Attribution is big business these days…but can we trust it? Is it more than a game of “fingerpointing?” How good are we at spotting false-flag operations? Are advanced adversaries successfully defeating threat intel feeds through disinformation campaigns? In this talk, we will demonstrate how attackers operate to counter defensive information sharing operations through a real-world demo of a successful disinformation campaign. Using existing threat intel data, we will convince analysts to misattribute our activities to another threat actor. To do this we will select our “copy-cat” adversary from existing threat intel data feeds, analyze their tradecraft, and mimic their modus operandi in the real-world. We will taint several threat intel feeds in planting the seeds for our tactful misattribution tree, and we will then launch an operation against a real-world target in order to demonstrate that analysts using our victim feeds will incorrectly misattribute our operations as the mimicked actor.
Ultimately, this talk calls into question the efficacy of threat intel solutions for attribution purposes — should we even bother with this data, or is it ultimately a “rat race?”
Mark Kuhr (@MarkKuhr) co-founded Synack after focusing over nine years on Cyber Security in Academia and Defense industries. Most recently, at the National Security Agency (NSA), Mark worked in roles that include Technical Director, Computer Network Operations Operator, Network Analyst, and Computer Scientist. Dr. Kuhr received a Ph.D. in Computer Science from Auburn University under a DoD/NSA-sponsored fellowship. He has published several papers on enterprise cyber security and performed research under DoD contracts related to information security, network analysis, and jam-resistant network communication protocols.