Attribution is big business these days…but can we trust it? Is it more than a game of “fingerpointing?” How good are we at spotting false-flag operations? Are advanced adversaries successfully defeating threat intel feeds through disinformation campaigns? In this talk, we will demonstrate how attackers operate to counter defensive information sharing operations through a real-world demo of a successful disinformation campaign. Using existing threat intel data, we will convince analysts to misattribute our activities to another threat actor. To do this we will select our “copy-cat” adversary from existing threat intel data feeds, analyze their tradecraft, and mimic their modus operandi in the real-world. We will taint several threat intel feeds in planting the seeds for our tactful misattribution tree, and we will then launch an operation against a real-world target in order to demonstrate that analysts using our victim feeds will incorrectly misattribute our operations as the mimicked actor.
Ultimately, this talk calls into question the efficacy of threat intel solutions for attribution purposes — should we even bother with this data, or is it ultimately a “rat race?”