Attribution fatigue is real. We are 20 years past Moonlight Maze, 15 years past Titan Rain, and a decade past the formation of NATO's Cooperative Cyber Defence Centre in Estonia. These recent ten years have seen the public dumping of stolen nation-state toolchains, a worm renaissance, and increasingly adventurous forays by states far beyond the limits of espionage, into active operations. Small wonder we're tired… but what have we learned about technical and contextual analysis as nation-state threats roll into their third decade? What are we missing? Does any of this even matter?
Network defenders and threat intelligence analysts tend to be sharply divided on this question of nation-state threat attribution. Reasonable network defenders may decide 'How?' is all that matters (observables || GTFO); reasonable threat intel analysts may feel similarly about 'Who?' (APT1 || GTFO). This talk addresses each of these reasonable extremes, and further advocates for the neglected value of 'Why?' in surfacing adversary requirements, targeting, and constraints. We will look at how nation-states have used malware as a form of geopolitical signalling, the myth of vendor neutrality in the nation-state threat ecosystem, and opportunistic distortion of technical analysis.
Words and PE headers are hard, nation-states are weird, but more perfect nation-state threat analysis is possible within – and beyond – the binary.