't difficult or costly for them to avoid reuse of infrastructure and tooling. The few attributions I looked at in detail require a more speculative and somewhat imprecise correlation by humans as opposed to clear and static indicators.

Please correct my ignorance if I am wrong.

EDIT: Security companies do use "thousands" of signatures and indicators to find events that might possibly be associated with an APT group. Why is the NSA special? That's what I can't accept. As good as the NSA is, multi billion dollar security companies are not far behind (I would say some are even ahead when it comes to defensive security).




You seem to just be restating the “myth”.

I think people, especially on HN, like to think of these groups as far more professional than they are. Just look at all the talk of “tradecraft” and “threat actors”.

Empirically, it appears that hackers are simply people. These groups seem to have maybe just one or a handful of talented individuals at their core, and they all have habits they like to return to.


After meeting various NSA and US cyber security heads at RSA and having dinner with them and hearing their “war stories” about shit they have done, sure they are people, but IMO the people I met were straight up psychopaths.

This is my opinion of the Type A “hacker-types” that Palantir hires...

(Had dinner with the head of US cyber-security and his minions and military contractors (This was when I was with Lockheed))


Just for context what's your opinion on other tip of the spear military types, such as SOF personnel?


This is a heavy claim that you've made here... Can we get some more details?

Like Sherlock-style high functioning sociopaths, or Patrick Bateman with top notch computer skills?


What made them “psychopaths”?


Any fun stories to re-tell?


> Empirically, it appears that hackers are simply people. These groups seem to have maybe just one or a handful of talented individuals at their core, and they all have habits they like to return to.

Sure, that's why indicators of compromise exist to begin with. What I don't get is this notion of a "high quality" indicator. You would normally match on all indicators you have.

I mean, why match with a dozen indicators knowing full well the attacker might reuse any one of the hundreds of indicators that exist? All the big name security companies match against all known indicators for a group. What practical benefit is there to limiting yourself to a few indicators, even if they are top notch indicators?


APT groups have a set of tools, techniques, and processes (TTPs) that they use. They evolve over time, but are generally consistent per APT group. It's maybe dozens of methods and signature moves that teams use to attribute the actor. Malware packages and so on leak data, C2 servers might get reused (or the way the C2 was obtained might inform something). From the attacker point of view, you don't change your methods if they are working.

However due to this, you are right: it's incredibly messy and attribution is mostly bullshit. If you notice, it mostly warns the operator to seek help, so others can try to confirm.


It’s also a game of burning unused methods when it’s irrelevant to stay 100% black. Hitting something that the NSA truly wants no one to trace back to them works better if most of their other attacks work with the same combination of tools.


>> APT groups have a set of tools, techniques, and processes (ttps) that they use.

This is interesting considering recent high profile attacks (The DNC, OPM, Sony) have pointed to state actors, but many in the InfoSec community have come back and said many of the tools have been out in the Wild for years. It means almost any hacking team could be using them, indicating that many of the tools are common amongst these groups so pinning a hack to a specific group because of the tools they used isn't a reliable way to track them.

Not my opinion, just something that would seem to contradict the idea that a set of tools indicates who the actors are.


It doesn't contradict anything, it just lowers the probability of being right a hair (For the extreme few APTs who would bother with such trivialities), hence the "attribution is bullshit" -- you can't ever know.

However, that does NOT contradict the simple fact that various APT groups do absolutely use the same tried and true TTPs to get in, gain a foothold, and persist. They evolve them over time, but you'd be foolish to think they entirely wing it each time, using a chaotic set of techniques. They establish patterns, and you can absolutely build a signature off of that.


You could actually say that from the attacker's point of view, you should change your methods permanently to avoid tracking / fingerprinting.


Exactly; even individuals know that good opsec means changing your footprint; why would full state actors not do so?


Because it would almost certainly diminish their offensive capabilities.


I suppose considering the cost (time, money, effort) it would have to be used somewhat carefully, but I would expect it to improve offensive capabilities to be able to make attacks that don't look like you. But agreed that it would have to be rationed out, in order to not lose ground in redoing things.


Additionally, human beings are lazy. Getting people to stick to what look like pointlessly complex processes is not a trivial matter.


Such capabilities obviously exist, but are almost never worth deploying.

Attribution rarely seems to be a significant concern for the people running these ops.


Except history shows that is not the case...APT actors make tons of mistakes and straight up re-use code and infrastructure on a regular basis.

There is the mythical claim that "someone is doing it right" but at the end of the day, these are just people. They make mistakes and are just doing a job.


A sophisticated team would probably use a mix of public tools, stolen private tools, and unique internally developed tools.

Public tools and stolen private tools are worse than useless for attribution because they are specifically used to avoid attribution or to cause false attribution.

Accurate attribution, if possible, can only be based on unique internally developed tools, which means you have to have the knowledge of the overall environment to see that some tool is unique and being deployed for the first time, and then track the deployment of that tool across other targets, and correlate it with the deployment of other unique tools.


>Public tools and stolen private tools are worse than useless for attribution because they are specifically used to avoid attribution or to cause false attribution.

Not necessarily. Given enough public tools, combinations of usage can be unique.
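To make concrete the two threads of this exchange (the earlier question of why one would match on a few "high quality" indicators rather than all of them, and the reply above that combinations of public tools can be unique), here is an added example that is not from any commenter. It is a toy attribution scorer: the group names, indicator labels and which group uses which indicator are all constructed, and the inverse-frequency weighting is an assumed scheme, not a description of how any vendor or agency actually scores.

```python
"""Added example (not from the thread): weighting indicators for attribution.

A constructed knowledge base maps hypothetical groups to the indicators they
have been seen using.  Indicators are weighted by inverse frequency across
groups, so a tool every group uses contributes nothing, while a combination of
partially shared public tools can still single out one group.
"""
from collections import Counter
from math import log

# Constructed profiles with hypothetical group names and indicator labels.
# "unique-loader-*", "webshell-c" and "c2-domain-*" stand for tooling or
# infrastructure seen with only one group; the rest stand for widely
# available public tools.
GROUP_PROFILES = {
    "GROUP-A": {"mimikatz", "psexec", "cobaltstrike", "unique-loader-a", "c2-domain-a"},
    "GROUP-B": {"mimikatz", "psexec", "powershell-empire", "unique-loader-b", "c2-domain-b"},
    "GROUP-C": {"mimikatz", "cobaltstrike", "powershell-empire", "webshell-c", "c2-domain-c"},
}


def indicator_weights(profiles):
    """Inverse-frequency weight per indicator: log(groups / groups using it).

    An indicator shared by every known group weighs 0; one tied to a single
    group weighs log(number of groups).
    """
    n_groups = len(profiles)
    usage = Counter(ind for inds in profiles.values() for ind in inds)
    return {ind: log(n_groups / count) for ind, count in usage.items()}


def score_groups(observed, profiles, top_k=None):
    """Score each group by the total weight of its indicators seen in `observed`.

    With top_k set, only each group's top_k highest-weight indicators are
    consulted (the "two or three telltale signs" approach); with top_k=None,
    every known indicator counts (the "match on everything" approach).
    """
    weights = indicator_weights(profiles)
    scores = {}
    for group, inds in profiles.items():
        ranked = sorted(inds, key=lambda i: (-weights[i], i))  # deterministic tie-break
        considered = ranked[:top_k] if top_k is not None else ranked
        scores[group] = sum(weights[i] for i in considered if i in observed)
    return scores


def attribute(observed, profiles, top_k=None, min_margin=0.1):
    """Return the best-scoring group, or None when nothing matched or the lead
    over the runner-up is too small to call."""
    scores = score_groups(observed, profiles, top_k)
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    (best, best_score), (_, second_score) = ranked[0], ranked[1]
    if best_score == 0 or best_score - second_score < min_margin:
        return None
    return best


# Constructed observations from two hypothetical intrusions.
# Intrusion 1: a group-specific loader was seen alongside public tools.
INTRUSION_WITH_UNIQUE_TOOL = {"mimikatz", "psexec", "cobaltstrike", "unique-loader-a"}
# Intrusion 2: the actor retired its unique tooling; only public tools were seen.
INTRUSION_PUBLIC_ONLY = {"mimikatz", "psexec", "cobaltstrike"}

if __name__ == "__main__":
    for name, obs in [("unique tool present", INTRUSION_WITH_UNIQUE_TOOL),
                      ("public tools only", INTRUSION_PUBLIC_ONLY)]:
        print(f"{name}: all indicators -> {attribute(obs, GROUP_PROFILES)}, "
              f"top-2 only -> {attribute(obs, GROUP_PROFILES, top_k=2)}")
```

Running it shows both sides of the argument at once: when the group-specific loader is present, both the "all indicators" and "top two only" strategies point at GROUP-A. When the actor has rotated its unique tooling and only public tools remain, the top-two strategy returns nothing, while scoring every indicator still separates GROUP-A from the others because the particular combination of shared tools (psexec plus cobaltstrike) is, in this constructed data, seen together only with that group. The margin check is there so a one-indicator lead over a runner-up is reported as "unknown" rather than as an attribution.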


Any tool can be obfuscated and mutilated to oblivion...there are brilliant tools around these days that do wonders at the source code level.

False attribution shouldn't work. Nobody blindly believes binary signatures like we did in the 20th century.

Accurate attribution can only be based on the whole picture, with a focus on technique, i.e. types of exploits used, styles of shellcode used, C2 key exchange used, intel types gathered, etc. etc.

The arms race is real, information doesn't vanish, nothing is simple.


I think they're only looking for 2-5 IOCs because they're checking the same machine they've broken into for operations.

Maybe they're looking for tools the other groups use to establish initial beachheads and not tools that are used for exploitation, info gathering or other more involved tasks.



