Time
3 hours 1 minute
Difficulty
Advanced
CEU/CPE
3

Video Transcription

00:04
All right. So as I was talking about earlier, nation-state attribution is probably the most difficult type of analysis to do, especially since, during
00:14
late 2016 and early 2017,
00:17
there have been various news stories about malware being stolen
00:22
from the NSA. You know, anyone who's following this story on WikiLeaks
00:27
is already somewhat familiar with these
00:30
concerns, and also because of that story breaking, it was also discovered that
00:37
the attribution methodologies that have been used in the past
00:42
may not be good enough anymore. It's certainly possible for any organization that's developing malware to try to make it appear as if it came from somewhere else. That's part of covering your tracks. That's part of obfuscation and remaining undetected. So spoofing IP addresses, using proxy chains,
01:00
writing code in different languages, and by that I mean different spoken languages,
01:04
using, you know, a little luck,
01:07
cultural clues: these are all things that could be done to throw an investigator off the path, off the scent. This might make them focus on something which they think is really true, which traces us back to
01:22
the cognitive biases and logical fallacies that we talked about a little bit earlier in this module. So geopolitics is a complex subject and
01:30
one that's endlessly fascinating for me from certain points of view
01:36
as it relates to cyber espionage, cyber terrorism, and other kinds of cyber attacks. It certainly has a lot of complexity and
01:44
various levels of intrigue and mystery. So in the course of doing some analysis, it could be very difficult to conclusively prove that this particular malware, this attack, came from this nation state or this hacker group,
02:04
because there's a large market
02:07
that's open to anybody who wants to purchase malware or wants to have malware designed for them.
02:12
This further complicates the issue. So many open source tools also exist, which can be used to create malware very quickly, very easily,
02:22
with, in some cases, very little skill required by the persons
02:27
doing the work.
02:28
From a United States perspective, being concerned about China, Russia, North Korea, and Iran
02:34
is part of the daily workflow for anyone who's working in a classified space or national security capacity.
02:46
So we see some examples of
02:49
different types of sabotage and espionage.
02:53
The first we're gonna look at is
02:55
IronGate and Stuxnet.
02:58
So have a look at The Hacker News for some information about IronGate as it relates to Stuxnet. They're both, uh, industrial control systems related malware.
03:13
So SCADA systems in particular
03:16
were targeted.
03:19
And if you, uh, this is a pretty good website. It gives a decent amount of information;
03:25
it's not super technical, so people that are newer to
03:29
threat analysis will, ah, need some time to
03:32
read the stories and figure out what you're looking at.
03:37
But they do go into a decent amount of detail about how the malware works
03:42
and also, uh,
03:45
trying to get at the question: who wrote it?
03:49
Who created this?
03:51
There could be some interesting clues to consider.
03:53
Then we have, ah, Dragonfly.
03:58
So, power outage caused by hackers.
04:00
This happened early in 2016.
04:05
So, similar to Stuxnet, going after SCADA systems.
04:11
And, uh, possibly
04:14
there are some theories that this is
04:16
produced by the Russians, perhaps,
04:21
but good information, really, regardless,
04:25
and this kind of stuff is pretty fascinating. In my opinion,
04:29
trying to look at the work of other analysts can be very illuminating because you can see
04:33
what kind of methodology they used. Hopefully, there's some information available to show how something was done or how the conclusion was reached.
04:45
Then we have the Shadow Brokers
04:46
trying to sell stolen NSA hacking tools,
04:53
and they're trying to claim credit for this. So in this case, maybe attribution could be a little bit more straightforward.
05:01
But again, there's no proof. Uh, just because someone claims responsibility doesn't mean that they actually did it.
05:10
I'm not saying there's no proof in this case. I'm just saying in a general sense,
05:15
and that is always something to be aware of
05:18
because there are so many ways to spoof information so many ways to make it appear as if
05:25
traffic came from somewhere, that it really didn't and so on and so on.
05:29
Anyone who's spent any time doing pen testing work would have at least that level of understanding of how to hide their own tracks,
05:38
surmising, of course, that anybody else who's doing malware,
05:42
creating malware, would also use the same techniques to remain obfuscated, or even to appear to be
05:48
pointing at another entity.
05:53
So it is something to think about, and probably one of the most fascinating parts of doing cyber threat analysis.

Up Next

Advanced Cyber Threat Intelligence

The Cyber Threat Intelligence (CTI) course is taught by Cybrary SME, Dean Pompilio. It consists of 12 modules and provides a comprehensive introduction to CTI. The subject is an important one, and in addition to discussing tactics and methods, quite a bit of focus is placed on operational matters including the various CTI analyst roles.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor