Time
3 hours 1 minute
Difficulty
Advanced
CEU/CPE
3

Video Transcription

00:04
So let's talk about the
00:06
human elements of attribution.
00:08
We have a nice quote here from Fiske and Taylor, 1991, detailing some aspects of attribution theory. As we can see, this touches on the correlation and causation examples that I gave a little bit earlier in this module. One of the things to think about for attribution
00:26
is that it's sort of a two-edged sword.
00:29
It's important to
00:31
understand who did
00:33
some action, or which group was responsible, which nation state was responsible, for instance.
00:39
These are all
00:41
pieces of the puzzle that do need to be known, because it helps to
00:46
inform current activities and future activities. And so the problem is that
00:51
because of a requirement of public disclosure
00:56
in certain cases,
00:58
this could inadvertently reveal some information; sources and methods are frequently mentioned.
01:07
And
01:07
there's also the chance that publicly disclosing
01:11
who is responsible for a particular attack or incident
01:18
might be what the attacker actually wants. They want some notoriety. They want some publicity.
01:23
They might try to claim
01:26
responsibility for something that's happened because it helps to promote their cause,
01:30
especially hacktivists and cyber terrorists. They have
01:36
their own reasons for wanting to
01:38
remain somewhat in the spotlight, at least their organization,
01:42
maybe not themselves personally, but they might want to promote the organization.
01:48
The Anonymous group and the Shadow Brokers are a couple of examples of
01:53
entities that
01:55
usually try to claim
01:57
responsibility
01:59
because they want you to know what their power is, what they can do, what they're capable of,
02:02
much like regular terrorists might do in the real world. Cyber terrorists are one thing, but if you've got ISIS or Al-Qaeda or something
02:13
and they launch an attack, usually they want to claim responsibility for it so that, again, it helps to promote their cause.
02:21
It might also help them to get people to join their organization, just like it would for
02:27
hackers who are trying to claim responsibility. It could be a recruiting tool.
02:31
This type of attribution, really any type of attribution, does have some problems, though:
02:38
there are so many ways to get it wrong that it's risky in many cases to announce anything at all. Maybe there is a certainty factor which could alleviate
02:47
getting it wrong.
02:50
You know, the persons who are making the announcement might say, "We're not sure; we have a,
02:53
you know, 70% confidence that this is the correct information." For instance, now, doing this on a campaign basis,
03:00
as we talked about in earlier sections of this course
03:06
a campaign is a collection of events that appear to be related to one another or appear to be committed by the same threat actors, the same
03:14
bad guys, if you will.
03:16
As these types of events or incidents are grouped together, attribution could be a slightly easier task, because you might recognize a similar methodology, a similar
03:30
technique of achieving some goal
03:35
and those things could be combined and looked at under
03:39
a magnifying glass to see: is this related information?
03:45
Do these people that are all taking these actions appear to be part of the same organization?
03:49
It is difficult work to do for sure,
03:52
with more modern machine learning tools,
03:55
a lot of threat intelligence platforms and other technology that's available,
04:01
will try to do some analysis on disparate pieces of information, trying to look for those patterns, trying to find a way to
04:10
link things together in a manner
04:13
that reaches some sort of a conclusion. If you recall, from the last module there was a demonstration of the Maltego tool,
04:20
and there are certainly other ones like Maltego, but that's just one that's
04:26
easy for everybody to get their hands on, because it's free; there's at least a free version of it. That's not a machine learning tool per se, but it can help to organize information, perhaps in more of a geospatial
04:40
realm
04:41
where you're looking at where and when a new attack happened. Where did the traffic come from?
04:48
Is there
04:49
concluding, or rather correlating, evidence that shows that certain activities happened along a timeline from certain physical locations,
04:59
which could also lend credence to certain conclusions being correct, or incorrect for that matter. So there are a lot of angles to this. The important takeaway here is to think about how difficult attribution is and how careful the analyst must be in order to get it right within the limits of their
05:17
subject matter expertise
05:19
and the tools that they have available.


Advanced Cyber Threat Intelligence

The Cyber Threat Intelligence (CTI) course is taught by Cybrary SME, Dean Pompilio. It consists of 12 modules and provides a comprehensive introduction to CTI. The subject is an important one, and in addition to discussing tactics and methods, quite a bit of focus is placed on operational matters including the various CTI analyst roles.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor